Security experts from vpnMentor have uncovered a possible credential stuffing operation that affected some Spotify accounts. Threat actors behind the campaign are using a database containing over 380 million records, including login credentials and other data for Spotify accounts, likely amassed from various sources. Experts estimated that the number of impacted users ranges between 300,000 and 350,000.null

“The origins of the database and how the fraudsters were targeting Spotify are both unknown. The hackers were possibly using login credentials stolen from another platform, app, or website and using them to access Spotify accounts.” .

“Working with Spotify, we confirmed that the database belonged to a group or individual using it to defraud Spotify and its users. We also helped the company isolate the issue and ensure its customers were safe from attack.”

Credential stuffing attacks involve botnets to try stolen login credentials usually obtained through phishing attacks and data breaches. This kind of attacks is very efficient due to the bad habit of users of reusing the same password over multiple services.

The database is 72 GB in size, it includes 380+ million records containing email addresses and login credentials , and whether the credentials could successfully login to a Spotify account.

spotify credential stuffing

The exposed data could expose users to multiple malicious activities, including identity theft & fraud, scams, phishing and malware attacks, and of course account abuse.

Below the timeline shared by the researchers:

  • Date discovered: July 3rd, 2020 (reviewed on July 9th)
  • Date Spotify contacted: July 9th, 2020
  • Date of Response: July 9th, 2020
  • Date of Action: Between July 10th and July 21st

Spotify announced that it is forcing the password reset for all the impacted users. 

Let’s remind that Spotify does not support two-factor authentication for its users, this means hackers who have had access to the unsecured Elasticsearch DB discovered by vpnMentor may have had access to the Spotify accounts.