Leaked Spotify passwords may expose your business to credential stuffing attacks
This past year has been tough for most enterprises. While some industries are targeted more than others, the media and entertainment sector has clearly felt the consequences, not only of pandemic-driven event cancellations but also of a rising volume of attacks. In 2018 and 2019, for instance, the industry absorbed 17 billion credential stuffing attempts, roughly 20% of the global total.
The most recent victim is Spotify. The streaming platform recently had to force a password reset for affected users after account registration data was exposed to some of its third-party business partners. According to the data breach notice published on December 9, the vulnerability was discovered in early November, but the exposure is believed to date back to April 2020.
Even though Spotify reached out to the third parties and asked for the data to be deleted, the information was exposed, and potentially abused, for over six months. The company has assured customers that, to the best of its knowledge, there was no unauthorized use of the data. The exposed fields included email addresses, gender, usernames, passwords, and dates of birth.
An immediate reset of credentials was mandatory, because users unfortunately rarely abide by security best practices. A study conducted by Carnegie Mellon found that people who fell victim to data breaches rarely chose stronger or unique passwords after being notified.
This means that a leaked Spotify password is very likely also the password for the same person's banking, email, or government accounts, and attackers will try it there. Credential stuffing exploits exactly this reuse, and it succeeds wherever multi-factor authentication is missing. The FBI has found that between 2017 and 2020, 41% of cyberattacks against financial institutions were credential stuffing attacks.
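The forced reset only helps if the replacement password is not itself already in a breach dump. The check below is an added example, not Spotify's code or anything from the breach notice: it screens a new password against a leaked-password corpus laid out the way Have I Been Pwned's Pwned Passwords range API is (a 5-hex-character SHA-1 prefix selects a bucket, and the remaining 35 characters are matched locally, so the full hash never leaves the client). The corpus, its counts, the 12-character minimum and the function names are assumptions constructed for the example.

```python
import hashlib
import hmac


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the digest form used by the range-query layout below."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_corpus(leaked_counts: dict) -> dict:
    """Lay out leaked passwords as a k-anonymity range service does:
    5-hex-char SHA-1 prefix -> {35-char suffix: times seen in breaches}."""
    corpus = {}
    for pw, count in leaked_counts.items():
        digest = sha1_hex(pw)
        corpus.setdefault(digest[:5], {})[digest[5:]] = count
    return corpus


# Constructed stand-in for a breach corpus (assumption: real corpora hold
# hundreds of millions of entries; these strings and counts are made up).
LEAKED = build_range_corpus({
    "password": 3861493,
    "123456": 23597311,
    "qwerty123456": 1970,
    "spotify2020!": 42,
})


def times_seen(password: str, corpus: dict = LEAKED) -> int:
    """How often `password` appears in the corpus (0 if never).
    Only `prefix` would be sent to a remote range service; the suffix
    comparison happens locally, in constant time per candidate."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for candidate, count in corpus.get(prefix, {}).items():
        if hmac.compare_digest(candidate, suffix):
            return count
    return 0


def accept_new_password(old_password: str, new_password: str,
                        corpus: dict = LEAKED, min_length: int = 12) -> tuple:
    """Reset-time policy (assumed for the example): returns (accepted, reason).
    Rejects short passwords, the password being reset or trivial variants of
    it, and anything already present in the breach corpus."""
    if len(new_password) < min_length:
        return False, f"shorter than {min_length} characters"
    if hmac.compare_digest(sha1_hex(new_password), sha1_hex(old_password)):
        return False, "same as the password being reset"
    if old_password and old_password.lower() in new_password.lower():
        return False, "contains the password being reset"
    n = times_seen(new_password, corpus)
    if n:
        return False, f"found in breach corpus ({n} occurrences)"
    return True, "accepted"


if __name__ == "__main__":
    for old, new in [("password", "spotify2020!"),
                     ("password", "MyPassword2020!!"),
                     ("password", "Wk9#lemon-trellis-47")]:
        print(new, "->", accept_new_password(old, new))
```

The same prefix lookup works against the live range service by fetching the bucket for `prefix` over HTTPS instead of reading it from `LEAKED`; the point of the layout is that the service learns only the 5-character prefix, never the password or its full hash.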
Premium streaming accounts in high demand on the dark web
Why is Spotify falling behind on security? This year alone the company has dealt with three cyber incidents: a hacktivist group that defaced a few artist pages and, most worrying, an unsecured cloud database. The database, hosted on an exposed Elasticsearch server, contained 72GB of user records. Not only were some of these leaked credentials used in a credential stuffing campaign, as the company confirmed, but Flare Systems' threat intelligence team has also detected an abundance of Spotify Premium accounts for sale on multiple dark web marketplaces.
One of our latest investigations revealed that in November and December, premium streaming accounts sold with a "lifetime warranty" (the seller replaces the account if it stops working) were in high demand on the dark web at low prices. Spotify, Netflix, Amazon Prime, Hulu, and Disney+ appear to be the easiest for scammers to compromise and resell. User credentials and personally identifiable information (PII) may also have been posted on multiple darknet forums for anyone to purchase.
Unfortunately, enterprise employees often reuse their work credentials for personal and other business accounts online. Convenience is usually to blame, and it explains why there are countless databases for sale on the dark web containing business credentials and information.
At any given time, your organization could be the target of credential stuffing attacks, usually because of poor password hygiene and missing multi-factor authentication. Malicious actors leverage automation and botnets to test stolen credentials at scale, a practice likely to expand as the remote workforce grows. Once they get into your infrastructure with a leaked credential, cyber criminals can install backdoors to take over endpoints, exfiltrate confidential data, and deploy additional malware to exploit other vulnerabilities.
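Credential stuffing leaves a recognisable trace in authentication logs: one source walking through many different usernames with a low success rate, which is the opposite of a normal user (one account, mostly successes) and of classic brute force (one account, many failures). The detector below is an added example, not a Flare Systems tool or anything from Spotify; the log format, the field names, the thresholds and the sample lines are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real data). 203.0.113.5 replays a leaked
# email:password list across many accounts and gets one hit; 198.51.100.7
# hammers a single account (brute force, a different pattern); 192.0.2.10
# is a normal user. One malformed line is included to show it is skipped.
SAMPLE_LOG = """\
2020-12-09T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2020-12-09T10:00:02Z ip=203.0.113.5 user=bob result=FAIL
2020-12-09T10:00:02Z ip=192.0.2.10 user=alice result=OK
2020-12-09T10:00:03Z ip=203.0.113.5 user=carol result=FAIL
2020-12-09T10:00:03Z ip=198.51.100.7 user=carol result=FAIL
2020-12-09T10:00:04Z ip=203.0.113.5 user=dave result=OK
2020-12-09T10:00:04Z ip=198.51.100.7 user=carol result=FAIL
2020-12-09T10:00:05Z ip=203.0.113.5 user=erin result=FAIL
2020-12-09T10:00:05Z ip=198.51.100.7 user=carol result=FAIL
2020-12-09T10:00:06Z ip=203.0.113.5 user=frank result=FAIL
2020-12-09T10:00:06Z ip=198.51.100.7 user=carol result=FAIL
2020-12-09T10:00:07Z ip=203.0.113.5 user=grace result=FAIL
2020-12-09T10:00:07Z ip=198.51.100.7 user=carol result=FAIL
2020-12-09T10:00:08Z ip=203.0.113.5 user=heidi result=FAIL
this line is garbage and must be skipped
"""

# Assumed log layout: ISO-8601 UTC timestamp, then key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) ip=(?P<ip>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text: str) -> list:
    """Turn log text into time-sorted (timestamp, ip, user, success) tuples.
    Lines that do not match the layout are dropped rather than crashing the run."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["user"], m["result"] == "OK"))
    events.sort(key=lambda e: e[0])
    return events


def detect_stuffing(events: list, window: timedelta = timedelta(minutes=10),
                    min_distinct_users: int = 5, min_fail_ratio: float = 0.75) -> dict:
    """Flag source IPs whose attempts inside a sliding window spread over many
    distinct usernames with a high failure rate. Returns {ip: stats}, where the
    stats keep the first detection time and the latest window's counts, including
    which accounts the attacker actually got into."""
    recent = defaultdict(deque)  # ip -> (ts, user, ok) still inside the window
    flagged = {}
    for ts, ip, user, ok in events:
        q = recent[ip]
        q.append((ts, user, ok))
        while ts - q[0][0] > window:
            q.popleft()
        users = {u for _, u, _ in q}
        failures = sum(1 for _, _, o in q if not o)
        if len(users) >= min_distinct_users and failures / len(q) >= min_fail_ratio:
            stats = flagged.setdefault(ip, {"flagged_at": ts})
            stats.update({
                "attempts": len(q),
                "distinct_users": len(users),
                "successes": len(q) - failures,
                "compromised": sorted(u for _, u, o in q if o),
            })
    return flagged


if __name__ == "__main__":
    for ip, stats in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, stats)
```

The single-account brute force from 198.51.100.7 is deliberately not flagged: it needs a per-account lockout or rate limit, not this rule. The larger caveat is the one the paragraph above raises: botnets spread a campaign over thousands of source addresses, so in production the same window logic should also be keyed on coarser attributes (ASN, user agent, TLS fingerprint) and on the global failure rate, and the `compromised` list should feed a forced reset and MFA challenge for those accounts.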