Researchers have discovered a possible credential stuffing operation of unknown origin that affected Spotify account holders. The researchers uncovered an Elasticsearch database containing over 380 million records, including login credentials and other user data that were being validated against the Spotify service. The credentials appear to have been collected elsewhere and tested against Spotify for password reuse, rather than taken from Spotify itself.
Expert Comments
Businesses need to protect their login pages from ATO attacks using bot management solutions.
Hackers can profit enormously from credentials present in large database leaks such as these. Since a large number of users reuse their passwords across multiple services, hackers run credential stuffing attacks to check the validity of these credentials against multiple services. These automated attacks, also known as Account Takeover (ATO), are growing in size and scope, up 72 percent over the prior year. Businesses need to protect their login pages from ATO attacks using bot management...
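The comment above describes the mechanics a defender has to spot: an automated client cycling through a list of leaked username/password pairs against a login page. The following Python script is an added illustrative example (not code from the commenter, from Spotify, or from any bot-management vendor) of the simplest server-side signal for that pattern. It aggregates login events per client IP and flags sources that try many distinct usernames, mostly fail, and do so at a machine-like cadence; a human retrying a mistyped password hits the same username a few times, which the heuristic deliberately ignores. The log format, the field order, the IP addresses and the usernames are all constructed for the example, and the thresholds are assumptions to be tuned against real traffic.

```python
"""Per-source credential-stuffing detection over login events.

Added illustrative example. The log layout below
("<ISO time> <client_ip> <username> <OK|FAIL>") is an assumption for this
demo, not any real service's format; the sample lines are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample: one source sprays ten distinct usernames in ten seconds
# (two of them succeed), another source is a human retrying one account.
SAMPLE_LOG = """\
2020-11-23T10:00:00 203.0.113.7 alice@example.com FAIL
2020-11-23T10:00:01 203.0.113.7 bob@example.com FAIL
2020-11-23T10:00:02 203.0.113.7 carol@example.com OK
2020-11-23T10:00:03 203.0.113.7 dave@example.com FAIL
2020-11-23T10:00:04 203.0.113.7 erin@example.com FAIL
2020-11-23T10:00:05 203.0.113.7 frank@example.com FAIL
2020-11-23T10:00:06 203.0.113.7 grace@example.com FAIL
2020-11-23T10:00:07 203.0.113.7 heidi@example.com OK
2020-11-23T10:00:08 203.0.113.7 ivan@example.com FAIL
2020-11-23T10:00:09 203.0.113.7 judy@example.com FAIL
2020-11-23T10:05:00 198.51.100.4 mallory@example.com FAIL
2020-11-23T10:05:20 198.51.100.4 mallory@example.com FAIL
2020-11-23T10:06:10 198.51.100.4 mallory@example.com OK
"""


@dataclass
class ClientStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)       # distinct usernames tried
    succeeded: set = field(default_factory=set)   # usernames that logged in
    times: list = field(default_factory=list)     # attempt timestamps


def parse_line(line):
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "OK"


def aggregate(log_text):
    """Fold raw events into per-client-IP statistics."""
    stats = defaultdict(ClientStats)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, ok = parse_line(line)
        s = stats[ip]
        s.attempts += 1
        s.users.add(user)
        s.times.append(ts)
        if ok:
            s.succeeded.add(user)
        else:
            s.failures += 1
    return stats


def median_interval_seconds(times):
    """Median gap between consecutive attempts; inf if fewer than two."""
    if len(times) < 2:
        return float("inf")
    ts = sorted(times)
    gaps = sorted((b - a).total_seconds() for a, b in zip(ts, ts[1:]))
    mid = len(gaps) // 2
    return gaps[mid] if len(gaps) % 2 else (gaps[mid - 1] + gaps[mid]) / 2


def detect_stuffing(log_text, min_attempts=8, min_user_ratio=0.8,
                    min_fail_rate=0.5, max_median_gap=5.0):
    """Return {ip: summary} for sources matching the stuffing pattern.

    Thresholds are assumptions for the demo: many attempts, nearly every
    attempt against a different username, mostly failures, steady cadence.
    """
    findings = {}
    for ip, s in aggregate(log_text).items():
        user_ratio = len(s.users) / s.attempts
        fail_rate = s.failures / s.attempts
        gap = median_interval_seconds(s.times)
        if (s.attempts >= min_attempts and user_ratio >= min_user_ratio
                and fail_rate >= min_fail_rate and gap <= max_median_gap):
            findings[ip] = {
                "attempts": s.attempts,
                "distinct_users": len(s.users),
                "fail_rate": round(fail_rate, 2),
                "median_gap_s": gap,
                # Successful logins from a flagged source are the accounts
                # that need a forced reset and a notification.
                "compromised_accounts": sorted(s.succeeded),
            }
    return findings


if __name__ == "__main__":
    for ip, summary in detect_stuffing(SAMPLE_LOG).items():
        print(ip, summary)
```

The point of reporting `compromised_accounts` is that the successes, not the failures, are the incident: any login that succeeded from a flagged source is an account the attacker now holds a valid password for and should be force-reset. The caveat a practitioner will already have in mind is that real stuffing operations spread their attempts across large proxy or residential-IP pools precisely to stay under per-IP thresholds like these, which is why commercial bot management correlates device fingerprints, TLS and header anomalies, ASN reputation and global username velocity rather than relying on source address alone.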
All companies should understand that it is essential to have full visibility and control over their customer data in order to prevent a breach.
A staggering 53% of consumers admit to reusing the same password across multiple sites, even knowing the risks associated. This poor password hygiene allows cybercriminals the opportunity and access to various accounts for the same individual across multiple services, rendering their digital footprint incredibly vulnerable as a result. All consumers, not just users impacted by this incident, need to make a habit of diversifying their login credentials across different accounts in order to...
Organizations should enable their end-users to be as security-first as possible.
This is a great example of why single authentication mechanisms are so weak. It can be hard for individuals to remember all the accounts they hold and to keep up to date with every data breach that is happening. Therefore, organizations should enable their end-users to be as security-first and conscious as possible. An easy way for organizations to do this is by streamlining access via a single sign-on platform, securing their access via two-factor authentication to protect them against risks...
Companies should look to deploy data security tactics.
Personally identifiable information and especially decrypted passwords are always valuable. According to statistics, 55% of people use the same password for the majority of the services they use.
It is no surprise that bad actors frequently focus on getting access to repositories storing this type of information.
It is critical that we all become aware of and understand the risks facing our data – especially passwords. Everyone should know how high the chances of a data breach are and that...
Credentials are a particular area in which users are left exposed.
This exposure goes to illustrate that criminals don't need sophisticated technical hacking abilities to compromise accounts, rather, they can take advantage of lax security practices on behalf of users. Credentials are a particular area in which users are left exposed because they either choose weak passwords, or reuse them across different sites.
That's why it's important that users understand the importance of choosing unique and strong passwords across their accounts and, where available...
Our opponents are very sophisticated.
This is probably the simplest step an organization can take to begin to create a culture of cybersecurity awareness – encourage unique, non-repeatable passwords. Our opponents are very sophisticated; we don’t need to be making it any easier for them than necessary.
Password managers do a great job at alleviating this problem.
It’s easy to blame users for poor password hygiene, but the reality is that it’s very difficult to choose a single strong password. Even harder is to do so for every online account they might have and then keep up with them all. Password managers do a great job at alleviating this problem, but the free ones built into mobile devices or web browsers can present a problem for users if they need to log into an account from a different type of device, for example the built-in Apple Keychain...
Hicham Bouali, EMEA Manager, provides expert commentary at Information Security Buzz: "The one detected at Spotify isn't a data breach...."
https://informationsecuritybuzz.com/expert-comments/spotify-credential-stuffing-attack