Spotify Suffers Second Credential-Stuffing Cyberattack in 3 Months

  • Spotify streaming music aficionados are in the crosshairs of yet another credential-stuffing cyberattack, just three months after the last one. The service has forced password resets for impacted users.
  • Cybercriminals carrying out credential-stuffing take advantage of people who reuse the same passwords across multiple online accounts.
  • In the first Spotify incident in November, researchers found a misconfigured and open Elasticsearch cloud database containing more than 380 million individual records, including login credentials and countries of residence for various people, all being actively validated against Spotify accounts.
  • Compromised accounts could contain credit-card information, loyalty points that could be stolen or used, or physical shipping addresses.
  • Accounts can also contain information like birthdays, preferences (those Spotify playlists, for example) and other data that is ripe for abuse when it comes to developing social-engineering tricks for phishing attacks.
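The attack pattern the bullets above describe, reused credentials replayed against many accounts from a small set of sources with mostly failed logins, is what a service-side detector looks for before deciding which accounts to force through a password reset. The following is an added example and is not Spotify's code or anything from the original article: it runs a sliding-window check over a small constructed authentication log (hypothetical IPs and usernames) and returns, per flagged source, the number of distinct usernames tried and the accounts where a login actually succeeded.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data):
# "<ISO timestamp> <source IP> <username> <OK|FAIL>"
SAMPLE_LOG = """\
2021-02-01T10:00:01Z 203.0.113.7 alice@example.com FAIL
2021-02-01T10:00:02Z 203.0.113.7 bob@example.com FAIL
2021-02-01T10:00:03Z 203.0.113.7 carol@example.com FAIL
2021-02-01T10:00:04Z 203.0.113.7 dave@example.com OK
2021-02-01T10:00:05Z 203.0.113.7 erin@example.com FAIL
2021-02-01T10:00:06Z 203.0.113.7 frank@example.com FAIL
2021-02-01T10:00:30Z 198.51.100.4 alice@example.com FAIL
2021-02-01T10:00:35Z 198.51.100.4 alice@example.com FAIL
2021-02-01T10:00:40Z 198.51.100.4 alice@example.com OK
2021-02-01T10:05:00Z 192.0.2.9 grace@example.com OK
"""


@dataclass(frozen=True)
class Attempt:
    ts: datetime
    src: str
    user: str
    ok: bool


def parse_log(text):
    """Parse the whitespace-separated log format used above into Attempt records."""
    attempts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, result = line.split()
        attempts.append(
            Attempt(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, user, result == "OK")
        )
    return attempts


def detect_stuffing(attempts, window=timedelta(seconds=60), min_users=5, min_fail_ratio=0.7):
    """Flag source IPs that try many *distinct* usernames within `window`, mostly failing.

    Distinct-username breadth is what separates credential stuffing from a
    brute-force attack on a single account (many attempts, one username).
    Returns {src_ip: {"distinct_users": int, "accounts_to_reset": [usernames]}}.
    Thresholds are illustrative assumptions, not values from the article.
    """
    by_src = defaultdict(list)
    for a in attempts:
        by_src[a.src].append(a)

    alerts = {}
    for src, items in by_src.items():
        items.sort(key=lambda a: a.ts)
        start = 0
        tried, hit = set(), set()
        for end, cur in enumerate(items):
            # Slide the window start forward so it spans at most `window`.
            while cur.ts - items[start].ts > window:
                start += 1
            win = items[start:end + 1]
            users = {a.user for a in win}
            fail_ratio = sum(not a.ok for a in win) / len(win)
            if len(users) >= min_users and fail_ratio >= min_fail_ratio:
                tried |= users
                # Any success inside a flagged window is a likely compromised
                # (reused) credential: the account goes on the forced-reset list.
                hit |= {a.user for a in win if a.ok}
        if tried:
            alerts[src] = {"distinct_users": len(tried), "accounts_to_reset": sorted(hit)}
    return alerts


if __name__ == "__main__":
    for src, info in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(src, info)
```

On the sample log only 203.0.113.7 is flagged (six usernames in five seconds, one success), so dave@example.com is the account to reset; 198.51.100.4 hammers a single account and is a different signal, and 192.0.2.9 is an ordinary login. A per-IP window like this catches the noisy case; campaigns spread across many source addresses need an aggregate view as well, such as the site-wide rate of failed logins against distinct usernames, and the password reset only helps if users stop reusing the credential elsewhere.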

– Tara Seals | February 4, 2021