A group of hackers didn't have to breach Spotify's systems to access as many as 350,000 accounts on the music-streaming service. All it took was a cache of login credentials stolen in other data breaches, and some patience.
The hackers were successful because Spotify account holders were reusing passwords from other accounts they had, a basic security mistake. The hackers just had to try the combinations on Spotify and look for matches, a technique known as credential stuffing.
The simplicity of that technique doesn't require genius, something the hackers proved by committing their own security blunder. The gang of criminal nonmasterminds exposed their own operation by storing the records on an unsecured cloud database. That meant anyone with a web browser could see the data without needing a password.
Security researchers Ran Locar and Noam Rotem found the exposed records as part of a project that scans the internet for unsecured data. The researchers, who ask for unsecured data they find to be removed or locked down, published their findings with security website vpnMentor on Monday.
Locar and Rotem can't be sure the data wasn't found by anyone else stumbling around the internet. Other hackers could've discovered and copied the records, and tried them out on other services.
"The lesson for the end user is, don't recycle your password." said Locar. "Eventually, one of them is going to be exposed."
The exposed documents didn't indicate what the hackers were doing with the passwords. Stolen Spotify accounts can be rented to other users at a discount. They can also be used for "streaming manipulation," which Rolling Stone reported in 2019 is a major concern in the recording industry. The practice involves coordinating commandeered accounts on music streaming services to boost numbers for a song if someone is willing to pay for such a service.
Whatever the hackers were doing, they won't be doing it any longer. Spotify prompted a password reset for the affected users, ending the utility of the data, which is no longer exposed. The company advises customers to never reuse their passwords, and offers on its website more tips for protecting account security.
Locar and Rotem also found records of IP addresses, which they determined were likely related to the proxy servers the criminals used to disguise their location while they ran their operation. Those details, along with records of exposed accounts, could help Spotify spot activity coming from the crime ring.
"The traffic might have looked legitimate," Locar said, "for a very long duration."