Hackers are trying to gain access to Spotify accounts using a base data of 380 million records with credentials connectionand personal information collected from various sources.
For years, users complained that their Spotify accounts were being compromised even after their passwords were changed and new playlists appeared on their profiles or that they had added foreign contacts from other countries.
A new report details how a database of more than 380 million subscriptions, including login credentials, is being actively used to hack Spotify accounts.
300 million subscriptions with user information for Spotify account breach
The common attack used to steal accounts is called a “credential spoofing attack”. With it, hackers use combinations of username / code access data, leaked in previous breaches, to gain access to user accounts and other online platforms.
Today, VPNMentor released a report on a database that was exposed on the Internet, which contained 300 million combinations of usernames and passwords used on Spotify.
Each record in this database contains a login name (address email), a password and possibly these credentials can be successfully connected to a Spotify account as shown below.
It is not known how the 300 million files were collected. Most likely through data breaches or large "collections" of credentials, usually issued by hackers for free on some platforms.
Researchers believe that the 300 million files listed in the database allowed hackers to hack 300.000 to 350.000 Spotify accounts.
For users whose accounts were compromised, Spotify reset their passwords in July.
Spotify does not support multi-factor authentication, which would significantly increase account security, even though users have been asking for it for some time.
