Security researchers have found an unprotected database on the Internet in which criminals had collected the login credentials of over 300,000 Spotify users. The database apparently does not come from Spotify itself; it was being used for credential stuffing.
The two researchers Noam Rotem and Ran Locar work for the VPN website VPN Mentor. On July 3, 2020, they found the verified credentials of over 300,000 Spotify users in an unprotected Elasticsearch database.
Elasticsearch is an open source search engine that indexes documents of various formats and makes them searchable. According to VPN Mentor, the perpetrators had left their own database of around 72 gigabytes and 380 million records openly accessible online, without any access protection.
In a blog post, the researchers explain that the database did not come from Spotify itself. The criminals compiled the list from credentials stolen elsewhere and used credential stuffing to verify which of them work on Spotify.
What is credential stuffing?
Credential stuffing is an attack in which criminals take username and password pairs stolen from one service and automatically try them against the logins of other services.
With the stolen Spotify access data, the perpetrators can, for example, try to log into social networks or other paid streaming services such as Netflix. E-mail accounts and bank accounts are just as interesting to them.
They are betting that users reuse the same credentials for multiple services, and they aim to profit from the hijacked accounts.
How does credential stuffing work?
Attackers need a few components for credential stuffing: a list of stolen credentials, an automated program that tries them, and a supply of changing IP addresses.
The program tries to log into one service after another with the stolen login data. The source IP address is changed again and again so that the target server does not block the login attempts.
If the number of failed login attempts from one address becomes too high, every well-configured server blocks that IP address; the constant rotation keeps each address below that threshold. As soon as a login succeeds, the program records the working credentials together with any account data it can reach and saves them for later use, for example in phishing attacks.
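The following Python script is an added example, not code from VPN Mentor, Spotify or this article. It shows both sides of the mechanism described above: the per-IP blocking that a well-configured server applies, why rotating source addresses slips under it, and how a defender can still spot the attack by looking across addresses at failures spread thinly over many different accounts. The log format, field names and thresholds are assumptions for the example, and the log lines are constructed.

```python
"""Spotting credential stuffing in authentication logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Assumed format per attempt:
#   <ISO-8601 time> ip=<address> user=<account> result=<ok|fail>
# Six attacker IPs each try two different accounts (one hit: "dana"),
# plus two legitimate users: bob logs in at once, carol mistypes twice.
SAMPLE_LOG = """\
2020-07-03T10:00:01Z ip=203.0.113.10 user=anna result=fail
2020-07-03T10:00:02Z ip=203.0.113.10 user=bert result=fail
2020-07-03T10:00:03Z ip=203.0.113.11 user=chris result=fail
2020-07-03T10:00:04Z ip=203.0.113.11 user=dana result=ok
2020-07-03T10:00:05Z ip=203.0.113.12 user=emil result=fail
2020-07-03T10:00:06Z ip=203.0.113.12 user=fritz result=fail
2020-07-03T10:00:07Z ip=203.0.113.13 user=gina result=fail
2020-07-03T10:00:08Z ip=203.0.113.13 user=hans result=fail
2020-07-03T10:00:09Z ip=203.0.113.14 user=ines result=fail
2020-07-03T10:00:10Z ip=203.0.113.14 user=jonas result=fail
2020-07-03T10:00:11Z ip=203.0.113.15 user=karl result=fail
2020-07-03T10:00:12Z ip=203.0.113.15 user=lena result=fail
2020-07-03T10:00:20Z ip=192.0.2.5 user=bob result=ok
2020-07-03T10:00:30Z ip=192.0.2.9 user=carol result=fail
2020-07-03T10:00:35Z ip=192.0.2.9 user=carol result=fail
2020-07-03T10:00:41Z ip=192.0.2.9 user=carol result=ok
"""

LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(ok|fail)$")


def parse(log_text):
    """Turn log lines into (timestamp, ip, user, success) tuples; skip anything else."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2), m.group(3), m.group(4) == "ok"))
    return events


def per_ip_block_list(events, max_failures=5):
    """The classic defence: block an IP once it has max_failures or more failed logins.
    An attacker who rotates addresses stays below this, so the list stays empty."""
    fails = defaultdict(int)
    for _, ip, _, ok in events:
        if not ok:
            fails[ip] += 1
    return sorted(ip for ip, n in fails.items() if n >= max_failures)


def detect_stuffing(events, window=timedelta(minutes=5), max_attempts_per_ip=3,
                    min_spray_ips=5, min_users=6):
    """Look across IPs: many low-volume addresses that each fail against
    different accounts and never retry the same one is the stuffing signature."""
    if not events:
        return []
    events = sorted(events)
    t0 = events[0][0]
    buckets = defaultdict(list)
    for ev in events:
        buckets[(ev[0] - t0) // window].append(ev)  # fixed time buckets

    findings = []
    for bucket, evs in sorted(buckets.items()):
        by_ip = defaultdict(list)
        for ev in evs:
            by_ip[ev[1]].append(ev)
        spray_ips = {}
        for ip, attempts in by_ip.items():
            users = {a[2] for a in attempts}
            had_failure = any(not a[3] for a in attempts)
            # Spraying IP: few attempts, every one against a different account,
            # at least one failure. A real user retrying their own account does not match.
            if had_failure and len(attempts) <= max_attempts_per_ip and len(users) == len(attempts):
                spray_ips[ip] = attempts
        targeted = {a[2] for attempts in spray_ips.values() for a in attempts}
        if len(spray_ips) >= min_spray_ips and len(targeted) >= min_users:
            findings.append({
                "window_start": t0 + bucket * window,
                "spray_ips": len(spray_ips),
                "targeted_users": len(targeted),
                # accounts whose stolen password was just verified to work
                "compromised": sorted({a[2] for attempts in spray_ips.values()
                                       for a in attempts if a[3]}),
            })
    return findings


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("per-IP block list:", per_ip_block_list(evs))
    for f in detect_stuffing(evs):
        print(f)
```

On the constructed log the per-IP block list comes back empty, because no single address reaches the failure threshold, while the cross-IP check flags one window with six spraying addresses, twelve targeted accounts and one account ("dana") whose password was confirmed to work. In practice the thresholds would be tuned to the service's normal traffic, and a flagged window would trigger a forced password reset for the confirmed accounts and a step-up challenge for the rest.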
What else can attackers do with the stolen data?
Credential stuffing is a very successful attack method because many Internet users use the same credentials for different platforms and services.
The attackers could also use the Spotify access data, for example, to send fake invoices or to spread malware.
In addition, because the database sat unprotected on the Internet, third parties could also have discovered and misused it. VPN Mentor reported the case to Spotify on July 9, 2020, six days after the discovery, and has now made it public.
Spotify has since contacted the affected users and asked them to change their login details.
How can I prevent credential stuffing?
Credential stuffing only works so well because many users reuse the same passwords over and over again. On top of that, the Hasso Plattner Institute (HPI) published the most popular passwords among Germans in 2019, and they were shockingly simple.
Passwords like “123456” are of course trivial to guess. If a user then uses the same one for multiple accounts, little stands in the way of a credential stuffing attack.
It is therefore important to always use different credentials for different platforms. The passwords can, if absolutely necessary, be written down in a small notebook or managed digitally with a password manager app.
That is how you protect yourself against credential stuffing. For additional security, enable two-factor authentication wherever it is available, so that a correct password alone is not enough to log in.