The research team at vpnMentor have discovered an open Elasticsearch database that contains over 380 million individual records, including login credentials and other user data, actively being validated against Spotify accounts.
The database contains more than 72 GB of data, including usernames and passwords of accounts verified on Spotify as well as email addresses and countries of residence.
According to the firm, the exposed database belonged to a third party that was using it to store Spotify login credentials. These credentials were most likely obtained illegally or leaked from other sources.
They also confirmed that the database belonged to a group or individual using it to defraud Spotify and its users.
In response, Spotify initiated a rolling password reset to render the information in the database largely useless. The attacks affected between 300,000 and 350,000 music-streamers, which amounts to a small fraction of the company’s user base of 299 million monthly active users.
However, the origin of the database and how the fraudsters were targeting Spotify are still not known. It is believed that the hackers were using login credentials stolen from another platform, app or website and trying them against Spotify accounts.
The exposed database could also be used for more than credential-stuffing attacks on Spotify. The hackers could use the exposed PII to identify Spotify users through their social media accounts, and more.
The emails and names exposed in the leak can be used to identify users across other platforms and social media accounts. Using this information, they could build detailed profiles of users worldwide and target them for several forms of financial fraud and identity theft.
Hackers run credential-stuffing attacks to check the validity of these credentials against multiple services.
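From the defender's side, a credential-stuffing run has a recognisable shape in authentication logs: one source trying many distinct accounts with mostly failures, and the few successes are the accounts a rolling password reset should prioritise. The following is an added example (not part of the original article and not Spotify's tooling) that flags that pattern over a constructed sample log; the log format, thresholds and function names are assumptions.

```python
"""Flag credential-stuffing sources in authentication logs.

Credential stuffing replays leaked username/password pairs against a
login endpoint. Seen from the defender's side, the signature is a single
source address hitting many distinct accounts with a low success ratio.
Sample log lines below are constructed, not real data.
"""
from collections import defaultdict

# Constructed sample events in an assumed "ip user OUTCOME" format.
SAMPLE_LOG = [
    "203.0.113.7 alice@example.com FAIL",
    "203.0.113.7 bob@example.com FAIL",
    "203.0.113.7 carol@example.com OK",
    "203.0.113.7 dave@example.com FAIL",
    "203.0.113.7 erin@example.com FAIL",
    "203.0.113.7 frank@example.com FAIL",
    "198.51.100.2 alice@example.com FAIL",   # one user retrying a forgotten
    "198.51.100.2 alice@example.com FAIL",   # password: not stuffing
    "198.51.100.2 alice@example.com OK",
]


def parse(lines):
    """Yield (ip, user, ok) tuples from 'ip user OUTCOME' lines."""
    for line in lines:
        ip, user, outcome = line.split()
        yield ip, user, outcome == "OK"


def find_stuffing_sources(lines, min_users=5, max_success_ratio=0.3):
    """Return {ip: sorted usernames that logged in OK} for every source
    that tried at least `min_users` distinct accounts and succeeded on at
    most `max_success_ratio` of its attempts. The OK accounts are the
    likely takeovers to reset first; thresholds are illustrative."""
    attempts = defaultdict(list)
    for ip, user, ok in parse(lines):
        attempts[ip].append((user, ok))
    flagged = {}
    for ip, events in attempts.items():
        distinct_users = {user for user, _ in events}
        successes = sum(1 for _, ok in events if ok)
        ratio = successes / len(events)
        if len(distinct_users) >= min_users and ratio <= max_success_ratio:
            flagged[ip] = sorted(user for user, ok in events if ok)
    return flagged


if __name__ == "__main__":
    print(find_stuffing_sources(SAMPLE_LOG))  # {'203.0.113.7': ['carol@example.com']}
```

Per-source counting is the minimum; real campaigns rotate through proxies, so the same logic is usually also applied per user-agent or per ASN, and a sudden rise in distinct usernames site-wide is a complementary signal.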
So any user who has reused their Spotify password on other accounts is advised to change it as soon as possible.