350,000 Spotify accounts targeted by hackers
Up to 350,000 Spotify accounts have fallen prey to hackers who broke into them by exploiting weak passwords. Security researchers from the Israeli website VPNMentor revealed this. Although the music streaming service itself has not been hacked, the researchers found an unprotected online database containing approximately 380 million individual records. These were likely stolen during old data breaches or phishing attacks and were not directly related to Spotify, but they offer hackers a torrent of passwords and credentials that can be used to carry out cyber attacks. The database owner used the records to conduct "credential stuffing" attacks: trying stolen passwords together with the matching usernames and/or email addresses (Spotify lets you log in with either) to gain access to accounts on multiple online services. Spotify was alerted to the situation by VPNMentor researchers in early July and quickly forced all affected users to reset their passwords. However, those users remain vulnerable to credential stuffing attacks on other services where they reused their old Spotify passwords.
What can you do
If you're a Spotify user and you've been using the same set of login credentials—a password plus a username and/or email address—for other accounts, you should change the passwords for those accounts immediately. Make sure each new password is long, strong, and unique. You should also urge Spotify to offer two-factor authentication (2FA) as a security option to prevent exactly this kind of account takeover. Without the "second" factor—a text message code, an app-generated code, a specific smartphone, or a physical security key—an attacker can't access your account, even with your password. Most well-known online services already offer 2FA, and it's time for Spotify to join them.
Other risks
The database could also leave Spotify users vulnerable to phishing attacks and even identity theft, VPNMentor researchers warned. "Fraudsters could use the exposed emails and names from the breach to identify users on other platforms and social media accounts," the report said. "Fraudsters could also use the contact information to directly target the exposed users with phishing emails, tricking them into providing sensitive data like credit card information, or clicking on a fake link embedded with malware." This is, of course, the risk whenever a major data breach exposes login credentials. Virtually everyone who has ever had an online account has had something exposed. You can check whether your own email addresses and passwords have appeared in known breaches on the (safe to use) website HaveIBeenPwned.
How can you make sure this doesn't happen again
Credential stuffing generally only works because most people use the same password for more than one account, or use simple, common passwords that can be easily guessed. If the password, username, and/or email address associated with just one of those accounts is exposed in a data breach or phishing attack, then every account using those same credentials becomes accessible, no matter how strong that password is. Credential stuffing isn't really a hack, since the attacker already has the "keys" and is using the login software exactly as it was designed. Instead, you made it easier for the attacker by using the same set of keys for more than one account. Reusing passwords is like having a single key for your house, your car, your office, and your home safe. Using one of the top 10,000 or so most commonly used passwords is like having a blank key. Once someone has a copy of that key, it is already too late. Therefore, always use different passwords.
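Because credential stuffing uses the login form as designed, a service can only spot it by its shape: one source trying many different accounts in a short time, unlike a legitimate user retrying their own password. The following added example (not code from the article or from Spotify or VPNMentor) shows that detection over a few constructed authentication log lines in an assumed format, and lists which accounts a flagged source actually got into, which are the ones to force-reset:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth-log lines (not real data). The format is assumed:
#   <ISO timestamp> <source IP> <username> <LOGIN_OK|LOGIN_FAIL>
SAMPLE_LOG = """\
2020-07-01T10:00:01 198.51.100.7 alice LOGIN_FAIL
2020-07-01T10:00:02 198.51.100.7 bob LOGIN_FAIL
2020-07-01T10:00:02 198.51.100.7 carol LOGIN_OK
2020-07-01T10:00:03 198.51.100.7 dave LOGIN_FAIL
2020-07-01T10:00:03 198.51.100.7 erin LOGIN_FAIL
2020-07-01T10:00:04 198.51.100.7 frank LOGIN_FAIL
2020-07-01T10:00:05 198.51.100.7 grace LOGIN_OK
2020-07-01T10:05:00 203.0.113.9 alice LOGIN_FAIL
2020-07-01T10:05:30 203.0.113.9 alice LOGIN_FAIL
2020-07-01T10:06:00 203.0.113.9 alice LOGIN_OK
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (LOGIN_OK|LOGIN_FAIL)$")

def parse_log(text):
    """Yield (timestamp, ip, user, succeeded) tuples; skip malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, ip, user, result = m.groups()
            yield datetime.fromisoformat(ts), ip, user, result == "LOGIN_OK"

def find_stuffing_sources(text, window=timedelta(minutes=5), min_users=5):
    """Flag sources that tried >= `min_users` distinct accounts within
    `window`, with the accounts they logged into successfully.
    Stuffing replays one leaked credential per account, so one source
    cycling through many usernames is the tell; a user retrying their own
    password (203.0.113.9 above) is not flagged. Successes from a flagged
    source are the accounts to force-reset."""
    per_ip = defaultdict(list)
    for ts, ip, user, ok in parse_log(text):
        per_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:  # slide window
                start += 1
            users = {u for _, u, _ in events[start:end + 1]}
            if len(users) >= min_users:
                prev = flagged.get(ip, {"distinct_users": 0})["distinct_users"]
                flagged[ip] = {"distinct_users": max(prev, len(users)),
                               "compromised": sorted(u for _, u, ok in events if ok)}
    return flagged
```

Thresholds like five accounts in five minutes are assumptions for the sample; in production they are tuned per service, and the successful logins from a flagged source are the ones to reset, as Spotify did.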