
Spotify Suffers Second Credential Stuffing Attack Since November

Spotify was hit yet again with another credential stuffing attack, the second the music streaming giant has suffered since November. Taking advantage of reused passwords exposed in unrelated third-party data breaches, the attackers were able to log in to Spotify user accounts and could have accessed data such as credit card details or email and physical addresses. Successful logins could also simply have served as a validation step before trying the same credentials on other, more valuable accounts. Either way, more than 100,000 Spotify users could face complete account takeover. Researcher Bob Diachenko broke the news yesterday, stating, “I have uncovered a malicious #Spotify logger database, with 100K+ account details (leaked elsewhere online) being misused and compromised as part of a credential stuffing attack.” He also noted that the November attack and this more recent one appear to have been carried out by two different groups, because the two data sets are distinct.

Analyst Notes

It is important to highlight how severe the consequences can be when passwords are reused across multiple sites, especially when employees sign up for third-party services with their work email and use the same or a similar password as the one they use to log in remotely to their corporate account. Attacks like these are carried out almost daily, and reusing a password on multiple sites only makes it easier for threat actors to get what they want. Binary Defense Counterintelligence services monitor for threats, including leaked passwords, on Darknet and criminal forums on behalf of our clients. To best protect accounts from unauthorized access when passwords are stolen, multi-factor authentication (MFA) should be enabled on any site that offers it, and MFA through approved authenticator apps (not SMS or phone calls) should be required to access corporate accounts.
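As an added example (not from the original post or from Binary Defense), a small Python detector for the pattern described above: one source cycling through leaked credentials against many distinct accounts with a low success rate, reporting the accounts it actually got into so they can be reset and stepped up to MFA. The log format, thresholds and IP addresses are assumptions, and the log lines are constructed; an office NAT with many users but a high success rate is included to show it is not flagged.

```python
"""Flag credential-stuffing sources in a web login log and list the accounts they entered."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): "<ISO timestamp> <src_ip> <username> <OK|FAIL>"
SAMPLE_LOG = "\n".join(
    # one source trying leaked username/password pairs against 12 accounts; one pair works
    [f"2021-02-04T10:00:{i:02d}Z 203.0.113.9 user{i}@example.com {'OK' if i == 7 else 'FAIL'}"
     for i in range(12)]
    # an office NAT: several distinct users, but every attempt succeeds
    + [f"2021-02-04T10:01:{i:02d}Z 198.51.100.2 staff{i}@example.com OK" for i in range(6)]
    # one user who mistypes once, then logs in
    + ["2021-02-04T10:02:00Z 192.0.2.44 carol@example.com FAIL",
       "2021-02-04T10:02:05Z 192.0.2.44 carol@example.com OK"]
)


def parse(line):
    """Split one log line into (timestamp, src_ip, username, succeeded)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "OK"


def detect_stuffing(log, window=timedelta(minutes=10), min_users=8, max_success_ratio=0.25):
    """Return {src_ip: sorted accounts it logged into} for every source that, within any
    sliding `window`, touched at least `min_users` distinct accounts while no more than
    `max_success_ratio` of its attempts succeeded. Thresholds are assumed starting points."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in (parse(l) for l in log.splitlines() if l.strip()):
        by_ip[ip].append((ts, user, ok))
    compromised = defaultdict(set)
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:  # slide the window forward
                start += 1
            win = events[start:end + 1]
            users = {u for _, u, _ in win}
            successes = [u for _, u, ok in win if ok]
            if len(users) >= min_users and len(successes) / len(win) <= max_success_ratio:
                compromised[ip].update(successes)  # accumulate hits across windows
    return {ip: sorted(users) for ip, users in compromised.items()}


if __name__ == "__main__":
    for ip, accounts in detect_stuffing(SAMPLE_LOG).items():
        print(f"credential stuffing from {ip}; reset and enforce MFA on: {accounts}")
```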