UPDATED 21:13 EST / NOVEMBER 23 2020

SECURITY

Spotify user credentials compiled by hackers found on unsecured database

A database of Spotify Technology SA account details believed to have been compiled by hackers has been found on an unsecured database in a tale that combines not only hacking but also one of the most common forms of data exposure.

Detailed today by researchers Noam Rotem and Ran Locar at vpnMentor, the 72-gigabyte database of 380 million records relating to an estimated 300,000 to 350,000 Spotify users was found on an unsecured Elasticsearch installation. The database included account usernames and passwords verified on Spotify, email addresses and countries of residence.

Where the story takes a twist is that the database doesn’t belong to Spotify. The researchers, along with Spotify, believe that the database was compiled by hackers, possibly using login credentials stolen from another platform, app or website that had been found to work on Spotify.

The process used here is known as credential stuffing. It involves hackers taking usernames and passwords stolen in one hack, then seeing if the credentials work on other sites and services given that users often reuse passwords across multiple sites.
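The paragraph above describes credential stuffing from the attacker's side; from the defender's side, the distinguishing signal is a single source trying many different usernames roughly once each, rather than one username many times. The following is an added example, not code from the article, from Spotify or from vpnMentor, that runs that heuristic over a few constructed authentication log lines and reports which accounts were successfully logged into from a flagged source. The log format, the thresholds (`min_distinct_users`, `max_attempts_per_user`, the five-minute window) and all IP addresses and usernames are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (assumed format: ISO timestamp,
# source IP, username, outcome). Not real traffic; documentation-range IPs.
SAMPLE_LOG = """\
2020-07-03T10:00:01Z 203.0.113.7 alice@example.com FAIL
2020-07-03T10:00:02Z 203.0.113.7 bob@example.com FAIL
2020-07-03T10:00:02Z 203.0.113.7 carol@example.com FAIL
2020-07-03T10:00:03Z 203.0.113.7 dave@example.com SUCCESS
2020-07-03T10:00:04Z 203.0.113.7 erin@example.com FAIL
2020-07-03T10:00:05Z 203.0.113.7 frank@example.com FAIL
2020-07-03T10:00:06Z 203.0.113.7 grace@example.com FAIL
2020-07-03T10:00:07Z 203.0.113.7 heidi@example.com FAIL
2020-07-03T10:01:00Z 198.51.100.9 alice@example.com FAIL
2020-07-03T10:01:30Z 198.51.100.9 alice@example.com FAIL
2020-07-03T10:02:00Z 198.51.100.9 alice@example.com SUCCESS
"""


def parse_line(line):
    """Parse one log line into (timestamp, source_ip, username, succeeded)."""
    ts, ip, user, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome == "SUCCESS"


def detect_credential_stuffing(log_text, window=timedelta(minutes=5),
                               min_distinct_users=5, max_attempts_per_user=2.0):
    """Flag source IPs whose login attempts in any sliding window spread across
    many distinct usernames with few attempts per username.

    Returns {ip: {"attempts", "distinct_users", "successes"}} where
    "successes" lists accounts that were logged into from the flagged IP;
    those are the accounts a forced password reset would target.
    """
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e[0])
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    findings = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start so the window never exceeds its size.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            window_evs = evs[start:end + 1]
            users = {u for _, u, _ in window_evs}
            attempts = len(window_evs)
            # Stuffing signature: many usernames, each tried only once or twice.
            # A brute-force on one account (one user, many attempts) does not match.
            if len(users) >= min_distinct_users and attempts / len(users) <= max_attempts_per_user:
                prev = findings.get(ip, {"attempts": 0, "distinct_users": 0, "successes": []})
                successes = sorted(set(prev["successes"]) | {u for _, u, ok in window_evs if ok})
                findings[ip] = {
                    "attempts": max(prev["attempts"], attempts),
                    "distinct_users": max(prev["distinct_users"], len(users)),
                    "successes": successes,
                }
    return findings


if __name__ == "__main__":
    for ip, f in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {f['attempts']} attempts across {f['distinct_users']} accounts; "
              f"successful logins to reset: {f['successes']}")
```

On the sample, `203.0.113.7` is flagged (eight attempts against eight different accounts, one of which succeeded), while `198.51.100.9`, which retried the same account three times, is not, since that pattern looks like a user mistyping rather than a stolen list being replayed. The ratio test matters: a pure attempt-count threshold would also fire on ordinary busy NAT gateways, whereas a high distinct-user count with near-one attempt per user is hard to produce legitimately.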

The database was discovered July 3. Spotify was contacted July 9 and responded the same day. Between July 10 and July 21, Spotify initiated a “rolling reset” of passwords for all users affected, meaning the database would be voided and become useless for accessing Spotify accounts.

Although Spotify may have applied a forced password reset for users affected, the fact that the data in the database was likely stolen in another hack where users have reused credentials across multiple sites means that the affected users are still at risk of being hacked on other sites and services.

This may not be the first time account credentials from Spotify are known to have been compiled in this way. In 2016, hundreds of Spotify account records were posted to the website Pastebin with Spotify also saying that the credentials had not come from them.

“Hackers can profit enormously from credentials present in large database leaks such as these,” Ameet Naik, security evangelist at application protection firm PerimeterX Inc., told SiliconANGLE. “Since a large number of users reuse their passwords across multiple services, hackers run credential stuffing attacks to check the validity of these credentials against multiple services.”

These automated attacks, also known as Account Takeover, he added, are growing in size and scope, up 72% over the prior year. “Businesses need to protect their login pages from ATO attacks using bot management solutions,” he said. “Users must use strong, unique passwords on each service and use multi-factor authentication where possible.”

Javvad Malik, security awareness advocate at security awareness training company KnowBe4 Inc., noted that the exposure illustrates that criminals don’t need sophisticated technical hacking abilities to compromise accounts, instead taking advantage of lax security practices on the part of users.

“Credentials are a particular area in which users are left exposed because they either choose weak passwords, or reuse them across different sites,” he said. “It’s why it’s important that users understand the importance of choosing unique and strong passwords across their accounts and where available enable and use multifactor authentication. That way, even if an account is compromised, it won’t be possible for attackers to use those credentials to breach other accounts.”

Photo: Spotify
