Spotify has issued a rolling password reset to some user accounts following the discovery of an open Elasticsearch database containing user credentials. The 72GB database contained over 380 million records and some Spotify users have been impacted. It is estimated that roughly 300,000 to 350,000 accounts were embroiled in the leak, in which email addresses, Personally Identifiable Information (PII), countries of residence, and login credentials — both usernames and passwords — were available to view. The information was not encrypted. According to researchers, the origins of the database are unknown, but it does not belong to the music streaming service itself. Instead, the third-party that created the database may have collated the records from other sources — such as stolen data dumps or another platform — for later use to hijack user accounts.
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.