The new compilation of Spotify usernames/password combinations has appeared online. It’s the second time a credential stuffing attack has been aimed at the music streaming site in three-months. Many users who were impacted by the Spotify hack were emailed to reset their passwords. The best way to avoid these credential stuffing attacks is never to reuse passwords.
Cybercriminals download these massive database leaks to comb through them to find valid accounts. Spotify accounts with a valid login are then bundled and ‘sold’ on the dark web for a few bucks an account. If you’ve ever had weird music appear in your playlist – someone else may be using your account. A cursory search of ‘Spotify hacker’ on Twitter showcases how common the issue of reused passwords really is.
“Someone hacked my Spotify, and I completely lost control of being able to select songs. I kept getting overridden by the hacker picking out Russian music. Removing all devices and changing multiple passwords did nothing to resolve the issue – absolutely nuts and kind of freaky,” writes one user on Twitter.
This kind of attack is nothing new, and all Spotify can do is reset passwords for affected accounts. In November, some users received password reset emails for this very issue. Researcher Bob Diachenko discovered this latest Spotify attack yesterday.
“I have uncovered a malicious Spotify logger database, with 100K account details (leaked elsewhere online) being misused and compromised as part of a credential stuffing attack,” Diachenko tweeted. Spotify directly addressed the researchers’ disclosure via a notice on Twitter.
“We recently protected some of our users against [a credential-stuffing attack],” the notice reads. “Once we became aware of the situation, we issued password resets to all impacted users, which rendered the public credentials invalid. We also worked to have the fraudulent database taken down by the ISP hosting it,” a Spotify spokesperson confirms.
Also Read: Amazon stole tips money from drivers
The incident in November involved a misconfigured database with over 380 million individual records. Those records included login credentials for hundreds of thousands of Spotify users. Diachenko says this second leak appears to be from a rival group of hackers.
Compromised accounts can be used to built botnets that shadow play music over and over. Thousands of fake plays generated by these compromised accounts could severely impact Spotify’s ecosystem. Always use a unique password for any of your music streaming services.