Spotify: over 300,000 accounts of the music streaming service hacked and compromised
Source: HW Upgrade added 24th Nov 2020
Several hackers used the credentials present in a huge online database to attempt to log into the Spotify accounts of unsuspecting users. The procedure reportedly succeeded on approximately 300 thousand accounts of the music streaming service.
by Nino Grasso, published 24 November 2020 at 12:11 in the Audio Video channel
Several hackers reportedly obtained access to over 300 thousand Spotify accounts using a database of 380 million records containing login credentials and personal information collected from various sources. For years, users have complained that their Spotify accounts were hacked and their passwords changed, that strangers were added to their family plans, or that their playlists changed without any interaction or permission. VPNMentor now writes that it has discovered the methods used by the hackers.
In the new report the source describes in detail the methods used by cybercriminals to access hundreds of thousands of accounts using the database mentioned above, which was publicly available online and contained hundreds of millions of entries with user login credentials and other data. The database has been actively used to hack accounts for some time, and the source describes some of the methods attackers used to break through the defenses of the music streaming service.
A database of 380 million entries used to hack Spotify accounts
One of the most commonly used attacks for taking over accounts is so-called “credential stuffing”, in which threat actors make use of large collections of data leaked in previous security breaches on other online platforms. In some cases these collections contain the username and password combinations used on other services, and users often, wrongly, use the same credentials to access different online services.
In this way, using credentials stolen from a service “x” (which may since have been secured with a password change), the hacker can access a service “y” with the same data simply by trying the credentials from the first service on the second. Each database record described by VPNMentor contains a username (or specifically an email address), a password, and an entry indicating the chances of success if used to log in to Spotify.
It is not yet known how the 300 million entries of the database were collected, but it is likely to be a collection of several previous breaches released on the web for free. Researchers believe the records listed in the database allowed attackers to breach from 300 thousand to 350 thousand Spotify accounts. VPNMentor also contacted Spotify on July 9 regarding the exposed database and received a reply the same day.
According to VPNMentor, Spotify initiated a “rolling reset” of passwords for all users involved, so the information in the database should now be out of date and ineffective. The company also reset passwords on all compromised accounts, but is expected to introduce more secure access modes to make these types of attacks much less effective. For example, Spotify does not yet support multi-factor authentication, even though many of its users have been requesting it for a long time.