
Spotify Suffers Second Credential-Stuffing Cyberattack in 3 Months

Spotify, which has become a very popular online music streaming platform, is suffering a second credential-stuffing attack just three months after its previous one. The platform has reset the passwords of the affected customers.

Threat actors have gained access to the accounts of more than 100,000 subscribers of the music streaming service by taking advantage of people who use the same password on multiple online services. They simply build automated scripts that systematically take over many online accounts using stolen IDs and passwords.
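As an added illustration (not part of the original post) of how a defender spots the pattern described above, this Python snippet flags log sources that hit many distinct accounts in a short burst with mostly failed logins, and lists the accounts where the replayed password worked so they can be reset; the log format and thresholds are constructed assumptions.

```python
# Added example (not from the original post): flag credential-stuffing patterns
# in constructed authentication log lines. Stuffing replays leaked user/password
# pairs across many accounts, so one source produces a burst of failures over
# many *distinct* users, unlike one user mistyping or a brute-force on one account.
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines: "<ISO timestamp> <source-ip> <user> <LOGIN_OK|LOGIN_FAIL>"
SAMPLE_LOG = """\
2021-02-04T10:00:01Z 203.0.113.5 alice@example.com LOGIN_FAIL
2021-02-04T10:00:02Z 203.0.113.5 bob@example.com LOGIN_FAIL
2021-02-04T10:00:02Z 203.0.113.5 carol@example.com LOGIN_OK
2021-02-04T10:00:03Z 203.0.113.5 dave@example.com LOGIN_FAIL
2021-02-04T10:00:03Z 203.0.113.5 erin@example.com LOGIN_FAIL
2021-02-04T10:00:04Z 203.0.113.5 frank@example.com LOGIN_OK
2021-02-04T10:05:00Z 198.51.100.7 alice@example.com LOGIN_FAIL
2021-02-04T10:05:09Z 198.51.100.7 alice@example.com LOGIN_OK
2021-02-04T10:06:00Z 192.0.2.9 grace@example.com LOGIN_OK
"""

def parse_log(text):
    """Yield (timestamp, ip, user, success) tuples from the log text."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        yield datetime.fromisoformat(ts.replace("Z", "+00:00")), ip, user, result == "LOGIN_OK"

def find_stuffing_sources(text, min_users=5, max_window_s=60, min_fail_ratio=0.5):
    """Return {ip: sorted users whose login *succeeded*} for every source that
    tried at least `min_users` distinct accounts within `max_window_s` seconds
    with a failure ratio of at least `min_fail_ratio`. The successes are the
    accounts that need a forced password reset, which is what Spotify did."""
    per_ip = defaultdict(list)
    for ts, ip, user, ok in parse_log(text):
        per_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        users = {u for _, u, _ in events}
        span = (events[-1][0] - events[0][0]).total_seconds()
        fails = sum(1 for _, _, ok in events if not ok)
        if len(users) >= min_users and span <= max_window_s and fails / len(events) >= min_fail_ratio:
            flagged[ip] = sorted(u for _, u, ok in events if ok)
    return flagged

if __name__ == "__main__":
    for ip, hit in find_stuffing_sources(SAMPLE_LOG).items():
        print(f"{ip}: credential stuffing suspected; reset passwords for {hit}")
```

In the sample, only 203.0.113.5 is flagged (six accounts in three seconds, four failures); the single user retrying from 198.51.100.7 is not.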

Hackers have successfully gained access to the customer credentials of various popular companies, including big names like Donuts (it has been attacked twice in three months), The North Face, Dunkin, the popular chicken-dinner chain Nando's, and FC Barcelona's official Twitter account, which was hacked last year.

Back in November 2020, malicious actors obtained the information of thousands of Spotify subscribers, prompting the streaming music service to issue a password-reset notice.

Researcher Bob Diachenko tweeted about the new Spotify attack on Thursday, “I have uncovered a malicious #Spotify logger database, with 100K+ account details (leaked elsewhere online) being misused and compromised as part of a credential stuffing attack.” 

He also posted a Spotify statement confirming the incident.

“We recently protected some of our users against [a credential-stuffing attack]. Once we became aware of the situation, we issued password resets to all impacted users, which rendered the public credentials invalid,” the notice read.

The organization has also stated that the hacks were carried out using an ill-gotten set of data: “We worked to have the fraudulent database taken down by the ISP hosting it,” the company added. 

This attack closely resembles the previous one, in which the harvested login data also turned up in a publicly exposed Elasticsearch instance.

“There are similarities but this one looks different, like coming from a rival group. I suppose that login pairs came from previously reported breaches or collections of data, so they just re-use them against Spotify accounts to become part of this automated process,” Diachenko tweeted. 

“Originally this data was exposed inside a misconfigured (thus publicly reachable) Elasticsearch cluster – most likely operated by the malicious actors themselves,” he added. “It contained entire logs of their operations, plus email/password pairs they used [for the attack].”