Posted on November 25, 2020 at 2:36 PM
A recent report revealed that threat actors have compromised about 350,000 Spotify user accounts in a credential stuffing attack. They accessed the accounts remotely without even cracking Spotify’s system.
vpnMentor security researchers revealed that the attackers succeeded because they used login details retrieved from previous data breaches. The hackers then left the stolen data unencrypted and unsecured, giving anyone with an internet connection the opportunity to access it.
The hackers tried different username and password combinations on the Spotify platform until they found a match. This technique is known as credential stuffing, and it has become an increasingly popular way for threat actors to gain access to user accounts across many platforms.
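As an added illustration (not from the report or from vpnMentor's work): a small Python detector that separates the credential-stuffing pattern described above, many different usernames from one source with mostly failed logins, from a single user mistyping a password. The log format, usernames and IP addresses are constructed for the example.

```python
# Added example: flag credential stuffing in authentication logs.
# Stuffing differs from ordinary password guessing: one source tries MANY
# distinct usernames, each with one or a few passwords, and mostly fails.
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log in a hypothetical "timestamp ip user result" format.
SAMPLE_LOG = """\
2020-07-01T10:00:01 203.0.113.5 alice FAIL
2020-07-01T10:00:02 203.0.113.5 bob FAIL
2020-07-01T10:00:02 203.0.113.5 carol FAIL
2020-07-01T10:00:03 203.0.113.5 dave OK
2020-07-01T10:00:03 203.0.113.5 erin FAIL
2020-07-01T10:00:04 203.0.113.5 frank FAIL
2020-07-01T10:00:05 198.51.100.7 alice FAIL
2020-07-01T10:00:09 198.51.100.7 alice FAIL
2020-07-01T10:00:15 198.51.100.7 alice OK
"""

@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)

def parse_log(text):
    """Aggregate attempts, failures and distinct usernames per source IP."""
    stats = defaultdict(SourceStats)
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, ip, user, result = line.split()
        s = stats[ip]
        s.attempts += 1
        s.users.add(user)
        if result != "OK":
            s.failures += 1
    return stats

def flag_stuffing(stats, min_users=5, min_fail_ratio=0.8):
    """Return IPs whose pattern matches stuffing: many distinct usernames
    and a high failure ratio. A lone user retrying one account is not flagged.
    Accounts that logged in OK from a flagged source are the ones to reset."""
    flagged = []
    for ip, s in stats.items():
        ratio = s.failures / s.attempts
        if len(s.users) >= min_users and ratio >= min_fail_ratio:
            flagged.append(ip)
    return sorted(flagged)
```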
Ran Locar and Noam Rotem are part of the research team at vpnMentor. They discovered an Elasticsearch database holding more than 380 million records, including login credentials that had been validated against the Spotify service. According to the researchers, the database was collected as part of a massive web-mapping project.
Hackers unknowingly left the database unsecured
The researchers used port scanning to pick an IP block and test many systems for vulnerabilities or weaknesses. Through this scanning, they discovered that the database was open and accessible to anyone, as it had been left entirely unencrypted and unsecured.
In other words, the hackers left the data open to anyone with an internet connection. This was not deliberate, which shows that even hackers can sometimes be careless and forget the basics of cybersecurity.
The researchers also said that neither the source of the database nor the way the hackers were targeting Spotify was known. They suggested, however, that the hackers were probably using login details stolen from another website, app, or platform to log into the Spotify accounts. No one is sure about the hackers' main goal.
“The hackers were possibly using login credentials stolen from another platform,” the researchers said.
It is fully confirmed, however, that the database was stolen from another platform by a group or an individual, as the researchers worked with Spotify to verify the database.
According to the report, the researchers spotted the issue back in July. Within one week of discovering the attack, they contacted Spotify so it could quickly investigate and act to protect users' data and credentials.
Also in July, the streaming service introduced a rolling password reset for all affected users, prompting them to change their passwords, which ultimately rendered the information in the stolen database useless.
The researchers said they could not disclose the issue to the public earlier for security reasons. Now that Spotify has taken the necessary steps to protect users' data, the team felt there was a need to disclose the attack, with Spotify's approval.
Protecting accounts with more complex passwords
According to Javvad Malik, security awareness advocate at KnowBe4, the incident is a good reminder that threat actors don't need sophisticated or highly technical methods to compromise user accounts. They can simply profit from the lax security practices of some users, as was the case here.
The threat actors gained access to some user accounts by guessing their login credentials. According to Malik, this is only possible when the user has weak passwords that are easy to crack. As a result, security researchers advise users to protect their accounts with complex passwords that are not easy for threat actors to guess or crack.
Users are particularly exposed when it comes to protecting their login credentials. Most of the time they either reuse passwords from other sites or choose weak passwords, both of which put them at risk of credential stuffing attacks.
This makes it very important for users to understand why they need to protect their accounts with stronger passwords that are difficult to crack. If multi-factor authentication is available for their accounts, they should enable it to strengthen the accounts' protection, security researchers advised.