A database of Spotify Technology SA account details believed to have been compiled by hackers has been found on an unsecured database in a tale that combines not only hacking but also one of the most common forms of data exposure.

Detailed today by researchers Noam Rotem and Ran Locar at vpnMentor, the 72-gigabyte database of 380 million records relating to an estimated 300,000 to 350,000 Spotify users was found on an unsecured Elasticsearch installation. The database included account usernames and passwords verified on Spotify, email addresses and countries of residence.

Where the story takes a twist is that the database doesn’t belong to Spotify. The researchers, along with Spotify believe that the database was compiled by hackers possibly using login credentials stolen from another platform, app or website that had been found to work on Spotify.

The process used here is known as credential stuffing. It involves hackers taking usernames and passwords stolen in one hack, then seeing if the credentials work on other sites and services given that users often reuse passwords across multiple sites.

The database was discovered July 3. Spotify was contacted July 9 with a response the same day. Between July 10 and July 21, Spotify initiated a “rolling reset” of passwords for all users affected meaning the database would be voided and become useless in terms of accessing Spotify accounts.

Although Spotify may have applied a forced password reset for users affected, the fact that the data in the database was likely stolen in another hack where users have reused credentials across multiple sites means that the affected users are still at risk of being hacked on other sites and services.

This may not be the first time account credentials from Spotify are known to have been compiled in this way. In 2016, hundreds of Spotify account records were posted to the website Pastebin with Spotify also saying that the credentials had not come from them.

“Hackers can profit enormously from credentials present in large database leaks such as these,” Ameet Naik, security evangelist at application protection firm PerimeterX Inc., told SiliconANGLE. “Since a large number of users reuse their passwords across multiple services, hackers run credential stuffing attacks to check the validity of these credentials against multiple services.”

These automated attacks, also known as Account Takeover, he added, are growing in size and scope, up 72% over the prior year. “Businesses need to protect their login pages from ATO attacks using bot management solutions,” he said. “Users must use strong, unique passwords on each service and use multi-factor authentication where possible.”

Javvad Malik, security awareness advocate and security awareness training company KnowBe4 Inc., noted that the exposure illustrates that criminals don’t need sophisticated technical hacking abilities to compromise accounts, instead taking advantage of lax security practices on behalf of users.

“Credentials are a particular area in which users are left exposed because they either choose weak passwords, or reuse them across different sites,” he said. “It’s why it’s important that users understand the importance of choosing unique and strong passwords across their accounts and where available enable and use multifactor authentication. That way, even if an account is compromised, it won’t be possible for attackers to use those credentials to breach other accounts.”

Photo: Spotify