350,000 Spotify accounts targeted by hackers — what to do
Up to 350,000 Spotify accounts have been targeted by hackers who are breaking into them using reused or weak passwords, security researchers with the Israeli website VPNMentor have revealed.
While the music streaming service itself has not been hacked, the researchers found an unprotected online database containing about 380 million individual records. These were probably stolen in earlier data breaches or phishing attacks and are not directly related to Spotify, but they give attackers a trove of passwords and credentials with which to carry out further attacks.
The owner of the database was using the records to stage "credential stuffing" attacks: automatically replaying leaked password and username and/or email address pairs (Spotify lets you log in with either) against the login pages of multiple online services to find accounts where the same pair still works.
Spotify was notified of the situation by the VPNMentor researchers in early July and soon forced all affected users to reset their passwords.
However, those users are still vulnerable to credential-stuffing attacks on other services where their old Spotify passwords were reused.
What you need to do
If you're a Spotify user and you've used the same set of credentials — a password plus a username and/or an email address — for other accounts, you need to change the passwords on those accounts immediately.
Be sure to make each new password long, strong and unique. We recommend using one of the best password managers to create and keep track of all those new passwords.
You should also pester Spotify to offer two-factor authentication (2FA) as a security option to prevent exactly this kind of account takeover.
Without the "second" factor — a texted code, an app-generated code, a specific smartphone or a physical security key — an attacker who has only your password can't get into your account. Most well-known online services already offer 2FA, and it's time for Spotify to join them.
Other risks
Spotify users in the database could also be vulnerable to phishing attacks and even identity theft, the VPNMentor researchers warned.
"Fraudsters could use the exposed emails and names from the leak to identify users across other platforms and social media accounts," the report said. "Fraudsters could also use the contact information to directly target the exposed users with phishing emails, tricking them into providing sensitive data like credit card details, or clicking a fake link embedded with malware."
Of course, that's true whenever there's a large data breach exposing credentials. Almost anybody who's ever had an online account has had something exposed. You can check your own email addresses and passwords at the (safe to use) website HaveIBeenPwned.
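The reason the HaveIBeenPwned password check is safe to use is its k-anonymity range query: neither the password nor its full hash leaves your machine. The following is an added example, not code from the article or from HaveIBeenPwned, that implements that client-side logic. The API shape it assumes (GET `/range/` followed by the first five hex characters of the password's SHA-1, returning plain-text `SUFFIX:COUNT` lines) is taken from the public Pwned Passwords documentation; the bucket contents and counts below are constructed so the example runs offline.

```python
from __future__ import annotations

import hashlib

# Added example (not from the article or from HaveIBeenPwned): the Pwned
# Passwords k-anonymity lookup. Only a 5-hex-character SHA-1 prefix is sent;
# the server returns every suffix in that bucket with a breach count, and
# the match is made locally, so the password never leaves this process.


def sha1_prefix_suffix(password: str) -> tuple:
    """Split the upper-case hex SHA-1 into the 5-char prefix that is sent
    and the 35-char suffix that is matched locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}."""
    bucket = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        bucket[suffix.upper()] = int(count)
    return bucket


def breach_count(password: str, fetch_range) -> int:
    """Number of times the password appears in the corpus (0 = not seen).
    `fetch_range(prefix)` returns the raw range-response text."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# Constructed offline stand-in for the service. Bucket 5BAA6 contains the
# suffix of SHA-1("password"); the other suffixes and all counts are made up.
CONSTRUCTED_RANGES = {
    "5BAA6": "\n".join([
        "1D2DA4053E34E76F6576ED1DA63134B5E2A:2",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",
        "1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1",
    ]),
}


def constructed_fetch_range(prefix: str) -> str:
    """Offline fetcher: unknown prefixes get a bucket with one unrelated entry."""
    return CONSTRUCTED_RANGES.get(prefix, "0123456789ABCDEF0123456789ABCDEF012:1")


def live_fetch_range(prefix: str) -> str:
    """Network fetcher (assumed API shape, not exercised here)."""
    import urllib.request
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "pwned-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(repr(pw), "seen", breach_count(pw, constructed_fetch_range), "times")
```

A password manager or a signup form can run exactly this check on a candidate password before accepting it; a non-zero count means the password is already in attackers' credential-stuffing lists, no matter how long it is.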
How to make sure this doesn't happen again
Credential stuffing generally works only because most people use the same password for more than one account, or use simple, common passwords that can easily be guessed.
If the password, username and/or email address linked to just one of those accounts is exposed in a data breach or phishing attack, then every account using those same credentials can be accessed, no matter how strong the password may be.
Credential stuffing isn't really a hack, since the attacker already has the "keys" and is using the login software as it's designed. Instead, you've made it easier for the attacker by using the same set of keys for more than one account.
Reusing passwords is like having a single key for your house, your car, your office and your home safe. Using one of the top 10,000 or so most commonly used passwords is like having a blank key. Either way, if someone gets a copy of that key, you're screwed.
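Because a stuffing attack uses the login flow exactly as designed, a service can only catch it by looking at the pattern of logins rather than any single one: one source trying one password each against many different accounts, with most attempts failing. The following is an added example, not code from the article, that runs that detection over a constructed authentication log and separates the stuffing pattern from an ordinary brute-force attempt (many passwords against one account) and from a legitimate user mistyping a password. The log format, IP addresses and thresholds are this example's own assumptions.

```python
from __future__ import annotations

import re
from collections import defaultdict

# Added example (not from the article): detecting credential stuffing in an
# authentication log by grouping attempts per source address. The log
# format below is assumed; real services would read their own auth events.

LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line: str):
    """Return the event fields, or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(lines):
    """Per source IP: total attempts, failures and the set of accounts tried."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set()})
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        s = stats[ev["ip"]]
        s["attempts"] += 1
        s["users"].add(ev["user"])
        if ev["result"] == "FAIL":
            s["failures"] += 1
    return dict(stats)


def classify(stats, min_users: int = 5, min_fail_ratio: float = 0.7,
             brute_min_failures: int = 10) -> dict:
    """Stuffing: many distinct accounts from one source, mostly failing.
    Brute force: one account, many failures. Everything else: normal.
    Thresholds are illustrative and would be tuned per service."""
    verdicts = {}
    for ip, s in stats.items():
        ratio = s["failures"] / s["attempts"]
        if len(s["users"]) >= min_users and ratio >= min_fail_ratio:
            verdicts[ip] = "credential_stuffing"
        elif len(s["users"]) == 1 and s["failures"] >= brute_min_failures:
            verdicts[ip] = "password_brute_force"
        else:
            verdicts[ip] = "normal"
    return verdicts


# Constructed sample log (documentation-range IPs, made-up accounts).
SAMPLE_LOG = (
    # One source, one leaked password per account, and one of them works.
    [f"2020-11-23T10:00:{i:02d}Z ip=203.0.113.7 user=user{i}@example.com result=FAIL"
     for i in range(7)]
    + ["2020-11-23T10:00:07Z ip=203.0.113.7 user=user7@example.com result=OK"]
    # One account hammered with many password guesses.
    + [f"2020-11-23T10:01:{i:02d}Z ip=198.51.100.2 user=bob@example.com result=FAIL"
       for i in range(12)]
    # A real user mistypes twice, then logs in.
    + ["2020-11-23T10:02:00Z ip=192.0.2.5 user=alice@example.com result=FAIL",
       "2020-11-23T10:02:05Z ip=192.0.2.5 user=alice@example.com result=FAIL",
       "2020-11-23T10:02:11Z ip=192.0.2.5 user=alice@example.com result=OK"]
)

if __name__ == "__main__":
    for ip, verdict in classify(summarize(SAMPLE_LOG)).items():
        print(ip, verdict)
```

The single successful login from 203.0.113.7 is the one that matters: it is the reused password that still works, and it is the account that needs a forced reset. Real stuffing tools spread their attempts over large proxy pools so that no single IP crosses a threshold, so a production detector would also aggregate across sources (for example, a sudden rise in first-attempt failures against valid accounts) and could check submitted passwords against a breached-password list before accepting them.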
Source: https://www.tomsguide.com/news/spotify-credential-stuffing-attack
Posted by: grimmwomighon.blogspot.com