VPNMentor’s research team has discovered a possible credential stuffing operation whose origins are unknown, but that affected some online users who also have Spotify accounts.
Credential stuffing is a hacking technique that takes advantage of weak passwords that consumers use — and often re-use — online.
Hackers have been attempting to gain access to Spotify accounts using a database of 380 million records with login credentials and personal information collected from various sources.
Many of the database records contained information about potential Spotify users, such as their Personally Identifiable Information (PII) data and Spotify login credentials.
This included:
- Account usernames and passwords verified on Spotify
- Email addresses
- Countries of residence
There were also numerous server IP addresses exposed in the leak. However, these were most likely from proxy servers belonging to the operators of the network on which the database was hosted.
The database contained over 72 GB of data, totaling 380+ million individual records, and was hosted on an unsecured Elasticsearch server. The origins of the database and how the fraudsters were targeting Spotify are both unknown. The hackers were possibly using login credentials stolen from another platform, app, or website, and using them to access Spotify accounts.
Spotify is probably the most popular music and audio media streaming service in the world, with over 299 million active monthly users in 2020.
The company was founded in Stockholm, Sweden, in 2006, and the first version of the Spotify app launched two years later, with 60 million songs available for streaming, and has grown rapidly in the years since.
Spotify went public in April 2018, skipping a traditional IPO and making a direct listing on the New York Stock Exchange. The company’s stock price has recently surged, doubling in value since March 2020, most likely due to increased engagement from listeners stuck at home while under lockdown.
