Spotify launches ‘rolling reset’ on customer accounts, passwords linked to data leak
Spotify has issued a rolling password reset of some user accounts following the discovery of an open database containing user credentials.
This week, vpnMentor researchers Noam Rotem and Ran Locar made their findings public: an open Elasticsearch database was found during the firm's web mapping project.
The 72GB database contained over 380 million records, "including login credentials and other user data being validated against the Spotify service," the team said.
According to vpnMentor, the origins of the database are unknown, but it does not belong to the music streaming service itself. Instead, the third party that created the database may have collated the records from other sources -- such as stolen data dumps or another platform -- for later use to hijack user accounts.
"These credentials were most likely obtained illegally or potentially leaked from other sources that were repurposed for credential stuffing attacks against Spotify," Rotem and Locar said.
Some, but not all, Spotify users have been impacted. It is estimated that roughly 300,000 to 350,000 accounts were embroiled in the leak, in which email addresses, Personally Identifiable Information (PII), countries of residence, and login credentials -- both usernames and passwords -- were available to view.
The information was not encrypted. As a result, these records could be used to access and take over accounts, as well as perform credential-stuffing attacks should the password and email combinations be used on other platforms or to access other applications.
However, the leaked data relates to only a tiny fraction of Spotify's base of 299 million monthly active users.
vpnMentor discovered the database on July 3, and following a review, contacted Spotify on July 9. Between July 10 and July 21, the music streaming service initiated a rolling reset of passwords for the users identified in the database, ensuring the password and username combinations -- at least on the Spotify platform -- would become useless.