A hacking group managed to gain unauthorized access to 350,000 Spotify accounts on the music streaming service. To do so, they used login credentials that had been stolen in other data breaches and, of course, enough patience on their part.
The attack succeeded largely because the holders of those Spotify accounts had reused passwords from their other accounts. All the hackers had to do was try those username and password combinations on Spotify, a technique known as credential stuffing.
The hackers, however, made a mistake: they exposed their own activity by storing the files in an insecure cloud database. This meant that anyone with a web browser could see the data, with no password required.
Security researchers Ran Locar and Noam Rotem found the exposed files as part of a project that scans the Internet for unsecured data. They published their findings on the security website vpnMentor on Monday.
Locar and Rotem cannot be sure that the data was not discovered by someone else, as many people scan the internet for exposed data.
What users need to remember is that they should not reuse their passwords.
Stolen Spotify accounts could be rented to other users at a discount. They could also be used for "streaming manipulation", which, as Rolling Stone reported in 2019, is a major concern in the recording industry. The practice involves using accounts on music streaming services to inflate the play numbers for a song, for anyone willing to pay for such a service.
Spotify has reset the passwords of the affected users, ending the usefulness of the stolen data. The company advises its customers never to reuse passwords and offers further tips for protecting their account security on its website.
Locar and Rotem also found files of IP addresses, which they believe may belong to proxy servers the criminals used to disguise their location while carrying out their activity. These details, together with the details of the exposed accounts, could help Spotify detect activity coming from the criminal ring.
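The two points above, that credential stuffing tries many stolen username and password pairs and that the attackers' source IP addresses are what lets a service spot it, can be turned into a simple detection. The following is an added example, not code from Spotify or the vpnMentor researchers; the log format and the sample log lines are constructed, and the thresholds are assumptions a defender would tune to their own traffic.

```python
from collections import defaultdict

# Constructed sample authentication log (not real Spotify data):
# timestamp, source IP, username, outcome. 203.0.113.5 tries many different
# accounts with a low success rate (stuffing pattern); 198.51.100.7 is one user
# mistyping their own password and finally succeeding.
SAMPLE_LOG = """\
2020-11-23T10:00:01 203.0.113.5 alice@example.com FAIL
2020-11-23T10:00:02 203.0.113.5 bob@example.com FAIL
2020-11-23T10:00:02 203.0.113.5 carol@example.com OK
2020-11-23T10:00:03 203.0.113.5 dave@example.com FAIL
2020-11-23T10:00:04 203.0.113.5 erin@example.com FAIL
2020-11-23T10:00:05 203.0.113.5 frank@example.com OK
2020-11-23T10:01:00 198.51.100.7 alice@example.com FAIL
2020-11-23T10:01:09 198.51.100.7 alice@example.com FAIL
2020-11-23T10:01:20 198.51.100.7 alice@example.com OK
"""


def parse_auth_log(text):
    """Parse whitespace-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append({"ts": ts, "ip": ip, "user": user, "ok": outcome == "OK"})
    return events


def find_stuffing_sources(events, min_users=5, max_success_ratio=0.5):
    """Flag source IPs that look like credential stuffing: many *distinct*
    usernames from one address with mostly failed attempts. A legitimate user
    retrying their own account hits a single username, so it is not flagged.
    For each flagged IP, also report the accounts where a login succeeded,
    since those are the candidates for a forced password reset."""
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0,
                                  "ok": 0, "ok_users": set()})
    for e in events:
        s = per_ip[e["ip"]]
        s["users"].add(e["user"])
        s["attempts"] += 1
        if e["ok"]:
            s["ok"] += 1
            s["ok_users"].add(e["user"])
    flagged = {}
    for ip, s in per_ip.items():
        if len(s["users"]) >= min_users and s["ok"] / s["attempts"] <= max_success_ratio:
            flagged[ip] = {"distinct_users": len(s["users"]),
                           "compromised": sorted(s["ok_users"])}
    return flagged
```

Attackers rotating through proxies, as the article describes, spread attempts across many addresses, so in practice the same grouping is also run per ASN or per failed-username count across the whole service, not per IP alone.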