Hoard Of Spotify User Data Exposed By Hackers’ Careless Security Practices – Experts Reaction

By   ISBuzz Team
Writer , Information Security Buzz | Nov 24, 2020 02:51 am PST

Researchers have discovered a possible credential stuffing operation whose origins are unknown, but that affected online users who have Spotify accounts. The researchers uncovered an Elasticsearch database containing over 380 million records, including login credentials and other user data being validated against the Spotify service.

Notify of
8 Expert Comments
Oldest Most Voted
Inline Feedbacks
View all comments
Anurag Kahol
Anurag Kahol , CTO
November 24, 2020 1:40 pm

A staggering 53% of consumers admit to reusing the same password across multiple sites, even knowing the risks associated. This poor password hygiene allows cybercriminals the opportunity and access to various accounts for the same individual across multiple services, rendering their digital footprint incredibly vulnerable as a result. All consumers, not just users impacted by this incident, need to make a habit of diversifying their login credentials across different accounts in order to mitigate the chances of their account being hijacked.

Companies can prevent credential stuffing by adopting advanced security solutions that identify suspicious login, taking action before breaches can occur. These controls enable businesses to verify users’ identities and enforce measures, such as multi-factor authentication (MFA), which can limit an attacker’s chance of hijacking a corporate email address in the first place. All companies should understand that it is essential to have full visibility and control over their customer data in order to prevent a breach. To do so, organisations must implement security solutions that remediate misconfigurations, enforce real-time access control, encrypt sensitive data at rest, manage the sharing of data with external parties, and prevent the leakage of sensitive information.

Last edited 3 years ago by Anurag Kahol
Niamh Muldoon
Niamh Muldoon , Senior Director of Trust and Security EMEA
November 24, 2020 11:10 am

This is a great example of why single authentication mechanisms are so weak. It can be hard for individuals to remember all the accounts they hold and to keep up to-date with every data breach that is happening. Therefore, organizations should enable their end-users to be as security first and conscious as possible. An easy way for organizations to do this is by streamlining access via a single sign-on platform, securing their access via two-factor authentication to protect them against risks like the Spotify end-users experienced

Last edited 3 years ago by Niamh Muldoon
Felix Rosbach
Felix Rosbach , Product Manager
November 24, 2020 11:09 am

Personally identifiable information and especially decrypted passwords are always valuable. According to statistics, 55% of people use the same password for the majority of the services they use.

It is no surprise that bad actors frequently focus on getting access to repositories storing this type of information.

It is critical that we all become aware of and understand the risks facing our data – especially passwords. Everyone should know how high the chances of a data breach are and that you will not always be aware of a breach and sometimes you won’t be informed at all.

While this is a key takeaway for end users, there is also something in it for enterprises that process this critical data.

While there is no sure-fire way to prevent attackers from getting access to an enterprise network, there are solutions that protect valuable customer information. Being able to not only protect passwords but also related personal data reduces the risk of misuse of data and resulting reputational damage drastically. Companies should look to deploy data security tactics such as stateless tokenization to protect the privacy of their customers.

Last edited 3 years ago by Felix Rosbach
Javvad Malik
Javvad Malik , Security Awareness Advocate
November 24, 2020 11:06 am

This exposure goes to illustrate that criminals don\’t need sophisticated technical hacking abilities to compromise accounts, rather, they can take advantage of lax security practices on behalf of users. Credentials are a particular area in which users are left exposed because they either choose weak passwords, or reuse them across different sites.

It\’s why it\’s important that users understand the importance of choosing unique and strong passwords across their accounts and where available enable and use MFA. That way, even if an account is compromised, it won\’t be possible for attackers to use those credentials to breach other accounts.

Last edited 3 years ago by Javvad Malik
Bill Santos
Bill Santos , President and COO
November 24, 2020 11:03 am

This is probably the simplest step an organization can take to begin to create a culture of cybersecurity awareness – encourage unique, non-repeatable passwords. Our opponents are very sophisticated; we don’t need to be making it any easier for them than necessary.

Last edited 3 years ago by Bill Santos

Recent Posts

Would love your thoughts, please comment.x