Spotify Hit With Another Credential-Stuffing AttackSpotify Hit With Another Credential-Stuffing Attack
This marks the second credential-stuffing attack to hit the streaming platform in the last few months.
February 6, 2021
Spotify suffered a credential-stuffing attack that used stolen credentials from some 100,000 user accounts, a security researcher discovered.
This is the second credential-stuffing attack to affect the music platform in the past couple of months. Last November, 300,000 accounts were affected when an Elasticsearch database containing more than 380 million records and login credentials was used to target Spotify accounts. It's believed this data was collected from previously breached platforms, researchers said at the time.
Security researcher Bob Diachenko says in the latest incident, the attackers tried to use a malicious Spotify logger database. He identified a database containing more than 100,000 account details, likely leaked from somewhere else, that attackers used to target Spotify user accounts.
The attack was reported to Spotify, which issued a password reset to affected users that rendered the public credentials invalid. The company says in a statement it also worked to have the fraudulent database taken down by its Internet service provider, and notes this attack was not linked to a breach in Spotify's security.
Users are advised to choose unique passwords for online services. In a blog post, security firm Bitdefender notes it doesn't matter much if users choose a complex password, if that password is reused across websites.
Read Bitdefender's blog post for more details.
About the Author(s)
You May Also Like
Hacking Your Digital Identity: How Cybercriminals Can and Will Get Around Your Authentication MethodsOct 26, 2023
Modern Supply Chain Security: Integrated, Interconnected, and Context-DrivenNov 06, 2023
How to Combat the Latest Cloud Security ThreatsNov 06, 2023
Reducing Cyber Risk in Enterprise Email Systems: It's Not Just Spam and PhishingNov 01, 2023
SecOps & DevSecOps in the CloudNov 06, 2023
Passwords Are Passe: Next Gen Authentication Addresses Today's Threats
What Ransomware Groups Look for in Enterprise Victims
Concerns Mount Over Ransomware, Zero-Day Bugs, and AI-Enabled Malware
Everything You Need to Know About DNS Attacks
Securing the Remote Worker: How to Mitigate Off-Site Cyberattacks