Spotify: Password resets due to over 300,000 publicly available credentials
Source: Heise.de, added 24th Nov 2020
Security researchers from vpnMentor discovered an unsecured Elasticsearch database at the beginning of July this year that contained login credentials and other data belonging to 300,000 to 350,000 users of the audio streaming service Spotify. The Spotify team responded promptly after being contacted on July 9th, and between July 10th and July 21st a forced password change was carried out for all affected accounts.
The immediate risk of account takeover was thus addressed promptly. In view of the details that have now been published in a blog entry, further precautionary measures appear advisable. At the same time, the incident shows that using one and the same password for multiple accounts is a bad idea.
“Credential stuffing” instead of a data leak at Spotify
In the blog entry at vpnMentor, the researchers emphasize that the records they discovered were not the result of a leak at Spotify. Rather, the data probably came from one or more other, unknown sources and was presumably tried out against Spotify, specifically and automatically, in the course of so-called credential stuffing attacks.
The end result is a database of working Spotify credentials, which, according to the researchers' own statement, they were able to validate. In addition to combinations of e-mail addresses, user names and passwords, the records reportedly also included information on the user’s place of residence / country. The blog entry does not say whether the data was actually used to access individual Spotify accounts. It is also unclear whether other criminals could have tapped the data source, or for how long it was accessible.
Never use a password more than once
That the criminals behind the database were able to compile such a large number of credentials is to a large extent also due to the common practice among many users of “recycling” user names and, above all, passwords, or even using the same ones for several services in parallel. At Spotify, credential stuffing is made easier by the fact that either an e-mail address or a user name can be entered when signing in. Two-factor authentication options are not offered.
If you were asked by Spotify to change your password in July, you should now make sure that you also change the passwords of any other accounts on which you reused it. Increased vigilance against phishing attacks based on the leaked data is also advisable. But even users who are not affected by the incident are well advised to take a critical look at the passwords they use and, if necessary, to replace them with better ones (each used only once!).
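The pattern the article describes, a list of credentials from elsewhere replayed automatically against a login endpoint, leaves a recognisable trace in authentication logs: one source address trying many different accounts in a short time, most attempts failing, and the few successes being exactly the accounts a service would then force to reset, as Spotify did. The following is an added example from the editor, not code from Spotify, vpnMentor or Heise; the log format (`<timestamp> <source-ip> <username> <FAIL|SUCCESS>`) and the sample lines are constructed, and the thresholds are assumptions to be tuned per service.

```python
"""Flag credential-stuffing sources in authentication logs and list the
accounts that were successfully logged into from such sources.

Added illustration (not Spotify's, vpnMentor's or Heise's code). The log
line format is a hypothetical one: '<iso-time> <src_ip> <username> <result>'.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.7 replays credentials for many different
# accounts (two of them work); 198.51.100.4 is one user mistyping their own
# password twice before getting it right, which must not be flagged.
SAMPLE_LOG = """\
2020-07-09T10:00:01Z 203.0.113.7 alice@example.com FAIL
2020-07-09T10:00:02Z 203.0.113.7 bob@example.com FAIL
2020-07-09T10:00:02Z 203.0.113.7 carol@example.com SUCCESS
2020-07-09T10:00:03Z 203.0.113.7 dave@example.com FAIL
2020-07-09T10:00:03Z 203.0.113.7 erin FAIL
2020-07-09T10:00:04Z 203.0.113.7 frank@example.com FAIL
2020-07-09T10:00:05Z 203.0.113.7 grace@example.com SUCCESS
2020-07-09T10:02:00Z 198.51.100.4 heidi@example.com FAIL
2020-07-09T10:02:10Z 198.51.100.4 heidi@example.com FAIL
2020-07-09T10:02:30Z 198.51.100.4 heidi@example.com SUCCESS
"""


@dataclass
class Attempt:
    ts: datetime
    src_ip: str
    user: str       # e-mail or user name, normalised to lower case
    success: bool


def parse_log(text):
    """Parse the hypothetical log format into Attempt records."""
    attempts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        attempts.append(Attempt(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                                ip, user.lower(), result == "SUCCESS"))
    return attempts


def find_stuffing_sources(attempts, window=timedelta(minutes=5),
                          min_users=5, max_success_rate=0.5):
    """Return {src_ip: {"users": n, "attempts": n, "hits": [...]}} for every
    source that, within any `window`, tries at least `min_users` distinct
    accounts with a success rate of at most `max_success_rate`. "hits" lists
    the accounts that were successfully logged into from that source: these
    are the accounts to force-reset and notify (assumed thresholds)."""
    by_ip = defaultdict(list)
    for a in attempts:
        by_ip[a.src_ip].append(a)

    flagged = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda a: a.ts)
        start = 0
        # Sliding time window over this source's attempts.
        for end in range(len(events)):
            while events[end].ts - events[start].ts > window:
                start += 1
            win = events[start:end + 1]
            users = {a.user for a in win}
            hits = sorted({a.user for a in win if a.success})
            success_rate = len(hits) / len(win)
            if len(users) >= min_users and success_rate <= max_success_rate:
                # Keep the window with the most distinct accounts.
                if ip not in flagged or len(users) > flagged[ip]["users"]:
                    flagged[ip] = {"users": len(users), "attempts": len(win),
                                   "hits": hits}
    return flagged


def accounts_to_reset(flagged):
    """Deduplicated, sorted list of accounts successfully accessed from any
    flagged source."""
    return sorted({u for info in flagged.values() for u in info["hits"]})


if __name__ == "__main__":
    result = find_stuffing_sources(parse_log(SAMPLE_LOG))
    for ip, info in result.items():
        print(f"{ip}: {info['users']} accounts tried, "
              f"{info['attempts']} attempts, hits={info['hits']}")
    print("force password reset for:", accounts_to_reset(result))
```

The success-rate bound is what separates a stuffing run from a busy NAT gateway: a campus address may also log many distinct users in five minutes, but almost all of them succeed. The same per-source view also makes the article's point about accepting either e-mail or user name at sign-in visible in practice, since both identifier kinds show up in the same attacker stream and are counted together.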
(ovw)
media: Heise.de keywords: Audio Spotify