Led by Noam Rotem and Ran Locar, the vpnMentor research team discovered a 72GB file freely available on the Internet containing the credentials of 350,000 Spotify accounts. They include more than 47,000 French users.
A database for boosting streams in Spotify
This is an important discovery by the vpnMentor teams: 350,000 Spotify accounts were “hacked” in order to artificially increase the number of playbacks of certain songs on the streaming platform. But for what purpose? Two scenarios are possible. In the first, real artists paid hackers to increase the number of their streams and thus receive a larger payout from Spotify. In the second, the hackers themselves put “fake” music on the platform and inflated its statistics to directly collect the percentage paid by the streaming service.
Spotify, which became aware of this error last summer, reacted quickly by resetting the affected passwords.
It is believed that the users themselves are responsible for this leak
The question arises: is Spotify responsible for this massive leak? Well, probably not. Although the origin of this leak is not yet confirmed at this point in time, vpnMentor’s researchers believe that the only culprits would actually be the users themselves. In order to access these Spotify accounts, the hackers would have resorted to the “credential stuffing” method, which begins with obtaining lists of poorly secured usernames and passwords leaked from other services, sold directly on the dark web.
From these files they would have launched a bot that automatically tried each username and password pair against Spotify’s login … and it worked. In fact, many internet users still too often reuse the same username and password across different internet accounts, a finding that NordPass also reported in its ranking of the worst passwords of 2020.
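The bot described above leaves a recognisable trace in a service’s authentication logs: one source trying many distinct accounts in a short window, most of them failing. The following is an added example (not vpnMentor’s or Spotify’s code) of how a defender can flag that pattern and list the accounts that were successfully logged into from a flagged source, which are the ones to force a password reset on. The log format is an assumption and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of login events (assumed format:
# "<ISO timestamp> <source IP> <username> <SUCCESS|FAIL>"). Not real data.
SAMPLE_LOG = """\
2020-11-23T10:00:01 203.0.113.5 alice FAIL
2020-11-23T10:00:02 203.0.113.5 bob FAIL
2020-11-23T10:00:02 203.0.113.5 carol SUCCESS
2020-11-23T10:00:03 203.0.113.5 dave FAIL
2020-11-23T10:00:04 203.0.113.5 erin FAIL
2020-11-23T10:00:05 203.0.113.5 frank SUCCESS
2020-11-23T10:00:20 198.51.100.7 alice FAIL
2020-11-23T10:00:40 198.51.100.7 alice FAIL
2020-11-23T10:01:00 198.51.100.7 alice SUCCESS
"""

def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events

def find_stuffing_sources(events, window=timedelta(minutes=5),
                          min_users=5, min_fail_ratio=0.5):
    """Return {ip: (distinct_users, fail_ratio)} for sources that hit many
    distinct accounts with a high failure rate inside one time window.
    A real user retrying a single account (198.51.100.7) is not flagged."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        by_ip[ip].append((ts, user, result))
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):  # sliding window per source
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            span = attempts[start:end + 1]
            users = {u for _, u, _ in span}
            ratio = sum(1 for _, _, r in span if r == "FAIL") / len(span)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                flagged[ip] = (len(users), round(ratio, 2))
    return flagged

def compromised_accounts(events, flagged):
    """Accounts that logged in successfully from a flagged source."""
    return sorted({u for _, ip, u, r in events if ip in flagged and r == "SUCCESS"})
```

Running `compromised_accounts(events, find_stuffing_sources(events))` on the sample yields the two accounts whose reused passwords the bot guessed correctly.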
Fortunately, this leak shouldn’t have too significant direct consequences for users, as only usernames and passwords were exposed; bank details were reportedly not included. More fear than harm! However, this case is once again an opportunity to remind users that it is imperative to use a unique and sufficiently strong password for every account created on the Internet.