Spotify resets user passwords after 300,000 user accounts leaked

Using a database of 380 million personal records, a hacker group has attempted to gain access to thousands of Spotify accounts. Hacking is the main problem that users of this music platform go through, as reports constantly appear about unauthorized login attempts, password changes or unusual recommendations.

The most common method for hacking a Spotify account (and other online platforms) is the credential stuffing attack, which involves using huge combinations of usernames and passwords to try to login to certain accounts. The security firm VPNMentor published a report on an exposed database with more than 300 million combinations used in an attack on Spotify.

According to experts, each record in this database contains a username (usually in the form of an email address), a password and its usefulness to successfully log into a Spotify account, as shown in the following screenshot:

La imagen tiene un atributo ALT vacío; su nombre de archivo es spotify24112020.jpg

Experts are still unaware of how this information was collected, although it is most likely the result of previous data breach incidents. In a first estimate of the incident, experts estimated that between 300 and 350 thousand accounts; experts reported the incident to Spotify, which has already spoken out.

“In response to this report, we have implemented a continuous reset of all affected users’ passwords; as a result the database’s information will become completely useless”, Spotify’s release states. The incident occurred a few months ago, so Spotify has been confirmed to mention that the reset was performed last July.

Spotify does not have the multi-factor authentication feature, which could increase user security. The platform needs to implement some mechanism to strengthen its security.