For the third time in a short span during 2020, Spotify has experienced a data breach. In a breach notice letter dated Dec. 9, 2020, Spotify — the popular music and podcast streaming service — detailed how its network was compromised. The notice states the following on that issue:
On Thursday November 12th, Spotify discovered a vulnerability in our system that inadvertently exposed your Spotify account registration information, which may have included email address, your preferred display name, password, gender, and date of birth only to certain business partners of Spotify. Spotify did not make this information publicly accessible. We estimate that this vulnerability existed as of April 9, 2020, until we discovered it on November 12, 2020, when we took immediate steps to correct it.
Spotify assures readers of the notice that it is conducting an investigation into how the data breach occurred and is also making sure that any third-party partners in possession of this data delete it immediately. At the moment, there have been no suspicious incidents reported, but this can always be subject to change. Many malicious actors obtain the data they use in phishing, credential stuffing, and other common attacks through accidental leaks of personal data.
This is why Spotify is requiring its users to change their passwords out of an abundance of caution. When changing passwords, try not to recycle the same passwords you use on other accounts. As mentioned earlier, credential stuffing is an incredibly popular form of brute-forcing for cybercriminals. As many individuals discover, whether an executive in a mega-corporation or an average Joe at home, password reuse can open the door to a world of hurt.
In an interview with Becky Bracken of Kaspersky’s Threatpost regarding this incident, Akamai researcher Steve Ragan said, “Hackers are very attracted to the high profile and value of online streaming services... Password-sharing and recycling are easily the two largest contributing factors in credential-stuffing attacks.” Based on this information, it is very possible that Spotify and other services like it can expect more severe incidents in the future.
Practicing good security hygiene is the best way for you to protect yourself if you must use these services.