Several media outlets have reported that the personal data and login credentials of more than 350,000 Spotify users were found in a large 72GB database, holding more than 38 million records, that had been exposed on the Internet, according to research carried out by the company vpnMentor.
350,000 Spotify users affected
Hackers have “unintentionally” exposed the Spotify access data of 350,000 users, including their passwords, because after stealing them they stored them on an insecurely configured server. That is, the hackers have been hacked. Leaving the “humor” aside, the passwords were not stolen directly from Spotify or leaked from its own service, so as far as the platform itself is concerned we can rest assured.
They were actually obtained by a technique called “credential stuffing.” Since users often share passwords between services, the cybercriminals took databases from previous leaks and tested whether those credentials worked on Spotify, succeeding in a large number of cases.
The simplicity of passwords: the key to everything
The database was discovered by vpnMentor cybersecurity researchers Ran Locar and Noam Rotem, as reported on the company’s official blog; they noticed the unprotected database while scanning the Internet for insecure data.
The data is believed to have been obtained through a technique called “credential stuffing” (literally, “credential filling”), which consists of taking email addresses and passwords from other platforms, applications or websites that have already been exposed on the Internet, and trying them until the attackers find the ones that also log in to Spotify.
Although it may seem like an arduous task for the hackers, it is not so hard, because many users repeat or “reuse” the same password for different online services. That is why it is always recommended to change passwords regularly and never use the same password for different online platforms: if one is exposed, the rest of the services would also be compromised.
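As an added example (not from the article or from vpnMentor’s research), this Python snippet shows how a service’s own defenders can spot credential stuffing in login logs: a source that tries many distinct accounts with a high failure rate stands out, and the accounts it did get into are the ones whose reused password worked and should be force-reset. The log format, IP addresses and account names are constructed.

```python
import re
from collections import defaultdict

# Constructed sample login events (not real data): one source tries many
# different accounts and fails on most; a real user mistypes once then logs in.
SAMPLE_LOG = """\
2020-11-23T10:00:01Z ip=203.0.113.5 user=alice@example.com result=FAIL
2020-11-23T10:00:02Z ip=203.0.113.5 user=bob@example.com result=FAIL
2020-11-23T10:00:03Z ip=203.0.113.5 user=carol@example.com result=OK
2020-11-23T10:00:04Z ip=203.0.113.5 user=dave@example.com result=FAIL
2020-11-23T10:00:05Z ip=203.0.113.5 user=erin@example.com result=FAIL
2020-11-23T10:00:06Z ip=203.0.113.5 user=frank@example.com result=OK
2020-11-23T10:05:00Z ip=198.51.100.7 user=heidi@example.com result=FAIL
2020-11-23T10:05:09Z ip=198.51.100.7 user=heidi@example.com result=OK
"""
LINE_RE = re.compile(r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)")

def parse_events(log_text):
    """Yield (ip, user, success) tuples; lines that do not match are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["ip"], m["user"], m["result"] == "OK"

def find_stuffing_sources(events, min_accounts=5, min_fail_ratio=0.6):
    """Return {ip: [accounts it logged into]} for sources that tried at least
    min_accounts distinct accounts and failed on at least min_fail_ratio of
    their attempts.  A user retrying their own password hits one account."""
    attempts, failures = defaultdict(int), defaultdict(int)
    accounts, successes = defaultdict(set), defaultdict(set)
    for ip, user, ok in events:
        attempts[ip] += 1
        accounts[ip].add(user)
        if ok:
            successes[ip].add(user)
        else:
            failures[ip] += 1
    return {
        ip: sorted(successes[ip])
        for ip, n in attempts.items()
        if len(accounts[ip]) >= min_accounts and failures[ip] / n >= min_fail_ratio
    }

def accounts_to_reset(log_text):
    """Accounts a flagged source logged into: their reused password worked,
    so they are the ones to force-reset, as Spotify did after the report."""
    flagged = find_stuffing_sources(parse_events(log_text))
    return sorted({u for users in flagged.values() for u in users})
```

The thresholds are assumptions to tune per service; a distributed campaign that spreads attempts across many source addresses needs the same statistics aggregated per account or per ASN instead of per IP.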
Spotify reacted quickly
Spotify, after receiving the researchers’ notice, reset the accounts of the affected users, forcing them to change their access credentials. However, those users remain exposed to potential account takeovers on other services, such as social networks, if they reused the same password there, and even to fraud attempts through ‘phishing’.
Remember that you must have a secure password
Seeing how weak the most common password of 2020 is, it is clear that there is still much awareness to raise about online security, and this Spotify incident is one more example. In principle, if we have not received an email from Spotify, our account is safe, but we should not become complacent.