Spotify has alerted users that some of their registration data was inadvertently exposed to a third-party business partner, including email addresses, preferred display names, passwords, gender and dates of birth. This is at least the third security incident in less than a month for the world’s largest streaming service.
A statement from Spotify about the incident said the exposure was due to a software vulnerability that existed from April 9 until Nov. 12, when it was corrected.
“We take any loss of personal information very seriously and are taking steps to help protect you and your personal information,” the statement, released Dec. 9, read. “We have conducted an internal investigation and have contacted all of our business partners that may have had access to your account information to ensure that any personal information that may have been inadvertently disclosed to them has been deleted.”
The announcement comes just a handful of days after the pages of some of the streaming service’s most popular artists were taken over by a malicious actor calling himself “Daniel,” who used the hijacked Spotify artist pages, including those of Dua Lipa and Pop Smoke, to proclaim his love of Trump and Taylor Swift. That incident occurred during the highly publicized year-end Spotify Wrapped 2020 announcement of the year’s most popular streams.
Just a week prior to that incident, in late November, Spotify was on the receiving end of a rash of account takeovers following a credential-stuffing operation. In this type of attack, threat actors bet on people reusing passwords: they take username/password pairs stolen from one breach and replay them, usually with automated tooling, against the login endpoints of other services to gain access to a range of accounts.
Researchers at vpnMentor found an unsecured, publicly accessible Elasticsearch database with more than 380 million Spotify user records, including login credentials.
“The exposed database belonged to a third party that was using it to store Spotify login credentials,” the firm said. “These credentials were most likely obtained illegally or potentially leaked from other sources.”
At the time of that exposure, Spotify initiated rolling password resets for affected users, rendering the credentials in the database useless.
Spotify & Credential Stuffing
Now Spotify’s user data has been exposed again.
“A very small subset of Spotify users was impacted by a software bug, which has now been fixed and addressed,” a statement from a Spotify spokesperson to Threatpost read. “Protecting our users’ privacy and maintaining their trust are top priorities at Spotify. To address this issue, we issued a password reset to impacted users. We take these obligations extremely seriously.”
The company urges users to update passwords for any other accounts tied to the same email address, since an exposed email/password pair is exactly what credential-stuffing tools replay against other services.
“Again, while we are not aware of any unauthorized use of your personal information, as a precautionary measure, we encourage you to remain vigilant by monitoring your account closely,” Spotify’s statement added. “If you detect any suspicious activity on your Spotify account, you should promptly notify us.”
Kacey Clark, threat researcher with Digital Shadows, told Threatpost that these types of basic data theft are exactly what malicious actors need to launch credential-stuffing attacks.
“Brute-force, cracking tools and account checkers are the cornerstones of many account takeover operations, reliably enabling attackers to get their hands on even more of your data,” Clark explained to Threatpost. “They’re automated scripts or programs applied to a login system ― whether it’s associated with an API or website ― to access a user’s account.”
Once they’re in, there’s little limit to the amount of damage account hackers could potentially inflict on victims.
“Criminal operations using brute-force cracking tools or account checkers may also take advantage of IP addresses, VPN services, botnets or proxies to maintain anonymity or improve the likelihood of accessing an account,” Clark added. “Once they’re in, they can use the account for malicious purposes or extract all of its data (potentially including payment-card details or personally identifiable information) to monetize it.”
She punctuated the point with Digital Shadows’ research findings that streaming services accounted for 13 percent of the accounts listed on criminal marketplaces.
“In the end, would you rather pay $10 a month for yet another streaming service, or pay $5 for lifetime access?” she asked.
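The two patterns described above, an account checker replaying many stolen username/password pairs from one source and the same operation spread across proxies or a botnet to hide the source, both leave a signature in authentication logs. The following detector is an added example written for this article; it is not Spotify’s code or anything the quoted researchers described. It runs two sliding-window checks over a constructed login log (the log format, the IP addresses from documentation ranges and the thresholds are all illustrative assumptions): a source IP that attempts many distinct usernames with mostly failures, and a username that is hit from many distinct IPs with mostly failures. A single IP hammering one account is deliberately not flagged by the first check, since that is ordinary brute forcing rather than stuffing.

```python
"""Credential-stuffing detection over login events (added example, constructed data)."""
from collections import defaultdict, deque

# Constructed sample log, not real Spotify data. One event per line:
#   <unix_ts> <source_ip> <username> <OK|FAIL>
SAMPLE_LOG = """\
1607500000 203.0.113.10 alice@example.com FAIL
1607500001 203.0.113.10 bob@example.com FAIL
1607500002 203.0.113.10 carol@example.com FAIL
1607500003 203.0.113.10 dave@example.com OK
1607500004 203.0.113.10 erin@example.com FAIL
1607500005 203.0.113.10 frank@example.com FAIL
1607500010 198.51.100.7 alice@example.com FAIL
1607500011 198.51.100.7 alice@example.com FAIL
1607500012 198.51.100.7 alice@example.com OK
1607500020 192.0.2.1 grace@example.com FAIL
1607500021 192.0.2.2 grace@example.com FAIL
1607500022 192.0.2.3 grace@example.com FAIL
1607500023 192.0.2.4 grace@example.com FAIL
1607500024 192.0.2.5 grace@example.com OK
1607500030 198.51.100.8 heidi@example.com OK
"""


def parse_log(text):
    """Parse the constructed log format into (ts, ip, user, success) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((int(ts), ip, user, result == "OK"))
    events.sort()
    return events


def _window_flags(events, key_fn, dim_fn, window, min_distinct, min_fail_ratio):
    """Sliding-window aggregation: for every key, track how many distinct `dim`
    values and how many failures fall inside the last `window` seconds.
    Returns {key: stats} for keys that crossed both thresholds, keeping the
    window with the most distinct values seen."""
    per_key = defaultdict(list)
    for ev in events:
        per_key[key_fn(ev)].append(ev)

    flagged = {}
    for key, evs in per_key.items():
        win = deque()                 # events currently inside the window
        distinct = defaultdict(int)   # dim value -> count inside the window
        fails = 0
        for ev in evs:
            ts, ok = ev[0], ev[3]
            win.append(ev)
            distinct[dim_fn(ev)] += 1
            fails += not ok
            # Evict events older than the window and keep the counters in sync.
            while win and win[0][0] < ts - window:
                old = win.popleft()
                distinct[dim_fn(old)] -= 1
                if distinct[dim_fn(old)] == 0:
                    del distinct[dim_fn(old)]
                fails -= not old[3]
            ratio = fails / len(win)
            if len(distinct) >= min_distinct and ratio >= min_fail_ratio:
                prev = flagged.get(key)
                if prev is None or len(distinct) > prev["distinct"]:
                    flagged[key] = {"distinct": len(distinct),
                                    "attempts": len(win),
                                    "fail_ratio": round(ratio, 2)}
    return flagged


def flag_stuffing_sources(events, window=300, min_users=5, min_fail_ratio=0.6):
    """Source IPs cycling through many usernames with mostly failed logins:
    the signature of an account checker replaying a stolen credential list."""
    return _window_flags(events, key_fn=lambda e: e[1], dim_fn=lambda e: e[2],
                         window=window, min_distinct=min_users,
                         min_fail_ratio=min_fail_ratio)


def flag_distributed_targets(events, window=300, min_ips=4, min_fail_ratio=0.5):
    """Usernames attacked from many distinct IPs with mostly failed logins:
    the same operation pushed through proxies or a botnet to dodge per-IP limits."""
    return _window_flags(events, key_fn=lambda e: e[2], dim_fn=lambda e: e[1],
                         window=window, min_distinct=min_ips,
                         min_fail_ratio=min_fail_ratio)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("stuffing sources:", flag_stuffing_sources(evs))
    print("distributed targets:", flag_distributed_targets(evs))
```

On the constructed log, 203.0.113.10 is flagged as a stuffing source (six usernames, one success) and grace@example.com as a distributed target (five IPs, one success), while 198.51.100.7 retrying a single account is left to a separate brute-force rule. The occasional OK inside a flagged window is the interesting part: that is the reused password the attacker was betting on, and it is the account that needs a forced reset and session revocation rather than just a block.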
Streaming Services Targeted
Media and streaming services are well-known targets of credential-stuffing attacks. Akamai recently identified the risk of credential-stuffing attacks for content providers like Spotify.
“Hackers are very attracted to the high profile and value of online streaming services,” according to the firm. In Akamai’s most recent report on the state of media-industry security, it found that a full 20 percent of the observed 88 billion credential-stuffing attacks over the past year were aimed at media companies.
“As long as we have usernames and passwords, we’re going to have criminals trying to compromise them and exploit valuable information,” Akamai researcher Steve Ragan explained. “Password-sharing and recycling are easily the two largest contributing factors in credential-stuffing attacks.”
And while good password protections are a smart way for consumers to protect their data, Ragan stressed it’s businesses that need to take proactive steps to boost security and maintain consumer trust.
“While educating consumers on good credential hygiene is critical to combating these attacks, it’s up to businesses to deploy stronger authentication methods and identify the right mix of technology, policies and expertise that can help protect customers without adversely impacting the user experience.”