Earlier this summer, Spotify asked its users to change their login credentials after the service became the target of an attack.
“Credential Stuffing” attack
The criminals gained access to the data with a “Credential Stuffing” attack, in which login data stolen from one service is tried out on other services. The attackers often have an easy time of it: most users choose simple passwords and reuse the same one at several services. Passwords like 12345, soccer or starwars are still commonplace. The known login data are then tried out at various portals to gain access. The attack on the access data of Spotify users has only now become officially known. More than 300,000 users were affected.
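The pattern described above, many different usernames tried from one source with mostly failed logins, is also what a defender can look for in login audit logs. The following is an added example, not code from the article or from Spotify: a small detector that runs over constructed login-audit lines and flags sources that match the credential-stuffing signature, listing the accounts that did log in successfully during the burst so they can be reset. The log format ("timestamp source-ip username result"), the sample data and the thresholds are all assumptions.

```python
"""
Added example (not from the article): a minimal credential-stuffing detector
over constructed login-audit lines. Credential stuffing shows up as many
*distinct* usernames attempted from one source with a low success rate.
Log format, sample data and thresholds are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (assumed format: "ISO-timestamp src_ip username result").
# 203.0.113.7 sprays many distinct accounts with mostly failures (stuffing pattern);
# 198.51.100.20 is a normal user who mistyped once and then logged in.
SAMPLE_LOG = """\
2020-07-03T10:00:01 203.0.113.7 alice@example.com FAIL
2020-07-03T10:00:02 203.0.113.7 bob@example.com FAIL
2020-07-03T10:00:02 203.0.113.7 carol@example.com OK
2020-07-03T10:00:03 203.0.113.7 dave@example.com FAIL
2020-07-03T10:00:03 203.0.113.7 erin@example.com FAIL
2020-07-03T10:00:04 203.0.113.7 frank@example.com FAIL
2020-07-03T10:00:05 203.0.113.7 grace@example.com FAIL
2020-07-03T10:00:05 203.0.113.7 heidi@example.com FAIL
2020-07-03T10:00:06 203.0.113.7 ivan@example.com FAIL
2020-07-03T10:00:07 203.0.113.7 judy@example.com FAIL
2020-07-03T10:01:10 198.51.100.20 mallory@example.com FAIL
2020-07-03T10:01:25 198.51.100.20 mallory@example.com OK
"""


def parse_line(line):
    """Split one audit line into (timestamp, source ip, username, success flag)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "OK"


def detect_credential_stuffing(log_text, window=timedelta(minutes=5),
                               min_distinct_users=5, min_failure_ratio=0.8):
    """Return {src_ip: stats} for every source that, within some sliding time
    window, tried at least min_distinct_users different usernames with a
    failure ratio of at least min_failure_ratio. The stats also list the
    accounts that logged in successfully during that window ("compromised"),
    which is the set a service would force-reset."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, ok = parse_line(line)
            by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, events in by_ip.items():
        events.sort()  # chronological order
        start = 0
        for end in range(len(events)):
            # Advance the window start until the window fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            win = events[start:end + 1]
            users = {u for _, u, _ in win}
            failures = sum(1 for _, _, ok in win if not ok)
            ratio = failures / len(win)
            if len(users) >= min_distinct_users and ratio >= min_failure_ratio:
                # Keep the largest matching window seen for this source.
                if ip not in flagged or len(win) > flagged[ip]["attempts"]:
                    flagged[ip] = {
                        "attempts": len(win),
                        "distinct_users": len(users),
                        "failure_ratio": round(ratio, 2),
                        "compromised": sorted(u for _, u, ok in win if ok),
                    }
    return flagged


if __name__ == "__main__":
    for ip, stats in detect_credential_stuffing(SAMPLE_LOG).items():
        print(ip, stats)
```

The per-source "distinct usernames" count is what separates credential stuffing from an ordinary user fumbling one password; the "compromised" list is the input to the response step the article describes, resetting exactly the accounts where a stolen credential worked.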
To carry out the attack, the criminals used a database with more than 380 million entries. The database was discovered by the experts of VPNMonitor. It appears to have been created by a third party; who exactly created this Elasticsearch database is not yet known. It is 72 GB in size and contains passwords, email addresses and user names. Such databases are usually compiled from data breaches and then published on the darknet.
According to the security experts at VPNMonitor, the database was not even encrypted, so they could access all of the data. Spotify was informed about this in July of this year and reacted immediately, resetting the passwords of all those affected to render the data useless. However, since many people reuse their passwords, this data could also be used against other services. The criminals will certainly try it or have already tried it! Users should always have different passwords for different services to avoid exposing themselves to such a danger.