Data leak exposes the passwords of thousands of Spotify users

Spotify users were notified of the possible exposure of their confidential data to an external business partner. Potentially compromised information includes data such as email addresses, usernames, passwords, and dates of birth.

This is the third security incident impacting the streaming platform in less than a month.

In a statement, the company’s representatives mentioned that the incident occurred due to a severe vulnerability in the platform that existed between April 9 and November 12, when it was finally corrected: “We have conducted an internal investigation in addition to contacting our business partners who could have accessed the compromised information. We want to make sure that this data has been completely deleted.”


Users were notified of this incident just a few days after the Spotify profiles of some of the world’s most popular artists were hacked by an individual identified as “Daniel”. To make matters worse, the incident coincided with the release of Spotify Wrapped, one of the platform’s most important campaigns.

As if that weren’t enough, by the end of November the company was addressing a massive credential stuffing campaign. In this type of attack, malicious hackers take passwords exposed in previous data breaches and try them against other online platforms, where users may have reused the same credentials.

Regarding the most recent incident, the company says that a small number of users were affected by a software bug that has already been fixed: “To mitigate the risks associated with the incident, we issued a password reset of the affected users. The security of our users’ information is one of our priorities, we take these obligations very seriously,” the company’s report states.

This incident has already been addressed, although this is not always the case. Kacey Clark, a cybersecurity specialist, mentions that these are exactly the occasions every malicious hacker wants to encounter: “Attackers can take control of any of these platforms using simple hacking tools. These automated scripts are used to abuse login systems to force access,” she says.