Spotify has reset the passwords of 350,000 accounts, after researchers found a database online containing 380 million records that included login credentials for the music streaming service.

Spotify Targeted in Credential Stuffing Scheme

The research team at vpnMentor, led by Noam Rotem and Ran Locar, claims to have discovered a possible credential stuffing operation.

Credential stuffing is where username and passwords are obtained from a leak and then used to gain access to other accounts that reuse the same details.

During a web mapping project, the research team came across an Elasticsearch database that contained over 380 million records and totaled 32 GB. Within were login credentials that were being validated against Spotify.

The specifics of the hacking operation are unknown. The origins of the database and how Spotify was targeted remain a mystery. Nonetheless, the leak does come from a third party that hadn't encrypted the data, rather than Spotify itself.

Spotify Resets User Passwords

vpnMentor discovered the leak on July 3, 2020 and then reviewed it further on July 9, 2020. The reason for this delay is that the researchers need to understand the breach and its potential impact, along with producing a report that can be understood by everyone who reads it.

After the leak had been reviewed, the research team contacted Spotify on the same day. Spotify responded, then took action between July 10 and July 21, 2020.

That involved resetting the passwords of up to 350,000 users. While that may be a drop in the ocean compared to Spotify's 320 million monthly active users, it's still a substantial amount of people.

The type of information contained within the database included email addresses, passwords, and countries of residence.

Server IP addresses were also included in the leak, though vpnMentor note that these are likely from proxy servers that the database was hosted on, rather than individual users.

How You Can Protect Yourself

The reason these accounts were at risk is that they used simple or repetitive passwords across multiple services.

For example, one record from the database shows that someone had "spotify" as their password. It doesn't take a genius to figure out why this might be insecure.

You should always use a unique password for every single website. A password manager can help you maintain this so you don't need to rely on your memory.

At the very least, ensure you have long passwords that don't contain simple words, vary in upper and lower case, contain special characters, and don't include information about yourself.