350,000 Spotify accounts targeted by hackers — what to do

Spotify on an iPhone.
(Image credit: Kaspars Grinvalds/Shutterstock)

Up to 350,000 Spotify accounts have been targeted by hackers who are cracking them open using reused or weak passwords, security researchers with Israeli website VPNMentor have revealed. 

While the music streaming service itself has not been hacked, the researchers found an unprotected online database containing about 380 million individual records/ These were likely stolen in old data breaches or phishing attacks and not directly related to Spotify. But they provide hackers with a deluge of passwords and credentials with which to carry out cyber attacks. 

The owner of the database was using the records to stage "credential stuffing" attacks, trying out passwords, usernames and/or email addresses (Spotify lets you use either) to gain access to accounts on multiple online services.

Spotify was notified of the situation by the VPNMentor researchers in early July and soon forced all affected users to reset their passwords. 

However, those users are still vulnerable to credential-stuffing attacks on other services where their old Spotify passwords were reused. 

What you need to do

If you're a Spotify user and you've used the same set of credentials — a password plus a username and/or an email address — for other accounts, you need to change the passwords on those accounts immediately.

Be sure to make each new password long, strong and unique. We recommend using one of the best password managers to create and handle all those new passwords.

You should also pester Spotify to offer two-factor authentication (2FA) as a security option to prevent exactly this kind of account takeover. 

Without the "second" factor — a texted code, an app-generated code, a specific smartphone or a physical security key — an attacker can't get into your account even with your password. Most well-known online services already offer 2FA, and it's time for Spotify to join them.

Other risks

Spotify users in the database could also be vulnerable to phishing attacks and even identity theft, the VPNMentor researchers warned.

"Fraudsters could use the exposed emails and names from the leak to identify users across other platforms and social media accounts," the report said. "Fraudsters could also use the contact information to directly target the exposed users with phishing emails, tricking them into providing sensitive data like credit card details, or clicking a fake link embedded with malware."

Of course, that's true whenever there's a large data breach exposing credentials. Virtually everyone who's ever had an online account has had something exposed. You can check out your own email addresses and passwords at the (safe to use) website HaveIBeenPwned.

How to make sure this doesn't happen again

Credential stuffing generally works only because most people use the same password for more than one account, or use simple, common passwords that can be easily guessed.

If the password, username and/or email address linked to just one of those accounts are exposed in a data breach or phishing attack, then all accounts using those credentials can be accessed, no matter how strong the password may be. 

Credential stuffing isn't really a hack, since the attacker already has the "keys" and is using the login software as it's designed. Instead, you've made it easier for the attacker by using the same set of keys for more than one account. 

Reusing passwords is like having a single key for your house, your car, your office and your home safe. Using one of the top 10,000 or so mostly commonly used passwords is like having a blank key. Either way, if someone gets a copy of that key, you're screwed.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.