Blonde girl listening to music using a laptop showing credential stuffing attack on Spotify

Credential Stuffing Attack Targeted Spotify, Affecting More Than 300,000 Accounts

Hundreds of thousands of Spotify subscribers may have experienced service disruption during a credential stuffing attack that tried to verify stolen login details against Spotify accounts. Credential stuffing attacks exploit accounts of users who recycle passwords across multiple online services. Attackers use the leaked login credentials to breach other websites by employing automated scripts.

Credential stuffing attack originated from an exposed stolen third-party database

vpnMentor discovered the unsecured Elasticsearch database containing over 380 million records, including login credentials and other user account information. Of which, 300,000 – 350,000 were validated to be Spotify accounts.

The researchers discovered the treasure trove during a web mapping project involving port scanning to detect various IP vulnerabilities. The database was unsecured and unencrypted, thus easily accessible and readily usable by anybody with access to the Internet and knew where to look.

Javvad Malik, a Security Awareness Advocate at KnowBe4, noted that “criminals don’t need sophisticated technical hacking abilities to compromise accounts. Rather, they can take advantage of lax security practices on behalf of users.”

After the initial discovery in July, vpnMentor researchers contacted the music streaming service and received an almost instant response. Spotify initiated the password reset process to protect its users’ accounts from further credential stuffing attacks. Consequently, the stolen “information on the database would be voided and become useless,” according to vpnMentor researchers.

The leaked database contained over 72 GB of data, including usernames and passwords, email addresses, and countries of residence. The data also had a flag indicating whether the stolen credentials could log into Spotify.

Spotify acknowledged the credential stuffing attack

vpnMentor suggested that “the hackers were possibly using login credentials stolen from another platform, app or website and using them to access Spotify accounts.” The music streaming subscription service clarified that the breach did not originate from its servers.

In addition, vpnMentor noted that the attackers could use the data for nefarious purposes other than credential stuffing. Attackers could use the leaked personally identifiable information (PII) to recognize Spotify users on social media to defraud them through online scams. They could use the stolen information to create personal profiles for identity theft.

According to Ameet Naik, PerimeterX security evangelist, hackers ran the credential stuffing attack to validate the credentials for automated account takeover attacks (ATO). Such attacks had increased by 72% from last year.

The success of credential stuffing attacks depends on users having poor password hygiene, such as weak passwords and reusing login credentials across multiple platforms.

Users could reduce the chances of success of a credential stuffing attack by using strong passwords, avoiding password reuse, and enabling multi-factor authentication.

Since remembering several strong passwords across numerous sites is challenging for most users, they could take advantage of password managers to centralize their login credentials. Password managers use one master password, thus saving the user from having to remember every password.

Bitglass CTO Anurag Kahol said that the Spotify credential stuffing attack resulted from common users’ poor password hygiene.

“A staggering 53% of consumers admit to reusing the same password across multiple sites, even knowing the risks associated,” Kahol said. “This poor password hygiene allows cybercriminals the opportunity and access to various accounts for the same individual across multiple services, rendering their digital footprint incredibly vulnerable as a result.”

He advised all consumers to “diversify their login credentials across different accounts in order to mitigate the chances of their account being hijacked.”

He added that companies should track and react towards suspicious logins. Additionally, they should also implement multi-factor authentication mechanisms that prevent illegal logins from succeeding.

Similarly, companies should maintain “visibility and control over their customer data” to prevent data breaches, according to the Bitglass CTO.

“To do so, organizations must implement security solutions that remediate misconfigurations, enforce real-time access control, encrypt sensitive data at rest, manage the sharing of data with external parties, and prevent the leakage of sensitive information,” Kahol concluded.

Keith Neilson, Technical Evangelist at CloudSphere, had similar opinions regarding the Spotify credential stuffing attack.

“To minimize the attack surface and prevent hackers from abusing personal data, businesses should invest in a platform with complete visibility into the cloud environment, and real-time security posture monitoring to minimize the cloud attack surface and ensure data does not end up in the wrong hands,” Nelson says. “With the ability to remediate gaps in security in real-time, businesses can operate without fear of putting customer data in jeopardy.”