According to vpnMentor researchers, an Elasticsearch database with over 380 million records – including login credentials – was used to target Spotify accounts. While the origin and owners of the leaked database are unknown, researchers are speculating that hackers may have collected the private information from previously-breached platforms, using it in “credential-stuffing” attacks against Spotify users.
“The incident didn’t originate from Spotify,” the researchers explained. “The exposed database belonged to a 3rd party that was using it to store Spotify login credentials. These credentials were most likely obtained illegally or potentially leaked from other sources that were repurposed for credential stuffing attacks against Spotify.”
According to the researchers, the database allegedly contained over 72 GB of data, including verified Spotify usernames, passwords, email addresses and, in a few instances, IP addresses. However, those IP addresses are thought to have come from “proxy servers belonging to the operators of the network on which the database was hosted.” Researchers allegedly notified Spotify on July 9 of this year, which prompted the streaming giant to implement a mandatory password reset for all impacted users.
Experts say with any case of credential-stuffing attacks and/or data breaches, users should be extra cautious around phishing emails, which are sent to trick said users into exposing more personal or even financial information. It also becomes highly recommended to reset passwords for all online accounts that may share credentials with the impacted platform (in this case, Spotify).
“Fraudsters could use the exposed emails and names from the leak to identify users across other platforms and social media accounts,” the researchers added. “With this information, they could build complex profiles of users worldwide and target them for numerous forms of financial fraud and identity theft.”