Spotify: Password resets due to over 300,000 publicly available credentials


At the beginning of July this year, security researchers at vpnMentor discovered an unsecured Elasticsearch database that contained access and other data from 300,000 to 350,000 users of the audio streaming service Spotify. The Spotify team reacted promptly to the contact on July 9th and made a forced password change for all affected accounts between July 10th and 21st.

The immediate danger of unauthorized account access was thus averted in a timely manner. In view of the details that have now been published in a blog entry, however, further precautionary measures appear advisable. At the same time, the incident shows once again that using one and the same password for multiple accounts is a bad idea.

In the blog entry at vpnMentor, the researchers emphasize that the discovered data sets were not a leak caused by Spotify. Rather, the data probably came from one or more other, unknown sources and was presumably tried out against Spotify in a targeted and automated manner in the course of so-called credential stuffing attacks.

The result was ultimately a database of working Spotify credentials, which the researchers said they were able to validate. In addition to combinations of e-mail addresses, user names and passwords, the data records also included information on the user's place of residence / country. The blog entry does not say whether the data was actually used to access individual Spotify accounts. It is also unclear whether other criminals could have tapped the data source, or for how long it was accessible.

That the criminal authors of the database were able to compile such a large number of credentials is largely due to the common practice of many users of "recycling" user names and, above all, passwords, or even using the same ones for several services in parallel. At Spotify, credential stuffing is made easier by the fact that either an e-mail address or a user name can be entered at login. Two-factor authentication options are not offered.
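Credential stuffing leaves a characteristic trace in authentication logs: one source tries many different user names in a short time, with mostly failures and a few successes, whereas classic password guessing hammers a single account. The following Python example, added here and not taken from the article, vpnMentor or Spotify, runs a simple sliding-window detector over a few constructed log lines (the addresses, user names, log format and thresholds are all assumptions) and lists the accounts that logged in successfully during a stuffing burst, i.e. the ones whose reused password demonstrably works and should be force-reset, as Spotify did in July.

```python
"""Detect credential-stuffing patterns in a simple authentication log.

Credential stuffing replays username/password pairs leaked elsewhere, so it
shows up as many *distinct* user names from one source with mostly failures.
Password guessing, by contrast, is many attempts against *one* user name.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real data). Format: "timestamp ip user result".
SAMPLE_LOG = """\
2020-07-01T10:00:01 203.0.113.7 alice@example.com FAIL
2020-07-01T10:00:02 203.0.113.7 bob@example.com FAIL
2020-07-01T10:00:02 203.0.113.7 carol@example.com OK
2020-07-01T10:00:03 203.0.113.7 dave@example.com FAIL
2020-07-01T10:00:03 203.0.113.7 erin@example.com FAIL
2020-07-01T10:00:04 203.0.113.7 frank@example.com FAIL
2020-07-01T10:00:05 203.0.113.7 grace@example.com OK
2020-07-01T10:05:00 198.51.100.9 heidi@example.com FAIL
2020-07-01T10:05:01 198.51.100.9 heidi@example.com FAIL
2020-07-01T10:05:02 198.51.100.9 heidi@example.com FAIL
2020-07-01T10:05:03 198.51.100.9 heidi@example.com OK
2020-07-01T11:00:00 192.0.2.44 ivan@example.com OK
"""


def parse_log(text):
    """Parse log lines into (timestamp, ip, user, success) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user.lower(), result == "OK"))
    events.sort(key=lambda e: e[0])
    return events


def detect_attacks(events, window=timedelta(minutes=5), min_attempts=4, min_distinct_users=4):
    """Flag source IPs with bursts of logins; classify by how many user names they touch.

    Thresholds are assumptions for the sample; tune them to real traffic.
    Returns {ip: {"kind", "attempts", "distinct_users", "compromised"}}.
    """
    recent = defaultdict(deque)  # per-IP sliding window of (ts, user, success)
    alerts = {}
    for ts, ip, user, ok in events:
        q = recent[ip]
        q.append((ts, user, ok))
        while q and ts - q[0][0] > window:  # drop attempts older than the window
            q.popleft()
        if len(q) < min_attempts:
            continue
        users = {u for _, u, _ in q}
        kind = "credential_stuffing" if len(users) >= min_distinct_users else "password_guessing"
        hits = {u for _, u, o in q if o}  # accounts that logged in during the burst
        alert = alerts.setdefault(
            ip, {"kind": kind, "attempts": 0, "distinct_users": 0, "compromised": set()}
        )
        alert["kind"] = kind
        alert["attempts"] = max(alert["attempts"], len(q))
        alert["distinct_users"] = max(alert["distinct_users"], len(users))
        alert["compromised"].update(hits)
    return alerts


def accounts_to_reset(alerts):
    """Accounts that succeeded inside a stuffing burst: their leaked password works here."""
    out = set()
    for alert in alerts.values():
        if alert["kind"] == "credential_stuffing":
            out.update(alert["compromised"])
    return sorted(out)


if __name__ == "__main__":
    found = detect_attacks(parse_log(SAMPLE_LOG))
    for ip, alert in found.items():
        print(ip, alert["kind"], "attempts:", alert["attempts"],
              "distinct users:", alert["distinct_users"])
    print("force password reset for:", accounts_to_reset(found))
```

In the sample, 203.0.113.7 cycles through seven different addresses within a few seconds and is classified as credential stuffing, while 198.51.100.9 repeatedly tries one account and is classified as password guessing; only the two accounts that succeeded during the stuffing burst end up on the reset list. Note the limitation the article itself points at: a login form that accepts either e-mail address or user name gives the attacker two identifiers per leaked record to try, so a production detector should normalize both to the account they resolve to before counting distinct users.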

If Spotify asked you to change your password in July, you should now make sure that you also change that password wherever you reused it for other accounts. Increased vigilance against phishing attacks based on the leaked data is also advisable. But users who are not affected by the incident are also well advised to take a critical look at the passwords they are using and, if necessary, to replace them with stronger ones (each used only once!).
