Hoard Of Spotify User Data Exposed By Hackers’ Careless Security Practices – Experts Reaction

Researchers have discovered a likely credential stuffing operation of unknown origin that targeted users who hold Spotify accounts. The researchers uncovered an exposed Elasticsearch database containing over 380 million records, including login credentials and other user data, which were being validated against the Spotify service.

Experts' Comments

November 24, 2020
Hicham Bouali
EMEA Manager
One Identity
The one detected at Spotify isn't a data breach as such: the attackers just managed to find out that a stolen database (coming from somewhere else) with the combination of username/password could be verified against Spotify via credential stuffing. As users very often juggle lazily with the same password for their different online accounts, cybercriminals use botnets, computer bots, to test thousands of combinations of IDs and passwords on well-known services. To prevent this type of attack, or any password-related attack (brute force, password spraying, etc.), the best solution is implementing multifactor authentication wherever possible.
November 24, 2020
Ameet Naik
Security Evangelist
PerimeterX
Hackers can profit enormously from credentials present in large database leaks such as these. Since a large number of users reuse their passwords across multiple services, hackers run credential stuffing attacks to check the validity of these credentials against multiple services. These automated attacks, also known as Account Takeover (ATO), are growing in size and scope, up 72 percent over the prior year. Businesses need to protect their login pages from ATO attacks using bot management solutions. Users must use strong, unique passwords on each service and use multi-factor authentication where possible.
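The comments above describe the attacker side (a leaked credential list replayed against a login page) and the defender side (bot management that spots automated login traffic). The following is an added example, not code from the page or from any vendor named here, showing the simplest form of that detection: per-source aggregation of login attempts over a constructed authentication log, flagging a source that cycles through many distinct accounts with a high failure rate, and listing the accounts it did get into so they can be reset. The log format, the field names, the thresholds and the sample lines are all assumptions.

```python
"""Detecting a credential-stuffing burst in authentication logs.

Added example (not the page's own code, nor any vendor's product). The log
format, thresholds and sample lines are assumptions / constructed data.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed log format: "<timestamp> ip=<src> user=<account> result=ok|fail".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample log (not real data). 203.0.113.7 tries ten different
# accounts in ten seconds and succeeds once; the other sources look like
# ordinary users (a typo or two on their own account, then success).
SAMPLE_LOG = """\
2020-11-24T10:00:01Z ip=203.0.113.7 user=alice result=fail
2020-11-24T10:00:02Z ip=203.0.113.7 user=bob result=fail
2020-11-24T10:00:03Z ip=203.0.113.7 user=carol result=fail
2020-11-24T10:00:04Z ip=203.0.113.7 user=dave result=fail
2020-11-24T10:00:05Z ip=203.0.113.7 user=erin result=fail
2020-11-24T10:00:06Z ip=203.0.113.7 user=frank result=fail
2020-11-24T10:00:07Z ip=203.0.113.7 user=grace result=ok
2020-11-24T10:00:08Z ip=203.0.113.7 user=heidi result=fail
2020-11-24T10:00:09Z ip=203.0.113.7 user=ivan result=fail
2020-11-24T10:00:10Z ip=203.0.113.7 user=judy result=fail
2020-11-24T10:01:00Z ip=198.51.100.5 user=mallory result=fail
2020-11-24T10:01:05Z ip=198.51.100.5 user=mallory result=fail
2020-11-24T10:01:12Z ip=198.51.100.5 user=mallory result=ok
2020-11-24T10:02:00Z ip=198.51.100.9 user=oscar result=ok
this line is malformed and must be skipped, not guessed at
"""


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)

    @property
    def fail_ratio(self) -> float:
        return self.failures / self.attempts if self.attempts else 0.0


def parse_log(text: str) -> list[dict]:
    """Parse log lines into dicts; lines that do not match are dropped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def aggregate(entries: list[dict]) -> dict[str, SourceStats]:
    """Per-source counts: attempts, failures and the set of accounts tried."""
    stats: dict[str, SourceStats] = defaultdict(SourceStats)
    for e in entries:
        s = stats[e["ip"]]
        s.attempts += 1
        s.users.add(e["user"])
        if e["result"] == "fail":
            s.failures += 1
    return dict(stats)


def flag_sources(stats, min_attempts=5, min_distinct_users=5, min_fail_ratio=0.8):
    """Sources that look like stuffing: volume, many accounts, mostly failures.

    A user mistyping their own password fails repeatedly on ONE account, so
    the distinct-account count is what separates them from a replayed list.
    Thresholds are illustrative; tune them against your own baseline traffic.
    """
    return sorted(
        ip for ip, s in stats.items()
        if s.attempts >= min_attempts
        and len(s.users) >= min_distinct_users
        and s.fail_ratio >= min_fail_ratio
    )


def takeover_candidates(entries: list[dict], flagged) -> set[str]:
    """Accounts that a flagged source logged into successfully.

    A success inside a stuffing burst is the signal that matters: that
    username/password pair was valid, so the account needs a reset/review.
    """
    flagged_set = set(flagged)
    return {e["user"] for e in entries
            if e["ip"] in flagged_set and e["result"] == "ok"}


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    stats = aggregate(entries)
    flagged = flag_sources(stats)
    for ip in flagged:
        s = stats[ip]
        print(f"{ip}: {s.attempts} attempts, {len(s.users)} accounts, "
              f"fail ratio {s.fail_ratio:.2f}")
    print("accounts to review:", sorted(takeover_candidates(entries, flagged)))
```

Keying on the source IP alone is the weak point of this approach: the botnets mentioned above spread the same list over thousands of addresses, each staying under any per-IP threshold, so a production detector also aggregates by device fingerprint, ASN and time window, rate-limits or challenges suspicious sessions, and, as every comment here concludes, relies on MFA so that a validated password is not enough on its own.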
November 24, 2020
Anurag Kahol
CTO
Bitglass
A staggering 53% of consumers admit to reusing the same password across multiple sites, even knowing the risks associated. This poor password hygiene allows cybercriminals the opportunity and access to various accounts for the same individual across multiple services, rendering their digital footprint incredibly vulnerable as a result. All consumers, not just users impacted by this incident, need to make a habit of diversifying their login credentials across different accounts in order to mitigate the chances of their account being hijacked. Companies can prevent credential stuffing by adopting advanced security solutions that identify suspicious logins, taking action before breaches can occur. These controls enable businesses to verify users' identities and enforce measures, such as multi-factor authentication (MFA), which can limit an attacker's chance of hijacking a corporate email address in the first place. All companies should understand that it is essential to have full visibility and control over their customer data in order to prevent a breach. To do so, organisations must implement security solutions that remediate misconfigurations, enforce real-time access control, encrypt sensitive data at rest, manage the sharing of data with external parties, and prevent the leakage of sensitive information.
November 24, 2020
Niamh Muldoon
Senior Director of Trust and Security EMEA
OneLogin
This is a great example of why single authentication mechanisms are so weak. It can be hard for individuals to remember all the accounts they hold and to keep up to date with every data breach that is happening. Therefore, organizations should enable their end-users to be as security-first and conscious as possible. An easy way for organizations to do this is by streamlining access via a single sign-on platform, securing their access via two-factor authentication to protect them against risks like the Spotify end-users experienced.
November 24, 2020
Felix Rosbach
Product Manager
comforte AG
Personally identifiable information and especially decrypted passwords are always valuable. According to statistics, 55% of people use the same password for the majority of the services they use. It is no surprise that bad actors frequently focus on getting access to repositories storing this type of information. It is critical that we all become aware of and understand the risks facing our data, especially passwords. Everyone should know how high the chances of a data breach are and that you will not always be aware of a breach and sometimes you won't be informed at all. While this is a key takeaway for end users, there is also something in it for enterprises that process this critical data. While there is no sure-fire way to prevent attackers from getting access to an enterprise network, there are solutions that protect valuable customer information. Being able to not only protect passwords but also related personal data reduces the risk of misuse of data and resulting reputational damage drastically. Companies should look to deploy data security tactics such as stateless tokenization to protect the privacy of their customers.
November 24, 2020
Javvad Malik
Security Awareness Advocate
KnowBe4
This exposure goes to illustrate that criminals don't need sophisticated technical hacking abilities to compromise accounts; rather, they can take advantage of lax security practices on the part of users. Credentials are a particular area in which users are left exposed because they either choose weak passwords or reuse them across different sites. It's why it's important that users understand the importance of choosing unique and strong passwords across their accounts and, where available, enable and use MFA. That way, even if an account is compromised, it won't be possible for attackers to use those credentials to breach other accounts.
November 24, 2020
Bill Santos
President and COO
Cerberus Cybersecurity
This is probably the simplest step an organization can take to begin to create a culture of cybersecurity awareness – encourage unique, non-repeatable passwords. Our opponents are very sophisticated; we don’t need to be making it any easier for them than necessary.
November 24, 2020
Chris Clements
VP
Cerberus Sentinel
It's easy to blame users for poor password hygiene, but the reality is that it's very difficult to choose a single strong password. Even harder is to do so for every online account they might have and then keep up with them all. Password managers do a great job at alleviating this problem, but the free ones built in to mobile devices or web browsers can present a problem for users if they need to log into an account from a different type of device; for example, the built-in Apple Keychain password manager works great on iPhones or Mac computers but not on Microsoft Windows PCs. Third-party password managers can solve this problem, but often require a subscription for use. There are a few that offer free tiers as well as open source options such as Bitwarden that offer good solutions.
