Spotify has been hit with another credential stuffing attack, the second the music streaming giant has suffered since November. Taking advantage of reused passwords that were revealed in unrelated third-party data breaches, the bad actors were able to log in to Spotify user accounts and could possibly have accessed information such as credit card details or email and physical addresses. Successful logins could also have been used simply to validate the credentials before trying them on other, more valuable accounts. However, more than 100,000 Spotify users could face complete account takeover. Researcher Bob Diachenko broke the news yesterday, stating, “I have uncovered a malicious #Spotify logger database, with 100K+ account details (leaked elsewhere online) being misused and compromised as part of a credential stuffing attack.” He also mentioned that the November attack and the more recent one appear to have been carried out by two different groups, because the data sets are unique.