Spotify has reportedly begun resetting the passwords of up to 350,000 accounts that were breached as the result of a credential-stuffing attack. A company called vpnMentor, in a report spotted by ZDNet, says that it discovered a treasure trove of hacked account data available online.
Credential stuffing is the practice of taking credentials exposed in one leak and trying them against otherwise secure accounts elsewhere. If you re-use your passwords and Site A is breached, hackers who get hold of your email address and password can easily try them to access Site B.
After the leak had been reviewed, the research team contacted Spotify on the same day. Spotify responded, then took action between July 10 and July 21, 2020.
That involved resetting the passwords of up to 350,000 users. While that may be a drop in the ocean compared to Spotify’s 320 million monthly active users, it’s still a substantial number of people.
The type of information contained within the database included email addresses, passwords, and countries of residence.
Server IP addresses were also included in the leak, though vpnMentor notes that these are likely from proxy servers that the database was hosted on, rather than individual users.
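A service that receives a leak like the one described above can decide which accounts need a forced reset by testing each leaked email/password pair against its own salted password hashes. The sketch below is an added example, not Spotify's or vpnMentor's code; the user-store layout, the PBKDF2 work factor and all sample records are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor, chosen for this example only


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, standing in for the service's real KDF."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def build_store(users):
    """Build a hypothetical user store keyed by lower-cased email."""
    store = {}
    for email, password in users:
        salt = os.urandom(16)
        store[email.lower()] = {"salt": salt, "hash": hash_password(password, salt),
                                "force_reset": False}
    return store


def accounts_to_reset(leak_records, store):
    """Flag accounts whose leaked password still matches the stored hash."""
    exposed = []
    for email, leaked_password in leak_records:
        key = email.strip().lower()
        user = store.get(key)
        if user is None or user["force_reset"]:
            continue  # no such account here, or already flagged
        candidate = hash_password(leaked_password, user["salt"])
        if hmac.compare_digest(candidate, user["hash"]):
            user["force_reset"] = True  # leaked pair is still valid: require a reset
            exposed.append(key)
    return exposed


# Constructed sample data (not from the real leak).
USERS = [("alice@example.com", "Summer2019!"),
         ("bob@example.com", "correct horse battery"),
         ("carol@example.com", "hunter2")]
LEAK = [("Alice@Example.com ", "Summer2019!"),   # re-used password, still valid
        ("bob@example.com", "oldpassword1"),     # password already changed
        ("dave@example.com", "letmein"),         # not a customer of this service
        ("carol@example.com", "hunter2"),        # re-used password, still valid
        ("alice@example.com", "Summer2019!")]    # duplicate record in the dump

if __name__ == "__main__":
    print(accounts_to_reset(LEAK, build_store(USERS)))
```

Only accounts whose leaked password still verifies are flagged, so users who had already changed their password are left alone.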
As with all incidents of this type, it’s a good reminder to not re-use passwords, and make sure that you keep your passwords updated. If you don’t fancy doing that yourself, you can always avail yourself of a third-party password manager which also proactively warns you if your passwords show up in these sorts of databases. Spotify adds that users concerned about their privacy should head to a page with advice on how they can protect their account.