350,000 Spotify Accounts Targeted by Hackers — What to Do


Up to 350,000 Spotify accounts have been targeted by hackers and cracked using reused or weak passwords, security researchers at the Israeli website VPNMentor have revealed.

While the music streaming service itself has not been hacked, the researchers found an unprotected online database containing approximately 380 million personal records. These were likely stolen in an old data breach or phishing attack and are not directly related to Spotify. However, they provide hackers with a large number of passwords and credentials with which to conduct cyber attacks.

The database owner used the records to launch a "credential stuffing" attack that tried passwords together with usernames and email addresses (Spotify accepts either) to access accounts on multiple online services.

Spotify was informed of the situation by VPNMentor researchers in early July and immediately forced all affected users to reset their passwords.

However, these users are still susceptible to credential-stuffing attacks on other services where their old Spotify passwords were reused.

If you are a Spotify user and have used the same credential set (password plus username and/or email address) on other accounts, you should change the passwords on those accounts immediately.

Be sure to make your new passwords long, strong, and unique. We recommend using the best password manager to create and manage your new passwords.

You should also plead with Spotify to offer two-factor authentication (2FA) as a security option to prevent exactly this kind of account takeover.

With a "second" factor, such as a text code, an app-generated code, a specific smartphone, or a physical security key, an attacker cannot break into your account even with the password. Most well-known online services already offer 2FA, and it is time for Spotify to join them.

Spotify users in the database could also fall victim to phishing attacks and identity theft, VPNMentor researchers warn.

"Fraudsters could use the emails and names published by the leak to identify users on other platforms and social media accounts."

"Scammers may also use contact information to directly target users exposed by phishing emails, tricking them into providing sensitive data such as credit card information or forcing them to click on fake links with embedded malware."

Of course, this is true every time a major data breach occurs and personal information is compromised. Virtually everyone who has ever had an online account has had something exposed; you can check whether your email address or password has appeared in a known breach at a (safe to use) site called HaveIBeenPwned.
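The HaveIBeenPwned password check mentioned above never sends the site your password: the client hashes it with SHA-1 and transmits only the first five hex characters of the hash, then matches the remainder locally against the returned list of suffixes (a "k-anonymity" range query). The example below is an added illustration of that client-side logic and is not code from the article or from HaveIBeenPwned itself. The breach counts in it are constructed; the offline fetcher is a stand-in for the real `https://api.pwnedpasswords.com/range/{prefix}` endpoint, which the optional `hibp_range_fetcher` function calls when network access is available.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

# Constructed stand-in for the Pwned Passwords corpus. The counts are made up
# for this example; the real service returns how often each hash was seen in breaches.
_CONSTRUCTED_CORPUS: Dict[str, int] = {
    hashlib.sha1(b"password").hexdigest().upper(): 3861493,
    hashlib.sha1(b"123456").hexdigest().upper(): 23597311,
}


def hash_prefix(password: str) -> Tuple[str, str]:
    """Split the upper-case SHA-1 hex digest into the 5-char prefix that is
    sent to the service and the 35-char suffix that stays on the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def offline_range_fetcher(prefix: str) -> str:
    """Simulate the /range/{prefix} response: one 'SUFFIX:COUNT' line per
    corpus hash whose first five hex digits match the requested prefix."""
    lines = [
        f"{digest[5:]}:{count}"
        for digest, count in _CONSTRUCTED_CORPUS.items()
        if digest.startswith(prefix)
    ]
    return "\r\n".join(lines)


def hibp_range_fetcher(prefix: str) -> str:
    """Real range query against the Pwned Passwords API (needs network access).
    The service requires a User-Agent header; Add-Padding hides the true
    result count from network observers."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "example-kanon-check", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str,
                fetch_range: Callable[[str], str] = offline_range_fetcher) -> int:
    """Return how many times the password appears in the corpus (0 = not found).
    Only the hash prefix ever leaves this function; the suffix is compared locally."""
    prefix, suffix = hash_prefix(password)
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = pwned_count(pw)
        verdict = f"seen {n} times, do not use" if n else "not in the constructed corpus"
        print(f"{pw!r}: {verdict}")
```

To check against the live service, call `pwned_count(pw, hibp_range_fetcher)`; a non-zero result means the password should be treated as burned everywhere it was reused, which is exactly the credential-stuffing exposure the article describes.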

Credential stuffing generally works only because most people use the same password for multiple accounts or use simple, common passwords that can be easily guessed. If the password, username, and/or email address linked to one of these accounts is exposed in a data breach or phishing attack, every account using those credentials can be accessed, no matter how strong the password is.

Credential stuffing is not really hacking, because the attacker already has the "key" and is using the login software as designed. Using the same set of keys for multiple accounts simply makes the attacker's job easier.

Reusing passwords is like having one key for your house, car, office, and home safe. Using one of the 10,000 or so most commonly used passwords is like having a blank key. Either way, if someone gets a copy of that key, you're done.
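Because credential stuffing uses the login flow as designed, a service cannot catch it by looking at any single request; what stands out is the pattern of one source trying many different usernames in quick succession. The example below is added here to show a simple detection rule over authentication logs and is not code from the article, from Spotify or from VPNMentor. The log lines, the log format (timestamp, source IP, username, result) and the thresholds are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample authentication log (assumed format: "ISO-timestamp src_ip username result").
# 203.0.113.7 sprays six different usernames in four seconds and gets one hit;
# 198.51.100.20 is one user mistyping a password twice, which must not be flagged.
SAMPLE_LOG = """\
2020-07-01T10:00:01 203.0.113.7 alice@example.com FAIL
2020-07-01T10:00:02 203.0.113.7 bob@example.com FAIL
2020-07-01T10:00:02 203.0.113.7 carol@example.com FAIL
2020-07-01T10:00:03 203.0.113.7 dave@example.com FAIL
2020-07-01T10:00:03 203.0.113.7 erin@example.com FAIL
2020-07-01T10:00:04 203.0.113.7 frank@example.com OK
2020-07-01T10:05:00 198.51.100.20 alice@example.com FAIL
2020-07-01T10:05:30 198.51.100.20 alice@example.com FAIL
2020-07-01T10:06:00 198.51.100.20 alice@example.com OK
"""

Event = Tuple[datetime, str, str, str]  # (time, src_ip, username, result)


def parse_log(text: str) -> List[Event]:
    """Parse the constructed log format; blank lines are skipped."""
    events: List[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events


def detect_credential_stuffing(events: List[Event],
                               window: timedelta = timedelta(seconds=60),
                               min_distinct_users: int = 5) -> Dict[str, dict]:
    """Flag any source IP that tries at least `min_distinct_users` different
    usernames inside one `window`. A legitimate user retrying their own
    password hits only one username, so they stay below the threshold.
    Successful logins inside the flagged window are listed as likely
    compromised accounts that should be forced through a password reset."""
    by_ip: Dict[str, List[Event]] = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    alerts: Dict[str, dict] = {}
    for ip, evs in by_ip.items():
        evs.sort()
        for i, (t0, _, _, _) in enumerate(evs):
            chunk = [e for e in evs[i:] if e[0] - t0 <= window]
            users = {e[2] for e in chunk}
            if len(users) >= min_distinct_users:
                alerts[ip] = {
                    "window_start": t0,
                    "distinct_users": len(users),
                    "attempts": len(chunk),
                    "compromised": sorted({e[2] for e in chunk if e[3] == "OK"}),
                }
                break  # one alert per source IP is enough
    return alerts


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {info['distinct_users']} usernames in {info['attempts']} attempts "
              f"from {info['window_start']}; compromised={info['compromised']}")
```

In production the same rule would be keyed on more than the source IP (stuffing tools rotate through proxies), and the "compromised" list is what drives the forced password reset that Spotify applied to the affected accounts.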
