Spotify Users Hit with Rash of Account Takeovers (Security News, November 2020)
VpnMentor's research team spotted an open Elasticsearch database containing more than 380 million individual records, including login credentials and other user data, actively being validated against Spotify accounts.
The database in question contained over 72 GB of data, including account usernames and passwords verified on Spotify; email addresses; and countries of residence.
"The hackers were possibly using login credentials stolen from another platform, app or website and using them to access Spotify accounts."
"Any of these parties could use the PII data exposed to identify Spotify users through their social media accounts, and more. Fraudsters could use the exposed emails and names from the leak to identify users across other platforms and social media accounts. With this information, they could build complex profiles of users worldwide and target them for numerous forms of financial fraud and identity theft."
"Credentials are a particular area in which users are left exposed because they either choose weak passwords, or reuse them across different sites. It's why it's important that users understand the importance of choosing unique and strong passwords across their accounts and where available enable and use multifactor authentication. That way, even if an account is compromised, it won't be possible for attackers to use those credentials to breach other accounts."