Security researchers have found an unprotected database on the Internet where criminals have collected the credentials of over 300.000 Spotify users. The database does not appear to be from Spotify itself and is used for credential stuffing.

The two researchers Noam Rotem and Ran Locar work for the virtual private network website VPN Mentor. They found the verified credentials of over 300.000 Spotify users on July 3, 2020 – in an unprotected Elasticsearch database.

Elasticsearch is an open source search engine that searches and indexes documents of various formats. According to VPN Mentor, the perpetrators there have kept their own, approximately 72 gigabyte database with 380 million entries open on the net.

In a blog entry, the researchers explain that the database is not from Spotify itself. The criminals had collected the data with so-called credential stuffing and created the list.

What is Credential Stuffing?

Credential stuffing is a method by which attackers use stolen credentials to attempt to log into other services.

The perpetrators can use the stolen Spotify credentials to attempt to log in to social networks or other paid streaming services such as Netflix. E-mail accounts and bank accounts are equally interesting.

They are speculating that users will use the same login credentials for multiple services, with the goal of making a profit from the hacked data.

How does Credential Stuffing work?

Attackers need four components to use credential stuffing:

  • stolen login data
  • popular online services they want to attack
  • a technique to use different IP addresses as senders
  • a computer program that automatically attempts to log in to the online services

The computer programs try to log in to one service after another with the stolen login data. The sender’s IP address is changed repeatedly to prevent the target server from blocking the login attempts.

If the number of failed login attempts becomes too high, any well-configured server will block the IP address. Once a login is successful, the computer program retrieves the above data and stores it for later use, such as phishing attacks.

What else can attackers do with the stolen data?

Credential stuffing is a very successful attack method because many Internet users use the same login data for different platforms and services.

Attackers could also use the Spotify credentials to send fake invoices or install malicious software.

In addition, the database could have been discovered and misused by third parties because it was found unprotected on the network. VPN Mentor reported the case to Spotify on July 9, 2020, six days after its discovery and has now brought it to public attention.

Spotify has already contacted affected users and asked them to change their login information.

How can I prevent credential stuffing?

Credential stuffing only works so well because many users use the same passwords over and over again. In addition, the Hasso Plattner Institute (HPI) published the most popular passwords of the Germans in 2019 – and they were frighteningly simple.

Passwords like “123456” are of course very easy to crack. If users then use them for several accounts, there’s not much more to prevent a credential stuffing attack.

It is therefore important to always use different access data for different platforms. The passwords can be collected – if absolutely necessary – in a small booklet or managed digitally with a password manager app.

This way you protect yourself from credential stuffing. For additional security, you can also enable two-factor authentication if it is available.