Researchers from vpnMentor uncovered a possible credential stuffing operation that affected some Spotify accounts. The scheme was discovered after the researchers came across an Elasticsearch database containing over 380 million records, including login credentials and other user data collected from various sources, which the attackers were using to gain access to Spotify accounts. vpnMentor estimates that the number of impacted users is between 300,000 and 350,000.
Credential stuffing is an attack in which username and password pairs leaked from one breach are replayed, usually by automated tooling, against the login pages of unrelated services. It works because many consumers reuse the same password across sites, so a pair stolen from one service will often open an account elsewhere; unlike brute forcing, it tries roughly one password per account and relies on volume across many accounts rather than many guesses against one.
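The detection side of that distinction, as an added example that is not part of the original article and is not vpnMentor's or Spotify's code: the log format and the sample lines below are constructed and hypothetical (timestamp, source IP, account, result), and the thresholds are illustrative assumptions. The script aggregates authentication events per source IP and separates a credential-stuffing source (many distinct accounts, about one attempt each) from a single-account brute-force source and from ordinary failed logins, then lists the accounts the stuffing source actually got into, which is the set a defender would prioritise for a forced password reset.

```python
"""Classify authentication sources as credential stuffing, brute force or benign.

Added example with a constructed log format; adapt parse_line() to the real
format your identity provider emits. Thresholds are illustrative assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log: "<timestamp> <src_ip> <account> <FAIL|SUCCESS>".
# 203.0.113.7  replays one password per account across many accounts (stuffing).
# 198.51.100.9 hammers a single account with many passwords (brute force).
# 192.0.2.5    is a user who mistyped once and then logged in (benign).
SAMPLE_LOG = """\
2020-11-20T10:00:01Z 203.0.113.7 alice@example.com FAIL
2020-11-20T10:00:01Z 203.0.113.7 bob@example.com FAIL
2020-11-20T10:00:02Z 203.0.113.7 carol@example.com SUCCESS
2020-11-20T10:00:02Z 203.0.113.7 dave@example.com FAIL
2020-11-20T10:00:03Z 203.0.113.7 erin@example.com FAIL
2020-11-20T10:00:03Z 203.0.113.7 frank@example.com FAIL
2020-11-20T10:00:04Z 203.0.113.7 grace@example.com FAIL
2020-11-20T10:00:04Z 203.0.113.7 heidi@example.com SUCCESS
2020-11-20T10:00:05Z 203.0.113.7 ivan@example.com FAIL
2020-11-20T10:00:05Z 203.0.113.7 judy@example.com FAIL
2020-11-20T10:01:00Z 198.51.100.9 mallory@example.com FAIL
2020-11-20T10:01:01Z 198.51.100.9 mallory@example.com FAIL
2020-11-20T10:01:02Z 198.51.100.9 mallory@example.com FAIL
2020-11-20T10:01:03Z 198.51.100.9 mallory@example.com FAIL
2020-11-20T10:01:04Z 198.51.100.9 mallory@example.com FAIL
2020-11-20T10:05:00Z 192.0.2.5 alice@example.com FAIL
2020-11-20T10:05:10Z 192.0.2.5 alice@example.com SUCCESS
"""

# Illustrative thresholds (assumptions, tune against your own baseline).
MIN_DISTINCT_ACCOUNTS = 5          # stuffing touches many accounts...
MAX_MEAN_ATTEMPTS_PER_ACCOUNT = 1.5  # ...with about one password each
BRUTE_FORCE_MIN_ATTEMPTS = 5       # brute force: many attempts, one account


@dataclass
class SourceStats:
    attempts: int = 0
    accounts: set = field(default_factory=set)
    successes: set = field(default_factory=set)  # accounts that were entered


def parse_line(line):
    """Return (src_ip, account, succeeded) or None for a malformed line."""
    parts = line.split()
    if len(parts) != 4:
        return None
    _ts, ip, account, result = parts
    return ip, account.lower(), result == "SUCCESS"


def summarize(log_text):
    """Aggregate attempts, distinct accounts and successes per source IP."""
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, account, ok = parsed
        s = stats[ip]
        s.attempts += 1
        s.accounts.add(account)
        if ok:
            s.successes.add(account)
    return stats


def classify(s):
    """Label one source by the shape of its activity, not just its volume."""
    n_accounts = len(s.accounts)
    mean_per_account = s.attempts / n_accounts
    if n_accounts >= MIN_DISTINCT_ACCOUNTS and mean_per_account <= MAX_MEAN_ATTEMPTS_PER_ACCOUNT:
        return "credential_stuffing"
    if s.attempts >= BRUTE_FORCE_MIN_ATTEMPTS and n_accounts == 1:
        return "brute_force"
    return "benign"


def analyze(log_text):
    """Return (verdict per source IP, accounts entered by a stuffing source)."""
    stats = summarize(log_text)
    verdicts = {ip: classify(s) for ip, s in stats.items()}
    compromised = sorted(
        account
        for ip, s in stats.items()
        if verdicts[ip] == "credential_stuffing"
        for account in s.successes
    )
    return verdicts, compromised


if __name__ == "__main__":
    verdicts, compromised = analyze(SAMPLE_LOG)
    for ip, verdict in verdicts.items():
        print(f"{ip:14} {verdict}")
    print("force password reset for:", ", ".join(compromised))
```

Per-IP aggregation is the simplest cut and is exactly what a stuffing operator defeats by spraying attempts across residential proxies, so in production the same shape test (distinct accounts versus attempts per account) is usually run per ASN, per device fingerprint and per time window as well, and the successful logins are also checked against a corpus of known-breached credentials before a reset is forced.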
“In this case, the incident didn’t originate from Spotify. The exposed database belonged to a 3rd party that was using it to store Spotify login credentials. These credentials were most likely obtained illegally or potentially leaked from other sources that were repurposed for credential stuffing attacks against Spotify,” the researchers said.
It is not clear who is behind the campaign or how the fraudsters were targeting Spotify.
The discovered database included 380 million records, each containing a login name (an email address), a password, and a flag indicating whether that pair could successfully log in to a Spotify account, i.e. the attackers had already validated the stolen credentials against Spotify's login.
After the researchers contacted Spotify over the issue, the company initiated a ‘rolling reset’ of passwords for all users affected.
“As a result, the information on the database would be voided and become useless,” vpnMentor said.