Hackers hack 380 Million accounts of Spotify with the help of its Database. Spotify user credentials compiled by hackers found on unsecured database A database of Spotify Technology SA account details believed to have been compiled by hackers has been found on an unsecured database in a tale that combines not only hacking but also one of the most common forms of data exposure.

Hackers have been attempting to gain access to Spotify accounts using a database of 380 million records with login credentials and personal information collected from various sources.

Detailed today by researchers Noam Rotem and Ran Locar at vpnMentor, the 72-gigabyte database of 380 million records relating to an estimated 300,000 to 350,000 Spotify users was found on an unsecured Elasticsearch installation. The database included account usernames and passwords verified on Spotify, email addresses, and countries of residence.

For years, users have complained that their Spotify accounts were hacked after passwords were changed, new playlists would appear in their profiles, or their family accounts had strangers added from other countries.

Where the story takes a twist is that the database doesn’t belong to Spotify. The researchers, along with Spotify believe that the database was compiled by hackers possibly using login credentials stolen from another platform, app, or website that had been found to work on Spotify.

The process used here is known as credential stuffing. It involves hackers taking usernames and passwords stolen in one hack, then seeing if the credentials work on other sites and services given that users often reuse passwords across multiple sites.

The database was discovered on July 3. Spotify was contacted on July 9 with a response the same day. Between July 10 and July 21, Spotify initiated a “rolling reset” of passwords for all users affected meaning the database would be voided and become useless in terms of accessing Spotify accounts.

Although Spotify may have applied a forced password reset for users affected, the fact that the data in the database was likely stolen in another hack where users have reused credentials across multiple sites means that the affected users are still at risk of being hacked on other sites and services.


It is not known how the 300 million records were collected, but it is likely through data breaches or large “collections” of credentials that are commonly released by threat actors for free.The researchers believe that the 300 million records listed in the database allowed the attackers to breach 300,000 to 350,000 Spotify accounts.VPNMentor contacted Spotify on July 9th, 2020, about the exposed database and its threat to accounts and received a response on the same day.

“In response to our inquiry, Spotify initiated a ‘rolling reset’ of passwords for all users affected. As a result, the information on the database would be voided and become useless,” the researchers stated.

This may not be the first time account credentials from Spotify are known to have been compiled in this way. In 2016, hundreds of Spotify account records were posted to the website Pastebin with Spotify also saying that the credentials had not come from them.

“Hackers can profit enormously from credentials present in large database leaks such as these,” Ameet Naik, security evangelist at application protection firm PerimeterX Inc., told SiliconANGLE. “Since a large number of users reuse their passwords across multiple services, hackers run credential stuffing attacks to check the validity of these credentials against multiple services.”

These automated attacks, also known as Account Takeover, he added, are growing in size and scope, up 72% over the prior year. “Businesses need to protect their login pages from ATO attacks using bot management solutions,” he said. “Users must use strong, unique passwords on each service and use multi-factor authentication where possible.”Javvad Malik, security awareness advocate and security awareness training company KnowBe4 Inc., noted that the exposure illustrates that criminals don’t need sophisticated technical hacking abilities to compromise accounts, instead of taking advantage of lax security practices on behalf of users.

Leave a Reply

Your email address will not be published. Required fields are marked *