Spotify Suffers Second Credential-Stuffing Cyberattack in 3 Months

spotify cyberattack

As many as 100,000 of the music streaming service’s customers could face account takeover.

Spotify streaming music aficionados are in the crosshairs of yet another credential-stuffing cyberattack, just three months after the last one. The service has forced password resets for impacted users.

Cybercriminals carrying out credential-stuffing take advantage of people who reuse the same passwords across multiple online accounts. Attackers simply build automated scripts that systematically try stolen IDs and passwords (either gleaned from a breach of another company or website, or purchased online) against various types of accounts.

Cybercriminals have successfully leveraged the approach to steal data from various popular companies’ customers, including big names like the North Face, Dunkin Donuts (which was also hit twice in three months) and popular chicken-dinner chain Nando’s. And last year, FC Barcelona’s official Twitter account was hacked in an apparent credential-stuffing attack.

Replay: A Second Credential-Stuffing Attack for Spotify

Back in November, cybercriminals attacked hundreds of thousands of Spotify users utilizing this approach, prompting the streaming music service to issue password-reset notices.

Researcher Bob Diachenko tweeted about the new Spotify attack on Thursday: “I have uncovered a malicious #Spotify logger database, with 100K+ account details (leaked elsewhere online) being misused and compromised as part of a credential stuffing attack.”

He also posted a Spotify statement on the incident that confirmed the attack.

“We recently protected some of our users against [a credential-stuffing attack],” the notice read. “Once we became aware of the situation, we issued password resets to all impacted users, which rendered the public credentials invalid.”

The company also noted that the attacks were carried out using an ill-gotten set of data: “We worked to have the fraudulent database taken down by the ISP hosting it.”

Cybercriminals Misconfigure the Cloud Too

In the first Spotify incident in November, researchers found a misconfigured and open Elasticsearch cloud database containing more than 380 million individual records, including login credentials and countries of residence for various people, all being actively being validated against Spotify accounts. The database was owned by a malicious third party, researchers said at the time.

This second attack is very similar, with the log-in data also exposed in a public Elasticsearch instance.

“There are similarities but this one looks different, like coming from a rival group,” Diachenko tweeted. He told Threatpost via Twitter DM that the data sets were unique to this attack.

“Originally this data was exposed inside a misconfigured (thus publicly reachable) Elasticsearch cluster – most likely operated by the malicious actors themselves,” he said. “It contained entire logs of their operations, plus email/password pairs they used [for the attack].”

The data once again also was likely gleaned from prior breaches.

“I suppose that login pairs came from previously reported breaches or collections of data, so they just re-use them against Spotify accounts to become part of this automated process,” Diachenko said.

What Are the Dangers of Credential-Stuffing?

On the surface, a cybercriminal being able to log into someone’s Spotify account would seem to be more of a nuisance than anything else. Setting up rogue playlists, deleting saved songs or straight-up hijacking the ability to listen to music are some of the potential headaches.

However, there’s more to think about, Diachenko noted: For those who do reuse passwords, a validated Spotify log-in combo can simply be used to infiltrate other, higher-value accounts.

“Technically, it is not that dangerous if somebody breaks into your Spotify account (apart from moral part of course),” he said. “However, the worst-case scenario is that your details would be traded underground or even publicly (I know there are many eBay resellers to do that).”

Compromised accounts could contain credit-card information, loyalty points that could be stolen or used, or physical shipping addresses. And, accounts can also contain information like birthdays, preferences (those Spotify playlists, for example) and other data that is ripe for abuse when it comes to developing social-engineering tricks for phishing attacks.

To protect themselves from credential-stuffing attacks, users should enable multi-factor authentication (MFA) on their accounts and avoid using passwords more than once.

Download our exclusive FREE Threatpost Insider eBook Healthcare Security Woes Balloon in a Covid-Era World, sponsored by ZeroNorth, to learn more about what these security risks mean for hospitals at the day-to-day level and how healthcare security teams can implement best practices to protect providers and patients. Get the whole story and DOWNLOAD the eBook now – on us!


Suggested articles