Personal and login details of more than 350,000 Spotify users were discovered in a large 72GB database of more than 38 million records, according to the company vpnMentor.
Users who reuse their passwords across digital platforms are the target of cybercriminals using the technique known as "credential stuffing".
Researchers at the company found the information on an Elasticsearch server, where it was unencrypted and open for anyone to access. The cybercriminals who obtained it may have failed to protect the information.
It is assumed that the data was obtained through a technique called "credential stuffing". It consists of taking email addresses and passwords from other platforms, applications, or websites that have already been exposed on the internet and trying them until the hackers find the ones that match a login on Spotify.
While it may seem like a tedious task for hackers, it isn't that difficult, as many users repeat or "reuse" the same password for different online services. For this reason, it is always recommended to change passwords regularly and not to use the same password on different online platforms, as the disclosure of one would also put the rest of the services at risk.
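From the service's side, this pattern is visible in login logs: one source tries many different accounts in a short time and almost all attempts fail. The sketch below is an added example, not code from vpnMentor or Spotify; the event data is constructed and the window and thresholds are assumed values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def sample_events():
    """Constructed login events: (timestamp, source IP, username, success)."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    events = []
    # One source trying 12 different accounts in a minute; one leaked pair works.
    for i in range(12):
        events.append((t0 + timedelta(seconds=5 * i), "203.0.113.7",
                       f"user{i:02d}@example.com", i == 7))
    # Shared office NAT: 10 different users, all with correct passwords.
    for i in range(10):
        events.append((t0 + timedelta(seconds=20 * i), "192.0.2.10",
                       f"staff{i:02d}@example.com", True))
    # One person mistyping their own password twice.
    for i, ok in enumerate([False, False, True]):
        events.append((t0 + timedelta(seconds=10 * i), "198.51.100.20",
                       "alice@example.com", ok))
    return events

def flag_stuffing_sources(events, window=timedelta(minutes=5),
                          min_accounts=10, min_fail_ratio=0.8):
    """Flag IPs that hit many distinct accounts, mostly failing, inside one window."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, rows in by_ip.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1  # slide the window forward
            span = rows[start:end + 1]
            accounts = {user for _, user, _ in span}
            failures = sum(1 for _, _, ok in span if not ok)
            if len(accounts) >= min_accounts and failures / len(span) >= min_fail_ratio:
                flagged[ip] = {
                    "accounts": len(accounts),
                    "failures": failures,
                    # Successful logins here are reused passwords: reset them.
                    "needs_reset": sorted(u for _, u, ok in span if ok),
                }
    return flagged

if __name__ == "__main__":
    for ip, info in flag_stuffing_sources(sample_events()).items():
        print(ip, info)
```

The failure-ratio condition is what keeps the shared office address from being flagged even though it also touches ten accounts.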
The information collected from Spotify users includes usernames, account passwords, email addresses, and countries of residence. Multiple IP addresses were also found, but these are believed to come from the proxy servers of the network operator that hosts the data.
Spotify was informed of what happened and restored the accounts and sign-ins of affected users. Additionally, it emailed them asking them to change their credentials and recommended that they use a completely different password, different not just from the previous one but also from those they use on other digital platforms.
While it is difficult to ensure that a user is not repeating the same password across different accounts, Spotify has contacted its users by email, explaining what happened and recommending that they not repeat passwords.
For its part, vpnMentor has recommended that affected users log in to their accounts on other online services and change their passwords immediately, as the data will still be available. It also recommended using random key generators when creating a password, and password grading systems to determine its level of difficulty before using it for good.