Spotify confirms new credential stuffing attack; reset your password immediately

Just a couple of months after the information security incident that affected thousands of Spotify users, the music streaming platform confirmed the detection of a new credential stuffing attack, which led to a mass password reset as an emergency security measure. In a credential stuffing attack, cybercriminals use automated tools that try to log in to online accounts with email addresses and passwords leaked in previous security incidents.

In mid-November 2020, a malicious hacking group tried to compromise the accounts of thousands of Spotify users using this technique. Although the incident was addressed immediately by Spotify security teams, the platform's developers could not foresee that a new attack was on its way.

This week, cybersecurity specialist Bob Diachenko reported the discovery of a new leaked database with more than 100,000 records belonging to Spotify users. Diachenko notified the company of his finding, and Spotify confirmed the authenticity of the records: “We recently implemented some security mechanisms to protect our users from a credential stuffing attack. Upon detecting the potential risk, we decided to reset the passwords of all potentially affected users, invalidating the leaked credentials,” the streaming platform said.

Spotify security teams believe that both attacks share similar causes. In the November incident, investigators found a poorly configured Elasticsearch database with more than 300 million records, including valid login credentials for Spotify accounts; the database was operated by a malicious third party.

This week’s attack is very similar, since the database used by the hackers was also hosted on an Elasticsearch instance, Diachenko notes. The information it contained is believed to have been collected from other security incidents.

While the compromise of a Spotify account may not have severe consequences in itself, the real issues could come afterwards: “For those who use the same password on more than one online platform, stealing their Spotify login credentials could compromise their email accounts, social media, business platforms, and even online banking accounts,” Diachenko adds.

The researcher concludes that the best way to protect ourselves against a potential credential stuffing attack is simply to use a unique password for each online platform we control, and to enable additional protection mechanisms such as multi-factor authentication and one-time security codes.
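As an added illustration (not code from this article, from Spotify or from the researcher), the Python heuristic below shows how a defender can spot the automated login-replay pattern described above in authentication logs: a single source whose failed logins hit many distinct accounts within a short window, which is what distinguishes a leaked-list replay from a user mistyping one password. The log format, IP addresses and account names are constructed for the example.

```python
"""Flag credential-stuffing sources in authentication logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log: one real user who mistypes twice, and one source that
# replays a leaked list against many accounts and gets a single hit.
SAMPLE_LOG = [
    "2020-11-15T10:00:00Z ip=198.51.100.7 user=bob@example.com result=FAIL",
    "2020-11-15T10:00:20Z ip=198.51.100.7 user=bob@example.com result=FAIL",
    "2020-11-15T10:00:35Z ip=198.51.100.7 user=bob@example.com result=OK",
    "2020-11-15T10:00:00Z ip=203.0.113.5 user=a1@example.com result=FAIL",
    "2020-11-15T10:00:01Z ip=203.0.113.5 user=a2@example.com result=FAIL",
    "2020-11-15T10:00:02Z ip=203.0.113.5 user=a3@example.com result=FAIL",
    "2020-11-15T10:00:03Z ip=203.0.113.5 user=a4@example.com result=OK",
    "2020-11-15T10:00:04Z ip=203.0.113.5 user=a5@example.com result=FAIL",
    "2020-11-15T10:00:05Z ip=203.0.113.5 user=a6@example.com result=FAIL",
]

LOG_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<res>OK|FAIL)$")

def parse_line(line):
    """Return (timestamp, ip, user, result), or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), m["ip"], m["user"], m["res"]

def find_stuffing_sources(lines, window_s=60, min_accounts=5, min_fail_ratio=0.8):
    """Return {ip: distinct accounts failed} for sources whose failures inside any
    window_s span touch at least min_accounts different users and whose overall
    failure ratio is at least min_fail_ratio (a few successes are expected: that
    is how the attacker learns which leaked pairs are still valid)."""
    by_ip = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, ip, user, res = parsed
            by_ip[ip].append((ts, user, res))
    flagged = {}
    for ip, events in by_ip.items():
        fails = sorted((ts, user) for ts, user, res in events if res == "FAIL")
        if not fails or len(fails) / len(events) < min_fail_ratio:
            continue  # a user retyping one password, not a list replay
        start, best = 0, 0
        for end in range(len(fails)):  # sliding time window over the failures
            while (fails[end][0] - fails[start][0]).total_seconds() > window_s:
                start += 1
            best = max(best, len({u for _, u in fails[start:end + 1]}))
        if best >= min_accounts:
            flagged[ip] = best
    return flagged
```

Thresholds are illustrative; in production they would be tuned per service, and the same check would be run per username and per network prefix to catch replays spread across many source addresses.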