Security and privacy are in the news again, this time by way of Spotify. The reason is that up to 72 GB of sensitive, unencrypted data has been exposed, comprising up to 380 million records. These include, for example, login credentials.
This is not the first time that security leaks of this type have come to light. We have seen it with other companies, such as Sony, Facebook or Yahoo. Now, thanks to two independent researchers, we have learned of the existence of an open and unprotected database.
Tap change password
It was the vpnMentor researchers, Noam Rotem and Ran Locar, who uncovered the news, which has since been echoed by ZDNet. It is not a new finding: both researchers discovered the database on July 3, reviewed it, and reported it to Spotify on July 9. Between July 10 and 21, Spotify began a massive reset of the affected accounts.
The researchers found an open Elasticsearch database during the company’s web mapping project and published their findings. In total, the database held up to 72 GB of information and contained more than 380 million records.
This data could be used to access Spotify accounts or other services that use the same credentials.
Among the data were email addresses, personally identifiable information, countries of residence and login credentials, both usernames and passwords; that is, the data used to validate a login on the audio streaming platform.
According to vpnMentor, Spotify has no relationship with this database, and according to the researchers the data may have been obtained from a number of different sources, including stolen data.
With all this data, which is also unencrypted, Spotify accounts can be hijacked when their users have the same passwords as on other services, in what is known as “credential stuffing”.
“These credentials were likely illegally obtained or potentially leaked from other sources that were repurposed for credential stuffing attacks against Spotify”
With all this data on the table, Spotify, as we saw, had to react. With the number of affected users estimated at between 300,000 and 350,000 (Spotify has almost 300 million users), the company reset the access data of the users identified in the database. As a result, the leaked information can no longer be used to access Spotify, and those users must generate a new password.
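
As an added illustration (not code from Spotify or vpnMentor, and not a description of Spotify's actual process), the following Python sketch shows one way a service could match a leaked credential list against its own salted password hashes and force a reset only where the leaked password still works. The user store layout, the `must_reset` flag, the function names and all sample records are constructed assumptions.

```python
import hashlib
import hmac
import os

def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; the low iteration count is an assumption so the demo runs fast.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

def make_user(email: str, password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt), "must_reset": False}

# Constructed user store (hypothetical schema): email -> salted hash record.
USERS = {
    "alice@example.com": make_user("alice@example.com", "correct horse"),
    "bob@example.com": make_user("bob@example.com", "hunter2"),
    "carol@example.com": make_user("carol@example.com", "S3parate!"),
}

# Constructed leaked records, as (email, plaintext password) pairs.
LEAKED = [
    ("Alice@Example.com ", "correct horse"),  # valid here: reused password
    ("bob@example.com", "oldpassword"),       # stale: no longer matches
    ("dave@example.com", "whatever"),         # not a user of this service
    ("carol@example.com", "S3parate!"),       # valid here
    ("alice@example.com", "correct horse"),   # duplicate record
]

def accounts_to_reset(users: dict, leaked: list) -> list:
    """Return emails whose leaked password still verifies against the stored hash."""
    exposed = set()
    for email, password in leaked:
        key = email.strip().lower()  # normalising case/whitespace is an assumption
        user = users.get(key)
        if user is None or key in exposed:
            continue
        candidate = hash_password(password, user["salt"])
        if hmac.compare_digest(candidate, user["hash"]):  # constant-time compare
            exposed.add(key)
    return sorted(exposed)

def force_reset(users: dict, emails: list) -> None:
    for email in emails:
        users[email]["must_reset"] = True

def can_login(users: dict, email: str, password: str) -> bool:
    user = users.get(email.strip().lower())
    if user is None or user["must_reset"]:
        return False  # flagged accounts must set a new password first
    return hmac.compare_digest(hash_password(password, user["salt"]), user["hash"])
```

Once `force_reset` has run on the result of `accounts_to_reset`, the leaked pairs no longer authenticate, while accounts whose leaked password was already stale are left untouched.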