According to vpnMentor’s research team, a possible credential stuffing operation of unknown origin could have affected over 300k Spotify accounts.
Criminal hackers have been attempting to gain access to Spotify accounts using a database of 380 million records containing login credentials and personal information collected from various sources.
“We unearthed an Elasticsearch database containing over 380 million records, including login credentials and other user data being validated against the Spotify service”, they reported.
“The origins of the database and how the fraudsters were targeting Spotify are both unknown. The hackers were possibly using login credentials stolen from another platform, app, or website and using them to access Spotify accounts”.
The Database
The incident didn’t originate from Spotify. The exposed database belonged to a third party that was using it to store Spotify login credentials. These credentials were most likely obtained illegally or leaked from other sources and then repurposed for credential stuffing attacks against Spotify.
Early in their investigation, the researchers contacted Spotify to present their initial findings. Together, they concluded that whoever owned the database had probably obtained the login credentials from an external site and used them on Spotify accounts.
A common technique for breaking into accounts is the credential stuffing attack: threat actors take the large collections of username/password combinations leaked in previous security breaches and replay them against user accounts on other online platforms, which succeeds wherever a user has reused the same password.
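Credential stuffing leaves a recognisable trace in a service’s own authentication logs: one source trying many different usernames, each roughly once, with a high failure rate. The following detector, added here as an illustration and not taken from the vpnMentor report or from Spotify, runs that heuristic over a few constructed log lines; the log format, the thresholds (five distinct usernames in five minutes, success rate at or below 50%) and the IP addresses are all assumptions made for the example.

```python
# Added example (not from the vpnMentor report or the article): a simple
# credential-stuffing detector run over constructed authentication log lines.
# Credential stuffing shows up as one source trying many *different* usernames,
# each usually once, with a high failure rate, unlike a brute-force attack on
# one account or a user mistyping their own password.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: "<ISO timestamp> <source IP> <username> <result>"
SAMPLE_LOG = """\
2020-11-23T10:00:01Z 203.0.113.7 alice@example.com FAIL
2020-11-23T10:00:02Z 203.0.113.7 bob@example.com FAIL
2020-11-23T10:00:02Z 203.0.113.7 carol@example.com FAIL
2020-11-23T10:00:03Z 203.0.113.7 dave@example.com OK
2020-11-23T10:00:04Z 203.0.113.7 erin@example.com FAIL
2020-11-23T10:00:05Z 203.0.113.7 frank@example.com FAIL
2020-11-23T10:00:10Z 198.51.100.4 grace@example.com FAIL
2020-11-23T10:00:12Z 198.51.100.4 grace@example.com FAIL
2020-11-23T10:00:15Z 198.51.100.4 grace@example.com OK
2020-11-23T10:05:00Z 192.0.2.9 heidi@example.com OK
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, source IP, user, result)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result


def find_credential_stuffing(log_text, window=timedelta(minutes=5),
                             min_users=5, max_success_rate=0.5):
    """Return {source_ip: stats} for every source that tried at least
    `min_users` distinct usernames inside `window` with a success rate at or
    below `max_success_rate`. The thresholds are assumptions for the example;
    tune them to the service's normal login behaviour."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, result = parse_line(line)
            events[ip].append((ts, user, result))

    suspects = {}
    for ip, attempts in events.items():
        attempts.sort()
        start = 0
        # Sliding time window over this source's attempts, oldest first.
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            window_attempts = attempts[start:end + 1]
            users = {u for _, u, _ in window_attempts}
            successes = sum(1 for _, _, r in window_attempts if r == "OK")
            rate = successes / len(window_attempts)
            if len(users) >= min_users and rate <= max_success_rate:
                prev = suspects.get(ip)
                # Keep the window with the most distinct usernames for this source.
                if prev is None or len(users) > prev["distinct_users"]:
                    suspects[ip] = {"distinct_users": len(users),
                                    "attempts": len(window_attempts),
                                    "success_rate": round(rate, 2)}
    return suspects


if __name__ == "__main__":
    for ip, stats in find_credential_stuffing(SAMPLE_LOG).items():
        print(f"possible credential stuffing from {ip}: {stats}")
```

In the sample, 203.0.113.7 cycles through six different accounts in five seconds and is flagged, while 198.51.100.4 (one user retrying their own password) is not: counting distinct usernames per source, rather than raw failures, is what separates stuffing from ordinary failed logins. Real deployments should also key on other stable attributes (user agent, ASN, device fingerprint), since stuffing tools spread requests across proxies.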
What was leaked
Examples of Data Exposed
Many of the database records contained information about potential Spotify users, including Personally Identifiable Information (PII) and Spotify login credentials.
This included:
- Account usernames and passwords verified on Spotify
- Email addresses
- Countries of residence
There were also numerous server IP addresses exposed in the leak. However, these were most likely from proxy servers belonging to the operators of the network on which the database was hosted.
The vpnMentor research team discovered the database as part of a large web mapping project. The researchers use port scanning to examine particular IP blocks and test the systems they find for weaknesses or vulnerabilities, then examine each weakness for any data being leaked.
“Our team was able to access this database because it was completely unsecured and unencrypted”.
The fraudsters were using an Elasticsearch database, which is ordinarily not designed for URL use. However, we were able to access it via a browser and manipulate the URL search criteria into exposing schemata from a single index at any time.
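The exposure described above is the classic Elasticsearch misconfiguration: the HTTP API bound to a public interface with no authentication and no TLS, so anyone who reaches the port can read every index. The following audit script is an added example, not code from vpnMentor or from the database’s operators. It parses a minimal `elasticsearch.yml`, flags that combination, and shows the weak configuration beside a corrected one. The setting names (`network.host`, `http.port`, `xpack.security.enabled`, `xpack.security.http.ssl.enabled`) are real Elasticsearch keys; both sample files are constructed, and the parser assumes a flat file with no nesting, lists or quoting.

```python
# Added example (not from vpnMentor or the article): audit a minimal
# elasticsearch.yml for the exposure pattern the report describes, an HTTP API
# reachable from outside the host with authentication and TLS disabled.

# Constructed weak configuration: bound to every interface, security left at
# the Elasticsearch 7.x default (disabled). This is how a database ends up
# readable from a browser.
EXPOSED_CONFIG = """\
cluster.name: example-cluster
network.host: 0.0.0.0
http.port: 9200
"""

# Constructed corrected configuration: loopback only, authentication on,
# TLS on for the HTTP API.
HARDENED_CONFIG = """\
cluster.name: example-cluster
network.host: 127.0.0.1
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

LOOPBACK_VALUES = {"_local_", "127.0.0.1", "localhost", "::1"}


def parse_simple_yaml(text):
    """Parse flat 'key: value' lines (enough for these settings; assumes no
    nesting, lists or quoting). Comments and blank lines are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip()
    return settings


def is_true(value):
    return str(value).strip().lower() == "true"


def audit_elasticsearch_config(text):
    """Return a list of findings for the given config text; empty means the
    checked settings look safe."""
    s = parse_simple_yaml(text)
    findings = []
    # Elasticsearch binds to loopback ("_local_") when network.host is unset.
    host = s.get("network.host", "_local_")
    bound_externally = host not in LOOPBACK_VALUES
    # In Elasticsearch 7.x the security module is off unless enabled
    # explicitly, so a missing key is treated as disabled (8.x turned it on
    # by default, but auditing the file rather than the version is safer).
    security_on = is_true(s.get("xpack.security.enabled", "false"))
    tls_on = is_true(s.get("xpack.security.http.ssl.enabled", "false"))
    port = s.get("http.port", "9200")
    if bound_externally and not security_on:
        findings.append(f"HTTP API bound to {host} with authentication disabled: "
                        f"anyone who can reach port {port} can read every index")
    if bound_externally and not tls_on:
        findings.append(f"HTTP API on {host}:{port} served without TLS: "
                        "credentials and data cross the network in clear")
    return findings


if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_elasticsearch_config(cfg) or ['no findings']}")
```

The audit deliberately treats an absent `xpack.security.enabled` as a finding rather than assuming the newer default, because the file alone does not say which version will read it. Binding to loopback and putting the API behind an authenticating proxy or firewall would also have closed the hole the researchers walked through.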