Hackers used credential-stuffing trick to access 350,000 Spotify accounts

Security researchers recently discovered a large, misconfigured Elasticsearch database that fraudsters were using to break into up to 350,000 Spotify accounts with login credentials stolen in other data breaches.

Security researchers Noam Rotem and Ran Locar from vpnMentor’s research team recently discovered a 72GB Elasticsearch database that contained “over 380 million records, including login credentials and other user data being validated against the Spotify service.”

Working with Spotify, the researchers learned that the publicly-accessible database belonged to a team of fraudsters who were trying to defraud Spotify and its users. The fraudsters stored millions of login credentials obtained from other data breaches in the database and used the credentials to access between 300,000 and 350,000 user accounts.

Once it was clear that the fraudsters were using credential stuffing to get into hundreds of thousands of user accounts, Spotify initiated a ‘rolling reset’ of passwords for all affected users, so that the stolen credentials could no longer be used to access those accounts.

The operation might have continued undetected had the fraudsters secured their Elasticsearch database. Instead, they left it exposed without a password, which is how vpnMentor’s research team found it in July.

Notwithstanding the error on the part of the fraudsters, the incident demonstrates how easy it is for malicious actors to take over people’s online accounts by exploiting the fact that many people still reuse the same password across multiple services for the sake of convenience. Credential stuffing requires no flaw in the target: the attacker simply replays username and password pairs leaked from one breach against the login endpoint of another service, and every account whose owner reused that password falls.
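Credential stuffing leaves a recognisable trace in a service’s own authentication logs: one source tries many distinct usernames, most attempts fail, and a small fraction succeed on the reused passwords. The following is an added example, not Spotify’s detection logic or vpnMentor’s tooling. It scores each source IP on that pattern over a few constructed log lines and lists the accounts that a ‘rolling reset’ would need to cover. The log format (`<timestamp> <source_ip> <username> <result>`), the thresholds and the function names are all assumptions made for the example.

```python
"""Credential-stuffing detection over authentication logs (added example).

A stuffing source tries many *distinct* usernames, mostly fails, and
succeeds only where a password was reused.  Per-source IP we track
attempts, distinct usernames and successes, and flag sources whose
distinct-username ratio is high and success ratio is low.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field

# Thresholds are assumptions for the example; tune them to real traffic.
MIN_ATTEMPTS = 8          # too few attempts to judge a source below this
MIN_DISTINCT_RATIO = 0.8  # distinct users / attempts; brute force on one user stays low
MAX_SUCCESS_RATIO = 0.5   # stuffing mostly fails; a legitimate user mostly succeeds

# Constructed sample log, assumed layout: "<timestamp> <source_ip> <username> <result>".
# 203.0.113.7 walks a leaked credential list; 198.51.100.20 is a user who
# mistyped a password twice; 192.0.2.44 is a single normal login.
SAMPLE_LOG = """\
2020-07-03T10:00:01Z 203.0.113.7 alice@example.com FAIL
2020-07-03T10:00:01Z 203.0.113.7 bob@example.com FAIL
2020-07-03T10:00:02Z 203.0.113.7 carol@example.com OK
2020-07-03T10:00:02Z 203.0.113.7 dave@example.com FAIL
2020-07-03T10:00:03Z 203.0.113.7 erin@example.com FAIL
2020-07-03T10:00:03Z 203.0.113.7 frank@example.com FAIL
2020-07-03T10:00:04Z 203.0.113.7 grace@example.com FAIL
2020-07-03T10:00:04Z 203.0.113.7 heidi@example.com OK
2020-07-03T10:00:05Z 203.0.113.7 ivan@example.com FAIL
2020-07-03T10:00:05Z 203.0.113.7 judy@example.com FAIL
2020-07-03T10:00:10Z 198.51.100.20 alice@example.com FAIL
2020-07-03T10:00:15Z 198.51.100.20 alice@example.com FAIL
2020-07-03T10:00:20Z 198.51.100.20 alice@example.com OK
2020-07-03T10:01:00Z 192.0.2.44 bob@example.com OK
"""


@dataclass
class SourceStats:
    attempts: int = 0
    ok_count: int = 0
    users: set = field(default_factory=set)        # every username tried from this source
    compromised: set = field(default_factory=set)  # usernames that logged in from this source

    @property
    def distinct_ratio(self) -> float:
        return len(self.users) / self.attempts

    @property
    def success_ratio(self) -> float:
        return self.ok_count / self.attempts


def parse_line(line: str):
    """Parse one log line into (ip, user, ok); return None for malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    _ts, ip, user, result = parts
    return ip, user.lower(), result == "OK"


def aggregate(log_text: str) -> dict:
    """Build per-source statistics from the raw log text."""
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, user, ok = parsed
        s = stats[ip]
        s.attempts += 1
        s.users.add(user)
        if ok:
            s.ok_count += 1
            s.compromised.add(user)
    return dict(stats)


def is_stuffing(s: SourceStats) -> bool:
    """Heuristic: enough volume, almost every attempt a new user, mostly failing."""
    return (s.attempts >= MIN_ATTEMPTS
            and s.distinct_ratio >= MIN_DISTINCT_RATIO
            and s.success_ratio <= MAX_SUCCESS_RATIO)


def flagged_sources(stats: dict) -> list:
    return sorted(ip for ip, s in stats.items() if is_stuffing(s))


def accounts_to_reset(stats: dict) -> set:
    """Accounts that authenticated from a flagged source: the reset list."""
    out = set()
    for s in stats.values():
        if is_stuffing(s):
            out |= s.compromised
    return out


if __name__ == "__main__":
    stats = aggregate(SAMPLE_LOG)
    for ip in flagged_sources(stats):
        s = stats[ip]
        print(f"{ip}: {s.attempts} attempts, {len(s.users)} distinct users, {s.ok_count} successes")
    print("reset:", sorted(accounts_to_reset(stats)))
```

Note the limit of a per-IP heuristic: a stuffing operation spread across a large proxy pool may send only one or two attempts per address and never cross `MIN_ATTEMPTS`. In that case the same ratios have to be computed over a different key (the autonomous system, the client fingerprint, or simply the whole login endpoint per time window) rather than per source IP.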

This is why, says Javvad Malik, security awareness advocate at KnowBe4, it’s important that users understand the importance of choosing unique and strong passwords across their accounts and, where available, enable and use MFA. That way, even if an account is compromised, it won’t be possible for attackers to use those credentials to breach other accounts.

According to Niamh Muldoon, OneLogin’s Senior Director of Trust and Security, this is a great example of why single authentication mechanisms are so weak. It can be hard for individuals to remember all the accounts they hold and to keep up to date with every data breach that is happening. Therefore, organisations should enable their end users to be as security-first and conscious as possible.

“An easy way for organisations to do this is by streamlining access via a single sign-on platform, securing their access via two-factor authentication to protect them against risks like the Spotify end-users experienced,” she said.

This is certainly not the first time that hackers have employed credential stuffing to gain access to a large number of online accounts. In early 2019, fraudsters carried out credential-stuffing attacks to gain access to accounts of Deliveroo users and placed orders on their behalf, thereby inflicting losses of hundreds, sometimes thousands, of pounds to Deliveroo’s customers.

In response, a Deliveroo spokesperson told the New Statesman that the company protected customers’ personal and financial data using encryption and hashing, and that the hijacking of customer accounts was not due to any flaw in its security but to customers using the same password for different accounts and falling victim to credential-stuffing attacks.

Copyright Lyonsdown Limited 2021