Spotify has notified users that some of their registration data was inadvertently exposed to a 3rd-party business partner, including email addresses, preferred display names, passwords, gender & dates of birth. This is at least the 3rd breach in less than a month for the world’s largest streaming service.
A statement from Spotify about the incident explained the exposure was due to a software vulnerability that existed from April 9 till Nov. 12 when it was corrected.
“We take any loss of personal information very seriously & are taking steps to help protect you & your personal information,” the Dec. 9 statement observed.
“We have conducted an internal investigation & have contacted all of our business partners that may have had access to your account information to ensure that any personal information that may have been inadvertently disclosed to them has been deleted.”
This announcement comes just a few days after some of the streaming service’s most popular stars’ pages were taken over by a ‘mysterious’ malicious player named “Daniel”, who used hijacked Spotify artist pages, including those of Dua Lipa & Pop Smoke, to proclaim his love of outgoing US President Trump & Taylor Swift.
The incident occurred during its well-publicised year-end Spotify Wrapped 2020 announcement of the year’s most popular streams.
A week earlier, in late Nov., Spotify saw a number of account takeovers following a credential-stuffing operation. In this sort of attack, threat actors gamble on people reusing passwords: they try username & password pairs stolen from one service on many other services to gain access to a whole range of accounts.
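The defensive counterpart of the attack described above, as an added example that is not part of the original article: a small detector that parses constructed login-audit lines (the format and IPs are assumptions, not Spotify’s logs) and flags source IPs that spray many distinct accounts with mostly failures inside a short window, while leaving a single user retrying their own password alone.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login-audit lines (not real Spotify data):
# "<ISO timestamp> <client IP> <username> <OK|FAIL>"
SAMPLE_LOG = """\
2020-11-20T10:00:01 203.0.113.7 alice@example.com FAIL
2020-11-20T10:00:02 203.0.113.7 bob@example.com FAIL
2020-11-20T10:00:03 203.0.113.7 carol@example.com FAIL
2020-11-20T10:00:04 203.0.113.7 dave@example.com OK
2020-11-20T10:00:05 203.0.113.7 erin@example.com FAIL
2020-11-20T10:00:06 203.0.113.7 frank@example.com FAIL
2020-11-20T10:05:00 198.51.100.9 alice@example.com FAIL
2020-11-20T10:05:03 198.51.100.9 alice@example.com FAIL
2020-11-20T10:05:10 198.51.100.9 alice@example.com OK
"""

def parse(log_text):
    """Turn log lines into (timestamp, ip, user, succeeded) tuples; skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("OK", "FAIL"):
            continue
        ts, ip, user, result = parts
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events

def detect_stuffing(events, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.7):
    """Flag IPs that hit many distinct accounts with mostly failures inside one sliding window.

    Returns {flagged_ip: sorted accounts that DID log in from it}, i.e. the accounts
    that most urgently need a forced password reset.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # keep chunk inside the window
                start += 1
            chunk = evs[start:end + 1]
            users = {u for _, u, _ in chunk}
            fails = sum(1 for _, _, ok in chunk if not ok)
            if len(users) >= min_users and fails / len(chunk) >= min_fail_ratio:
                flagged.setdefault(ip, set()).update(u for _, u, ok in chunk if ok)
    return {ip: sorted(users) for ip, users in flagged.items()}
```

Thresholds are starting points; attackers using proxies or botnets spread attempts across many IPs, so the same counting is usually also done per ASN or per device fingerprint.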
Researchers at vpnMentor found an open & vulnerable Elasticsearch database with more than 380 Spotify user records, including login credentials.
“The exposed database belonged to a 3rd party that was using it to store Spotify login credentials,” the firm commented. “These credentials were most likely obtained illegally or potentially leaked from other sources.”
In response, Spotify initiated a rolling password reset, rendering the exposed credentials useless.
Spotify & Credential Stuffing
Now Spotify’s user data has been exposed again.
“A very small subset of Spotify users was impacted by a software bug, which has now been fixed & addressed,” a statement from a Spotify spokesperson read. “Protecting our users’ privacy & maintaining their trust are top priorities at Spotify. To address this issue, we issued a password reset to impacted users. We take these obligations extremely seriously.”
The company asks users to update the passwords of any other accounts tied to the same email address.
“Again, while we are not aware of any unauthorised use of your personal information, as a precautionary measure, we encourage you to remain vigilant by monitoring your account closely,” Spotify’s statement also added. “If you detect any suspicious activity on your Spotify account, you should promptly notify us.”
Kacey Clark, Threat Researcher at Digital Shadows, said that this type of basic data theft is exactly what malicious actors need to launch a credential-stuffing attack.
“Brute-force, cracking tools & account checkers are the cornerstones of many account takeover operations, reliably enabling attackers to get their hands on even more of your data,” Clark explained. “They’re automated scripts or programs applied to a login system, whether it’s associated with an API or website, to access a user’s account.”
Amount of Damage
Once they have access, there is little limit to the damage account hijackers can inflict on victims.
“Criminal operations using brute-force cracking tools or account checkers may also take advantage of IP addresses, VPN services, botnets or proxies to maintain anonymity or improve the likelihood of accessing an account,” Clark also added.
“Once they’re in, they can use the account for malicious purposes or extract all of its data (potentially including payment-card details or personally identifiable information) to monetise it.”
She backed the point with Digital Shadows’ research findings that streaming services accounted for 13% of the accounts listed on criminal marketplaces.
“In the end, would you rather pay $10 a month for yet another streaming service, or pay $5 for lifetime access?” she asked.
Media & streaming services are well-known targets of credential-stuffing attacks. Akamai recently highlighted the risk of credential-stuffing attacks for content providers like Spotify.
“Hackers are very attracted to the high profile & value of online streaming services,” says the company. In Akamai’s most recent report on the state of media-industry security, it found that a full 20% of the observed 88 billion credential-stuffing attacks over the past 12 months were aimed at media companies.
“As long as we have usernames & passwords, we’re going to have criminals trying to compromise them & exploit valuable information,” Akamai researcher Steve Ragan explained. “Password-sharing & recycling are easily the 2 largest contributing factors in credential-stuffing attacks.”
While good password hygiene is an excellent way for consumers to protect their data, Ragan stressed that it is businesses that need to take proactive steps to boost security & maintain consumer trust.
“While educating consumers on good credential hygiene is critical to combating these attacks, it’s up to businesses to deploy stronger authentication methods & identify the right mix of technology, policies & expertise that can help protect customers without adversely impacting the user experience.”