Music streaming service Spotify has launched a rolling password reset of some consumer accounts after an open database containing credentials of some users were uncovered, said a report.
VPN review website vpnMentor on Monday said that its research team led by Noam Rotem and Ran Locar, discovered a possible credential stuffing operation whose origins are unknown, but that affected some online users who also have Spotify accounts.
Credential stuffing is a hacking technique that takes advantage of weak passwords that consumers use — and often re-use — online.
“We unearthed an Elasticsearch database containing over 380 million records, including login credentials and other user data being validated against the Spotify service,” vpnMentor said in a blog post.
“The origins of the database and how the fraudsters were targeting Spotify are both unknown. The hackers were possibly using login credentials stolen from another platform, app, or website and using them to access Spotify accounts,” it added.
“These credentials were most likely obtained illegally or potentially leaked from other sources that were repurposed for credential stuffing attacks against Spotify,” Rotem and Locar said.
It is estimated that roughly 300,000 to 350,000 accounts were affected in the leak in which email addresses and login credentials – usernames and passwords – were exposed.
The leaked data only relates to a tiny fraction of Spotify’s 299 million active monthly user base, ZDNet reported on Tuesday.
vpnMentor unearthed the database on July 3. After a review of the database, it contacted Spotify on July 9.
Between July 10 and July 21, Spotify launched a rolling reset of passwords for the users identified in the database in order to make sure the password and username combinations would become useless, at least on the Spotify platform, said the report.