Expert Comments

Hoard Of Spotify User Data Exposed By Hackers’ Careless Security Practices – Experts Reaction

Expert(s):
Expert(s):

Researchers have discovered a possible credential stuffing operation whose origins are unknown, but that affected online users who have Spotify accounts. The researchers uncovered an Elasticsearch database containing over 380 million records, including login credentials and other user data being validated against the Spotify service.

Experts Comments

Dot Your Expert Comments
Hicham Bouali
November 24, 2020
EMEA Manager
One Identity

The one detected at Spotify isn't a data breach.
The one detected at Spotify isn't a data breach as such: the attackers just managed to find out that a stolen database (coming from somewhere else) with the combination of Username/Password could be verified against Spotify via credential stuffing As users very often juggle lazily with the same password for their different online accounts, cybercriminals use Botnets, computer bots, to test thousands of combinations of IDs and passwords on well-known services. To prevent this type of attack, or .....Read More
The one detected at Spotify isn't a data breach as such: the attackers just managed to find out that a stolen database (coming from somewhere else) with the combination of Username/Password could be verified against Spotify via credential stuffing As users very often juggle lazily with the same password for their different online accounts, cybercriminals use Botnets, computer bots, to test thousands of combinations of IDs and passwords on well-known services. To prevent this type of attack, or any Password related attack (brute Force, Password Spraying…etc.), the best solution is implementing multifactor authentication wherever possible.  Read Less
Ameet Naik
November 24, 2020
Security Evangelist
PerimeterX

Businesses need to protect their login pages from ATO attacks using bot management solutions.
Hackers can profit enormously from credentials present in large database leaks such as these. Since a large number of users reuse their passwords across multiple services, hackers run credential stuffing attacks to check the validity of these credentials against multiple services. These automated attacks, also known as Account Takeover (ATO) are growing in size and scope, up 72 percent over the prior year. Businesses need to protect their login pages from ATO attacks using bot management.....Read More
Hackers can profit enormously from credentials present in large database leaks such as these. Since a large number of users reuse their passwords across multiple services, hackers run credential stuffing attacks to check the validity of these credentials against multiple services. These automated attacks, also known as Account Takeover (ATO) are growing in size and scope, up 72 percent over the prior year. Businesses need to protect their login pages from ATO attacks using bot management solutions. Users must use strong, unique passwords on each service and use multi-factor authentication where possible.  Read Less
Anurag Kahol
November 24, 2020
CTO
Bitglass

All companies should understand that it is essential to have full visibility and control over their customer data in order to prevent a breach.
A staggering 53% of consumers admit to reusing the same password across multiple sites, even knowing the risks associated. This poor password hygiene allows cybercriminals the opportunity and access to various accounts for the same individual across multiple services, rendering their digital footprint incredibly vulnerable as a result. All consumers, not just users impacted by this incident, need to make a habit of diversifying their login credentials across different accounts in order to.....Read More
A staggering 53% of consumers admit to reusing the same password across multiple sites, even knowing the risks associated. This poor password hygiene allows cybercriminals the opportunity and access to various accounts for the same individual across multiple services, rendering their digital footprint incredibly vulnerable as a result. All consumers, not just users impacted by this incident, need to make a habit of diversifying their login credentials across different accounts in order to mitigate the chances of their account being hijacked. Companies can prevent credential stuffing by adopting advanced security solutions that identify suspicious login, taking action before breaches can occur. These controls enable businesses to verify users’ identities and enforce measures, such as multi-factor authentication (MFA), which can limit an attacker’s chance of hijacking a corporate email address in the first place. All companies should understand that it is essential to have full visibility and control over their customer data in order to prevent a breach. To do so, organisations must implement security solutions that remediate misconfigurations, enforce real-time access control, encrypt sensitive data at rest, manage the sharing of data with external parties, and prevent the leakage of sensitive information.  Read Less
Niamh Muldoon
November 24, 2020
Senior Director of Trust and Security EMEA
OneLogin

Organizations should enable their end-users to be as security first.
This is a great example of why single authentication mechanisms are so weak. It can be hard for individuals to remember all the accounts they hold and to keep up to-date with every data breach that is happening. Therefore, organizations should enable their end-users to be as security first and conscious as possible. An easy way for organizations to do this is by streamlining access via a single sign-on platform, securing their access via two-factor authentication to protect them against risks.....Read More
This is a great example of why single authentication mechanisms are so weak. It can be hard for individuals to remember all the accounts they hold and to keep up to-date with every data breach that is happening. Therefore, organizations should enable their end-users to be as security first and conscious as possible. An easy way for organizations to do this is by streamlining access via a single sign-on platform, securing their access via two-factor authentication to protect them against risks like the Spotify end-users experienced  Read Less
Felix Rosbach
November 24, 2020
Product Manager
comforte AG

Companies should look to deploy data security tactics.
Personally identifiable information and especially decrypted passwords are always valuable. According to statistics, 55% of people use the same password for the majority of the services they use. It is no surprise that bad actors frequently focus on getting access to repositories storing this type of information. It is critical that we all become aware of and understand the risks facing our data – especially passwords. Everyone should know how high the chances of a data breach are and that.....Read More
Personally identifiable information and especially decrypted passwords are always valuable. According to statistics, 55% of people use the same password for the majority of the services they use. It is no surprise that bad actors frequently focus on getting access to repositories storing this type of information. It is critical that we all become aware of and understand the risks facing our data – especially passwords. Everyone should know how high the chances of a data breach are and that you will not always be aware of a breach and sometimes you won’t be informed at all. While this is a key takeaway for end users, there is also something in it for enterprises that process this critical data. While there is no sure-fire way to prevent attackers from getting access to an enterprise network, there are solutions that protect valuable customer information. Being able to not only protect passwords but also related personal data reduces the risk of misuse of data and resulting reputational damage drastically. Companies should look to deploy data security tactics such as stateless tokenization to protect the privacy of their customers.  Read Less
Javvad Malik
November 24, 2020
Security Awareness Advocate
KnowBe4

Credentials are a particular area in which users are left exposed.
This exposure goes to illustrate that criminals don't need sophisticated technical hacking abilities to compromise accounts, rather, they can take advantage of lax security practices on behalf of users. Credentials are a particular area in which users are left exposed because they either choose weak passwords, or reuse them across different sites. It's why it's important that users understand the importance of choosing unique and strong passwords across their accounts and where available.....Read More
This exposure goes to illustrate that criminals don't need sophisticated technical hacking abilities to compromise accounts, rather, they can take advantage of lax security practices on behalf of users. Credentials are a particular area in which users are left exposed because they either choose weak passwords, or reuse them across different sites. It's why it's important that users understand the importance of choosing unique and strong passwords across their accounts and where available enable and use MFA. That way, even if an account is compromised, it won't be possible for attackers to use those credentials to breach other accounts.  Read Less
Bill Santos
November 24, 2020
President and COO
Cerberus Cybersecurity

Our opponents are very sophisticated.
This is probably the simplest step an organization can take to begin to create a culture of cybersecurity awareness – encourage unique, non-repeatable passwords. Our opponents are very sophisticated; we don’t need to be making it any easier for them than necessary.
Chris Clements
November 24, 2020
VP
Cerberus Sentinel

Password managers do a great job at alleviating this problem.
It’s easy to blame users for poor password hygiene, but the reality is that it’s very difficult to choose a single strong password. Even harder is to do so for every online account they might have and then keep up with them all. Password managers do a great job at alleviating this problem, but the free ones built in to mobile devices or web browsers can present a problem for users if they need to log into an account from a different type of device, for example the built-in Apple Keychain.....Read More
It’s easy to blame users for poor password hygiene, but the reality is that it’s very difficult to choose a single strong password. Even harder is to do so for every online account they might have and then keep up with them all. Password managers do a great job at alleviating this problem, but the free ones built in to mobile devices or web browsers can present a problem for users if they need to log into an account from a different type of device, for example the built-in Apple Keychain password manager works great on iPhones or Mac computers but not on Microsoft Windows PCs. Third party password managers can solve this problem, but often require a subscription for use. There are a few that offer free tiers as well as open source options such as Bitwarden that offer good solutions.  Read Less

Dot Your Expert Comments


Only for registered and approved experts. Please register before providing comments. Register here
* By using this form you agree with the storage and handling of your data by this web site.
Submit
0
FacebookTwitterLinkedinWhatsappEmail

You may also like

$2bn Startup Glovo Falls Victim To Cyberattack

Vulnerabilities Found In Wifi-routers

Experts Reaction On REvil/Sodin Behind UnitingCare Breach

Experts On IOS 0-Days Vulnerabilities Discovered

Uni Research Finds That Fertility Apps Collecting And Sharing Sensitive...

44% of Orgs. Report Breaches Due to 3rd Parties, 74%...

92% Of Organisations Who Pay Ransoms Don’t Get All Their...

Experts Comments on World Password Day

Expert Insights On Ransomware Task Force Report

Expert Commentary – Ofcom Warn People Not to Trust Caller...