Spotify has initiated a 'rolling reset' of passwords for users who are believed to be affected by a credential stuffing hacking operation. The research team at vpnMentor shared the development in a blog post, which further states that an open database containing more than 380 million records, including login credentials and other user data associated with Spotify, was found unsecured. The origins of the database and how the fraudsters were targeting Spotify are both unknown. However, the vpnMentor report adds that hackers were likely using login credentials stolen from another platform, app, or website and trying them against Spotify accounts. Credential stuffing refers to the hacking technique that takes advantage of weak passwords that users reuse across multiple platforms: credentials exposed by a breach of one service are tried, usually in bulk, against another.
At the moment, Spotify has not officially addressed the issue, though researchers suspect that roughly 350,000 users were impacted. The database containing Spotify users' login credentials was discovered on July 3, and the music streaming company responded to the issue on July 9. Apart from login credentials, personal info such as email addresses and countries of residence was also exposed, posing a risk of potential phishing scams. As a result, Spotify has started resetting passwords for user accounts that may have been compromised.
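The response described above (reset only the accounts whose exposed credentials actually work against the service) can be reproduced with a check like the following. This is an added illustration, not vpnMentor's or Spotify's code; the user table and the leaked dump are constructed sample data, and the PBKDF2 storage format is an assumption about how a service might store password hashes.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

# Constructed sample data: plaintexts are shown only so the table can be built here.
_ACCOUNTS = {
    "alice@example.com": "Summer2020!",   # reuses the password that leaked
    "bob@example.com": "correct-horse",   # leaked record has a stale password
    "carol@example.com": "xK9#pQ2vL",     # not in the leaked dump at all
}

# Constructed leaked dump: (email, password) pairs harvested from another site.
LEAKED: List[Tuple[str, str]] = [
    ("Alice@Example.com ", "Summer2020!"),  # case/whitespace noise is typical
    ("bob@example.com", "oldpassword1"),
    ("mallory@example.org", "hunter2"),     # not one of our users
]


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, a common way to store passwords at rest."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user_table(accounts: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Build email -> (salt, stored_hash); a real service already has this."""
    return {email.lower(): (s := os.urandom(16), hash_password(pw, s))
            for email, pw in accounts.items()}


def accounts_to_reset(user_table: Dict[str, Tuple[bytes, bytes]],
                      leaked: List[Tuple[str, str]]) -> List[str]:
    """Return the emails whose CURRENT password matches a leaked credential.

    Only these accounts are exposed to credential stuffing from this dump, so
    only they need a forced reset; a stale or unknown pair is not actionable.
    """
    hits = set()
    for email, leaked_pw in leaked:
        key = email.strip().lower()
        record = user_table.get(key)
        if record is None:
            continue                       # leaked account is not one of ours
        salt, stored = record
        if hmac.compare_digest(hash_password(leaked_pw, salt), stored):
            hits.add(key)
    return sorted(hits)


USERS = make_user_table(_ACCOUNTS)

if __name__ == "__main__":
    print("force reset:", accounts_to_reset(USERS, LEAKED))
```

Because matching is done by verifying each leaked password against the stored salted hash, the check never needs the service to keep plaintexts, and it ignores leaked pairs that are stale or belong to other sites' users.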
vpnMentor's research team, led by Noam Rotem and Ran Locar, adds that both vpnMentor and Spotify concluded that whoever owned the database had probably obtained the login credentials from an external site and used them on Spotify accounts. "This is a common tactic used by cyber-criminals to access private accounts on popular platforms like Spotify, and something the company — like most online businesses — has dealt with in the past, given the pervasive use of weak passwords by so many consumers online," researchers said.
Spotify has over 299 million active monthly users and is one of the most popular music and audio streaming platforms globally. The vpnMentor research team also cautions users who have used their Spotify password elsewhere to change it immediately to protect the account from being hacked.