


350,000 Spotify accounts targeted by hackers — what to do


Spotify on an iPhone.
(Image credit: Kaspars Grinvalds/Shutterstock)

Up to 350,000 Spotify accounts have been targeted by hackers who are smashing them open using reused or weak passwords, security researchers with Israeli website VPNMentor have revealed.

While the music streaming service itself has not been hacked, the researchers found an unprotected online database containing about 380 million individual records. These were probably stolen in previous data breaches or phishing attacks and are not directly related to Spotify. But they provide hackers with a flood of passwords and credentials with which to carry out cyber attacks.


The owner of the database was using the records to stage "credential stuffing" attacks, trying out passwords, usernames and/or email addresses (Spotify lets you use either) to gain access to accounts on multiple online services.

Spotify was notified of the situation by the VPNMentor researchers in early July and soon forced all affected users to reset their passwords.

However, those users are still vulnerable to credential-stuffing attacks on other services where their old Spotify passwords were reused.

What you need to do

If you're a Spotify user and you've used the same set of credentials — a password plus a username and/or an email address — for other accounts, you need to change the passwords on those accounts immediately.

Be sure to make each new password long, strong and unique. We recommend using one of the best password managers to create and handle all those new passwords.

You should also pester Spotify to offer two-factor authentication (2FA) as a security option to prevent exactly this kind of account takeover.

Without the "second" factor — a texted code, an app-generated code, a specific smartphone or a physical security key — an attacker can't get into your account even with your password. Most well-known online services already offer 2FA, and it's time for Spotify to join them.

Other risks

Spotify users in the database could also be vulnerable to phishing attacks and even identity theft, the VPNMentor researchers warned.

"Fraudsters could use the exposed emails and names from the leak to identify users across other platforms and social media accounts," the study said. "Fraudsters could also utilise the contact information to directly target the exposed users with phishing emails, tricking them into providing sensitive data like credit card details, or clicking a fake link embedded with malware."

Of course, that's true whenever there's a large data breach exposing credentials. Almost everybody who's ever had an online account has had something exposed. You can check your own email addresses and passwords at the (safe to use) website HaveIBeenPwned.

How to make sure this doesn't happen again

Credential stuffing generally works only because most people use the same password for more than one account, or use simple, common passwords that can be easily guessed.

If the password, username and/or email address linked to just one of those accounts are exposed in a data breach or phishing attack, then all accounts using those credentials can be accessed, no matter how strong the password may be.

Credential stuffing isn't really a hack, since the attacker already has the "keys" and is using the login software as it's designed. Instead, you've made it easier for the attacker by using the same set of keys for more than one account.

Reusing passwords is like having a single key for your house, your car, your office and your home safe. Using one of the top 10,000 or so most commonly used passwords is like having a blank key. Either way, if someone gets a copy of that key, you're screwed.

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than fifteen years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.

Source: https://www.tomsguide.com/news/spotify-credential-stuffing-attack
