350,000 Spotify accounts targeted by hackers

Up to 350,000 Spotify accounts have been taken over by attackers exploiting weak or reused passwords, according to security researchers at the Israeli website VPNMentor.

Although the music streaming service itself was not hacked, the researchers found an unprotected online database containing approximately 380 million individual records. These were most likely stolen in older data breaches or phishing campaigns and were not taken from Spotify. But they gave the attackers a huge supply of usernames, email addresses, and passwords with which to carry out further attacks.

The database owner used the records for "credential stuffing" attacks: replaying each leaked password together with its username and/or email address (Spotify accepts both as a login identifier) against the login forms of Spotify and other online services, in the hope that the victim reused the same password there.
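From the defender's side, what makes credential stuffing recognisable is not a malformed request (every attempt is an ordinary login) but the shape of the traffic: one source trying many different identifiers, mostly failing, occasionally succeeding. The following is an added example written for this page, not code from the article, from VPNMentor, or from Spotify. It parses a constructed login log in a hypothetical `key=value` format and flags sources that match that pattern; the thresholds are assumptions to be tuned per service.

```python
"""Flag credential-stuffing patterns in a login log (added example, not from the article)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical "timestamp ip= user= result=" format; not
# real Spotify data. 203.0.113.7 cycles through many different accounts (stuffing);
# 198.51.100.23 is one user mistyping their own password twice before succeeding.
SAMPLE_LOG = """\
2020-07-03T10:15:01Z ip=203.0.113.7 user=alice@example.com result=FAIL
2020-07-03T10:15:01Z ip=203.0.113.7 user=bob@example.net result=FAIL
2020-07-03T10:15:02Z ip=203.0.113.7 user=carol@example.org result=OK
2020-07-03T10:15:02Z ip=203.0.113.7 user=dave@example.com result=FAIL
2020-07-03T10:15:03Z ip=203.0.113.7 user=erin@example.net result=FAIL
2020-07-03T10:15:03Z ip=203.0.113.7 user=frank@example.org result=FAIL
2020-07-03T10:15:04Z ip=203.0.113.7 user=grace@example.com result=OK
2020-07-03T10:15:04Z ip=203.0.113.7 user=heidi@example.net result=FAIL
2020-07-03T10:15:05Z ip=203.0.113.7 user=ivan@example.org result=FAIL
2020-07-03T10:15:05Z ip=203.0.113.7 user=judy@example.com result=FAIL
2020-07-03T10:16:10Z ip=198.51.100.23 user=mallory@example.com result=FAIL
2020-07-03T10:16:25Z ip=198.51.100.23 user=mallory@example.com result=FAIL
2020-07-03T10:16:40Z ip=198.51.100.23 user=mallory@example.com result=OK
2020-07-03T10:20:00Z ip=198.51.100.77 user=oscar@example.net result=OK
"""


def parse_line(line):
    """Turn one log line into a dict with a datetime under the key "ts"."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect_stuffing(lines, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.5):
    """Return {ip: stats} for source IPs that, within `window`, tried at least
    `min_users` distinct identifiers with a failure ratio of at least `min_fail_ratio`.

    Each attempt is a well-formed login, so there is nothing to pattern-match in a
    single request; the signal is many different identifiers from one source, mostly
    failing, with a few successes. The successes are the accounts to force-reset.
    """
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits within `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            fails = sum(1 for e in win if e["result"] != "OK")
            ratio = fails / len(win)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                prev = flagged.get(ip)
                # Keep the widest window seen for this source.
                if prev is None or len(users) > prev["distinct_users"]:
                    flagged[ip] = {
                        "distinct_users": len(users),
                        "attempts": len(win),
                        "fail_ratio": round(ratio, 2),
                        "successes": sorted(e["user"] for e in win if e["result"] == "OK"),
                    }
    return flagged


if __name__ == "__main__":
    for ip, stats in detect_stuffing(SAMPLE_LOG.splitlines()).items():
        print(ip, stats)
```

A per-source threshold like this is only a starting point: stuffing campaigns are commonly spread across many proxy or botnet addresses so that no single IP crosses it, which is why services also baseline the fleet-wide login failure rate and the number of distinct sources hitting each account. Whatever the detector, the response is the one described in the article: force a password reset on the accounts where the attempt succeeded.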

Spotify was notified of the situation by the VPNMentor researchers in early July and promptly forced all affected users to reset their passwords. However, those users remain exposed on every other service where they reused their old Spotify password, because the leaked credentials still work there.

What can you do

If you're a Spotify user and you've used the same set of credentials (a password plus a username and/or an email address) for other accounts, change the passwords for those accounts immediately. Make sure each new password is long, strong, and unique. You should also press Spotify to offer two-factor authentication (2FA) as a security option, since it is designed to stop exactly this kind of account takeover.

Without the "second" factor (an SMS code, an app-generated code, a specific smartphone, or a physical security key) an attacker cannot log in with the password alone. The factors are not equal, though: SMS codes can be intercepted through SIM swapping, and both SMS and app codes can be phished in real time, whereas a physical security key is bound to the genuine site and resists that. Most well-known online services already offer 2FA, and it's time for Spotify to join them.

Other risks

Spotify users whose data appeared in the database could also be exposed to phishing attacks and even identity theft, the VPNMentor researchers warned.

Fraudsters could use the exposed email addresses and names to locate the same people on other platforms and social media accounts, the report said. They could also use the contact details to target exposed users directly with phishing emails, tricking them into handing over sensitive information such as credit card details or into clicking a link that delivers malware.

Of course, the same applies to any major data breach in which credentials are exposed, and pretty much everyone who has ever had an online account has had something leaked. You can check whether your email address appears in known breaches at the (safe to use) website HaveIBeenPwned. Its Pwned Passwords service also lets you check whether a password appears in leaked data without sending the password itself: only the first five characters of its SHA-1 hash are sent, and the matching is done on your side.
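The k-anonymity check behind Pwned Passwords is worth seeing in code, because it is also the right way to test a new password against the "top 10,000 most common passwords" problem discussed further down. The following is an added example written for this page, not code from the article, from VPNMentor or from HaveIBeenPwned. The range endpoint URL and the `Add-Padding` header are the real HaveIBeenPwned API; the sample response body and its counts are constructed so that the example runs offline.

```python
"""Check a password against leaked-password data without sending the password (added example)."""
import hashlib
import urllib.request

# Real HaveIBeenPwned Pwned Passwords range endpoint: GET <RANGE_API><first 5 hex of SHA-1>.
RANGE_API = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str):
    """Split SHA-1(password) into the 5-hex-char prefix that is sent and the 35-char suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Parse a range response ("SUFFIX:COUNT" per line) and return the count for our suffix, 0 if absent."""
    for line in range_body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Live query (needs network). Only the 5-character prefix leaves the machine;
    Add-Padding asks the server to pad the response so its size reveals nothing either."""
    req = urllib.request.Request(
        RANGE_API + prefix,
        headers={"Add-Padding": "true", "User-Agent": "added-example-password-check"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("ascii")


def breach_count(password: str, fetch=fetch_range) -> int:
    """Return how many times `password` appears in the corpus (0 means not found).
    `fetch` is injectable so the check can run against a stored response offline."""
    prefix, suffix = sha1_prefix_suffix(password)
    return count_in_range(suffix, fetch(prefix))


# Constructed stand-in for the response to the range "5BAA6" (the prefix for "password").
# Suffixes other than the second, and all counts, are made up for the example.
SAMPLE_RANGE_5BAA6 = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E9E5B2A8F0C5A1F2E3D4C5B6A798877665:0
"""

if __name__ == "__main__":
    offline = lambda prefix: SAMPLE_RANGE_5BAA6
    for pw in ("password", "correct horse battery staple"):
        print(f"{pw!r}: seen {breach_count(pw, fetch=offline)} times")
```

A non-zero count means the password is in attackers' wordlists and should be treated as already burned, no matter how strong it looks. Because only a hash prefix is transmitted, the service cannot tell which of the few hundred candidate passwords in that range you were checking, which is what makes this safe to run on a password you intend to keep.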

How can you make sure this doesn't happen again

Credential stuffing generally only works because most people use the same password for more than one account, or use simple, generic passwords that are easy to guess.

If the password, username, and/or email address tied to just one of those accounts is exposed in a data breach or phishing attack, every other account that uses the same credentials becomes accessible too, no matter how strong that password is.

Credential stuffing is not really a hack, since the attacker already has the "keys" and is simply using the login form as designed. The reuse of one set of keys for more than one account is what makes the attacker's job easy.

Reusing passwords is like having a single key for your house, your car, your office, and your safe. Using one of the top 10,000 or so most common passwords is like leaving the door unlocked altogether. Once someone has a copy of that key, it is already too late. So always use a different password for every account.
