Over 300,000 thousand Spotify users may have had their data exposed and experienced disruption to their account during a credential stuffing attack in July this year. Up to 350,000 accounts were affected, according to Spotify, as attackers attempted to use login credentials stolen from elsewhere to gain access to their data and account information.
Credential stuffing attacks are designed to exploit users who use the same password for multiple accounts online, gaining access illegally to a set of login credentials and then using automated scripts to attempt to hack other accounts with the same information.
This particular attack used a stolen database containing over 380 million records, including login credentials and other user account information, of which over 300,000 were confirmed to be Spotify accounts.
VpnMentor researchers found this extraordinary trove of data during a web mapping project designed to uncover various IP vulnerabilities. The database itself was fully accessible - unsecured and unencrypted - meaning that anyone with an internet connection who knew where to look would be able to use it.
This shows that while the image of the cybercriminal is one of a tech genius hunched over a computer screen, using extraordinary skill to sneak through defenses, the reality is something else entirely. Javvad Malik, a Security Awareness Advocate at KnowBe4, said: “criminals don’t need sophisticated abilities to compromise accounts. Rather, they can take advantage of lax security practices on behalf of users”.
After first coming across the database in July, vpnMentor researchers got in touch with Spotify to find out what action was being taken. Spotify responded swiftly, initiating a password reset process to lockdown affected accounts, making the exposed data out-of-date, irrelevant, and useless.
The researchers suggested that the attackers were potentially using credentials acquired from another platform and using them to gain access to Spotify accounts. Spotify confirmed that the leak did not come from its servers. The database itself contained over 72 GB of data, as well as flags showing whether the login information could be used to access Spotify or not.
Of course, this sort of easily accessible data isn’t just useful for credential stuffing. Bad actors with access to these credentials and personal information would be able to steal identities and commit fraud online and on social media. There are all sorts of scams that work using stolen personal information as well as the ability to set up fake social media accounts.
Credential stuffing attacks are all about users not protecting themselves properly and not following best practices for personal hygiene online. Using weak passwords and recycling login details across accounts creates conditions that make it easy for cybercriminals to thrive.
Bitglass CTO Anurag Kahol commented in the wake of the attack: “A staggering 53% of consumers admit to reusing the same password across multiple sites, even knowing the risks associated. This poor password hygiene allows cybercriminals the opportunity and access to various accounts for the same individual across multiple services, rendering their digital footprint incredibly vulnerable as a result.”
He went on to advise all online consumers to do everything they can to prevent their accounts from being hacked and to mitigate the results of a successful attack.
Reducing the efficacy of credential stuffing attacks is not such a hard task. Using strong passwords, avoiding using the same passwords over and over, and enabling multi-factor authentication all make a huge difference. Using a password manager is a great way to avoid the complication of remembering multiple passwords across a range of sites.
Kahol also indicated that companies could do more to protect their customers, particularly when it comes to maintaining visibility and control over their data. He concluded that: “organizations must implement security solutions that remediate misconfigurations, enforce real-time access control, encrypt sensitive data at rest, manage the sharing of data with external parties, and prevent the leakage of sensitive information”.
Keith Neilson of CloudSphere was of the same opinion, stating: “To minimize the attack surface and prevent hackers from abusing personal data, businesses should invest in a platform with complete visibility into the cloud environment, and real-time security posture monitoring to minimize the cloud attack surface and ensure data does not end up in the wrong hands”.
This is not the first credential stuffing attack that has gained access to significant amounts of data. In 2019 in the UK, Deliveroo users’ credentials were exposed by a similar attack, with the hackers placing orders on their behalf resulting in significant personal financial losses.
Credential stuffing highlights how important maintaining good personal hygiene online is. Staying safe in the digital world is all about maintaining constant vigilance and following best practices at all times to make it as difficult as possible for bad actors to work.