A group of hackers has left hundreds of thousands of Spotify passwords unprotected. Hackers allegedly gained access to over 300,000 Spotify accounts using a database of 380 million records containing login credentials and personal information gathered from various sources.
The vpnMentor report details the methods cybercriminals used to access hundreds of thousands of accounts with the database mentioned above, which is publicly available online and contains hundreds of millions of entries relating to user login credentials and other data. The database has been actively used to hack accounts for some time, and the source describes some of the ways criminals break into the music streaming service’s defenses.
One of the most commonly used attacks to hack accounts is so-called “credential stuffing,” in which threat actors make use of large collections of data leaked in previous security breaches on other online platforms. These collections contain, in some cases, the combinations of usernames and passwords used on other services, and users often make the mistake of using the same credentials to log in to different online services.
It is not yet known how the 300 million database entries were collected, but it is likely to be a collection of several previous breaches released on the web for free. Researchers believe the records listed in the database allowed attackers to hack 300,000 to 350,000 Spotify accounts. vpnMentor also contacted Spotify on July 9 regarding the exposed database and received a response the same day.
Spotify has sent an email to the users who appeared in the database, asking them to change their password. It is also advisable to change your Spotify password if it is the same one you use on another service.
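Credential stuffing as described above leaves a recognisable pattern in a service's login logs: one source tries many different accounts in a short time and almost all attempts fail. The following is an added example, not code from vpnMentor or Spotify; the event format, thresholds and function names are assumptions, and the sample events are constructed. It flags such sources and lists the accounts that did log in during the burst, which are the ones that need a forced password reset.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def constructed_events():
    """Constructed sample data: (timestamp, source IP, username, success)."""
    t0 = datetime(2020, 7, 9, 12, 0, 0)
    events = []
    # One source tries 40 different accounts in under 2 minutes; 2 logins succeed.
    for i in range(40):
        events.append((t0 + timedelta(seconds=2 * i), "203.0.113.7",
                       f"user{i}@example.com", i in (11, 29)))
    # A normal user mistypes a password twice, then logs in.
    for i, ok in enumerate([False, False, True]):
        events.append((t0 + timedelta(seconds=30 * i), "198.51.100.20",
                       "alice@example.com", ok))
    # A shared office NAT: several users, all logins succeed.
    for i in range(6):
        events.append((t0 + timedelta(seconds=60 * i), "192.0.2.50",
                       f"staff{i}@example.com", True))
    return sorted(events)

def detect_stuffing(events, window=timedelta(minutes=5),
                    min_accounts=20, max_success_ratio=0.2):
    """Flag source IPs that, inside one sliding window, attempt many
    distinct accounts while most attempts fail."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    findings = {}
    for ip, rows in by_ip.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Shrink the window from the left until it spans <= `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            chunk = rows[start:end + 1]
            accounts = {user for _, user, _ in chunk}
            ratio = sum(ok for _, _, ok in chunk) / len(chunk)
            if len(accounts) >= min_accounts and ratio <= max_success_ratio:
                prev = findings.get(ip)
                # Keep the widest burst seen for this source.
                if prev is None or len(accounts) > prev["accounts_tried"]:
                    hits = sorted({u for _, u, ok in chunk if ok})
                    findings[ip] = {"accounts_tried": len(accounts),
                                    "compromised": hits}
    return findings

if __name__ == "__main__":
    for ip, info in detect_stuffing(constructed_events()).items():
        print(ip, info)
```

Counting distinct accounts rather than raw failures is what separates this from ordinary brute-force detection; thresholds need tuning against real traffic, since large shared networks can legitimately show many accounts per address.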