Up to 350,000 Spotify Users Targeted by Credential Stuffers
Spotify users have been targeted by credential stuffers in a massive attack campaign discovered by a team at vpnMentor on July 3. According to vpnMentor, the database contained hundreds of millions of user records and was hosted on a completely unsecured Elasticsearch server. The database contained 72GB of information, including email addresses, usernames, passwords, countries of residence, and other personal information. Although there were roughly 380 million records, Spotify claims that only 300,000 – 350,000 users were directly affected.
The exposed database belonged to a third party who was using it to store stolen login credentials, likely obtained illegally or leaked from other sources. The third party, which remains unknown, was repurposing the data for credential stuffing attacks against Spotify. Spotify initiated a password reset for all affected users in an attempt to mitigate the risk before a serious cybersecurity incident occurred.