Spotify suffered a credential-stuffing attack that used stolen credentials from some 100,000 user accounts, a security researcher discovered.
This is the second credential-stuffing attack to affect the music platform in the past couple of months. Last November, 300,000 accounts were affected when an Elasticsearch database containing more than 380 million records and login credentials was used to target Spotify accounts. It's believed this data was collected from previously breached platforms, researchers said at the time.
Security researcher Bob Diachenko says in the latest incident, the attackers tried to use a malicious Spotify logger database. He identified a database containing more than 100,000 account details, likely leaked from somewhere else, that attackers used to target Spotify user accounts.
The attack was reported to Spotify, which issued a password reset to affected users that rendered the public credentials invalid. The company says in a statement it also worked to have the fraudulent database taken down by its Internet service provider, and notes this attack was not linked to a breach in Spotify's security.
Users are advised to choose unique passwords for online services. In a blog post, security firm Bitdefender notes it doesn't matter much if users choose a complex password, if that password is reused across websites.
Read Bitdefender's blog post for more details.