A security researcher has disclosed a credential stuffing attack against Spotify that used stolen credentials for roughly 100,000 user accounts. It is the second credential stuffing attack to hit the music streaming platform within a few months.
Earlier, in November 2020, an exposed Elasticsearch database was used to target Spotify accounts. That database held over 380 million records of user details and login credentials, and around 300,000 user accounts were compromised with it.
Researchers said at the time that the credentials must have been collected from earlier data breaches elsewhere. The latest attack likewise did not result from any breach of Spotify itself.
The threat actors behind the latest attack used what has been described as a Spotify logger database. Security researcher Bob Diachenko identified the database, which held over 100,000 sets of account details; the credentials were being used by the attackers and had been leaked through a different method, event and platform from the November database.
As soon as Spotify was informed of the incident, it issued password resets for the affected users, which rendered the exposed credentials invalid. The company said it also had the database taken down by contacting the ISP hosting it.
Spotify stated, “Credential stuffing attacks are a common tactic used by bad actors attempting to gain access to private user accounts. Bad actors use usernames and passwords leaked in data breaches elsewhere online, which individuals re-used across their online accounts.”
The organization also said that “This incident was not the result of any breach of Spotify’s security. Once we became aware of the situation, we issued a password reset to all impacted users, which rendered the public credentials invalid, and worked to have the fraudulent database taken down by the ISP hosting it.”
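The attack pattern Spotify describes, leaked username/password pairs replayed against a login endpoint, leaves a recognisable trace in authentication logs: one source tries many different usernames in a short window, most attempts fail, and the few successes are the accounts that now need a forced reset. The following detector, an added example that is not Spotify's code and not part of the original article, runs that logic over a few constructed log lines (timestamp, source IP, username, outcome). The log format, the IP addresses, the usernames and the thresholds are all assumptions for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real Spotify data). One source IP
# cycles through ten different usernames in a few seconds with two successes;
# a second IP retries a single account (brute force, not stuffing); a third is
# a normal login.
SAMPLE_LOG = """\
2021-02-01T10:00:01Z 203.0.113.7 alice@example.com FAIL
2021-02-01T10:00:02Z 203.0.113.7 bob@example.com FAIL
2021-02-01T10:00:02Z 203.0.113.7 carol@example.com OK
2021-02-01T10:00:03Z 203.0.113.7 dave@example.com FAIL
2021-02-01T10:00:03Z 203.0.113.7 erin@example.com FAIL
2021-02-01T10:00:04Z 203.0.113.7 frank@example.com FAIL
2021-02-01T10:00:05Z 203.0.113.7 grace@example.com FAIL
2021-02-01T10:00:06Z 203.0.113.7 heidi@example.com OK
2021-02-01T10:00:07Z 203.0.113.7 ivan@example.com FAIL
2021-02-01T10:00:08Z 203.0.113.7 judy@example.com FAIL
2021-02-01T10:01:00Z 198.51.100.9 mallory@example.com FAIL
2021-02-01T10:01:30Z 198.51.100.9 mallory@example.com FAIL
2021-02-01T10:02:00Z 198.51.100.9 mallory@example.com OK
2021-02-01T10:05:00Z 192.0.2.44 alice@example.com OK
"""

# Assumed line layout: "<ISO-8601 timestamp> <source ip> <username> <OK|FAIL>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


def parse_log(text):
    """Parse log lines into (timestamp, ip, user, success) tuples.

    Malformed lines are skipped so a single odd line cannot stall the detector.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, ip, user, result = m.groups()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "OK"))
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_users=5, max_success_rate=0.5):
    """Flag source IPs whose attempts, inside any sliding `window`, cover at
    least `min_users` distinct usernames with a success rate no higher than
    `max_success_rate`. The thresholds are assumed starting points, not tuned
    values. Returns {ip: summary}, where summary lists the accounts that were
    successfully logged into and therefore need a forced password reset.
    """
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the span fits inside `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            users = {e[2] for e in span}
            successes = sum(1 for e in span if e[3])
            rate = successes / len(span)
            if len(users) >= min_users and rate <= max_success_rate:
                current = flagged.get(ip)
                # Keep the widest qualifying span seen for this source.
                if current is None or len(users) > current["distinct_users"]:
                    flagged[ip] = {
                        "distinct_users": len(users),
                        "attempts": len(span),
                        "success_rate": rate,
                        "compromised": sorted(e[2] for e in span if e[3]),
                    }
    return flagged


if __name__ == "__main__":
    for ip, summary in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, summary)
```

The distinct-usernames-per-source signal is what separates stuffing from a brute-force attack on one account: 198.51.100.9 fails twice and then succeeds against a single user and is not flagged, while 203.0.113.7 is flagged with two accounts (carol and heidi) listed for reset, which mirrors the response Spotify describes above. In production the thresholds would be tuned against baseline traffic, the source key would usually combine IP with device or session fingerprint (stuffing tools rotate through proxies), and the `compromised` list would feed the password-reset workflow rather than a print statement.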
Reusing login credentials across online services is the single biggest factor that makes such attacks work.
Even a long, complex password offers no protection against credential stuffing if the same password is used on another service that is later breached. Experts therefore recommend a unique password for every online account; a password manager makes that practical, and enabling multi-factor authentication where a service offers it limits the damage when a password does leak.