Up to 350,000 Spotify accounts hacked in credential stuffing attacks

Up to 350,000 Spotify accounts hacked in credential stuffing attacks

This won’t be music to your ears – researchers spot an unsecured database replete with records used for an account hijacking spree



Researchers have found an unsecured internet-facing database containing over 380 million individual records, including login credentials that were leveraged for breaking into 300,000 to 350,000 Spotify accounts. The exposed records included a variety of sensitive information such as people’s usernames and passwords, email addresses, and countries of residence.


The treasure trove of data was stored on an unsecured Elasticsearch server that was uncovered by vpnMentor. Both the origin and owners of the database remain unknown. However, the researchers were able to validate the veracity of the data by contacting Spotify, which confirmed that the information had been used to defraud both the company and its users.


For context, credential stuffing is an automated account takeover attack during which cybercriminals leverage bots to hammer sites with login attempts using stolen access credentials from data breaches that occurred at other sites until they find the right combination of “old” access credentials and a new website and gain access. Usually applying some form of multi-factor authentication mitigates the chances of accounts being compromised, but Spotify doesn’t support the option.


The team contacted the Swedish audio streaming giant on July 9th and received an almost immediate response. Within a period of eleven days between July 10th and 21st, Spotify addressed the issue and deployed a rolling reset of passwords for all users affected by the issue.


“In this case, the incident didn’t originate from Spotify. The exposed database belonged to a 3rd party that was using it to store Spoti ..