This week, the vpnMentor research team uncovered a credential stuffing operation that affects some online users who have Spotify accounts. Credential stuffing is a cyberattack in which attackers take stolen account credentials (usernames and/or email addresses, together with their passwords) and try them on the login page of another digital service. Attackers use this technique because most people reuse the same username and password across multiple online accounts.
The researchers said that the database contained over 380 million records, “including login credentials and other user data being validated against the Spotify service.” According to them, the database does not belong to the music streaming service itself, as its origins are unknown. Rather, the third party who created the database may have collected the records from other sources. An attacker can use these records to hijack user accounts.
vpnMentor saw the database on July 3 and informed Spotify on July 9. In response, Spotify initiated a rolling reset of the passwords of some users identified in the database, so that those username and password combinations could not be used for credential stuffing.
Although this affects only a small percentage of Spotify users, we should stay vigilant against this kind of attack. The lesson is that we should not reuse passwords, and that we should change our passwords frequently to protect our data and keep our accounts safe.