Spotify streaming music aficionados are in the crosshairs of yet another credential-stuffing cyberattack, just three months after the last one. The service has forced password resets for impacted users.

Cybercriminals carrying out credential-stuffing take advantage of people who reuse the same passwords across multiple online accounts. Attackers simply build automated scripts that systematically try stolen IDs and passwords (either gleaned from a breach of another company or website, or purchased online) against various types of accounts.

Cybercriminals have successfully leveraged the approach to steal data from various popular companies’ customers, including big names like the North Face, Dunkin Donuts (which was also hit twice in three months) and popular chicken-dinner chain Nando’s. And last year, FC Barcelona’s official Twitter account was hacked in an apparent credential-stuffing attack.

Replay: A Second Credential-Stuffing Attack for Spotify

Back in November, cybercriminals attacked hundreds of thousands of Spotify users utilizing this approach, prompting the streaming music service to issue password-reset notices.

Researcher Bob Diachenko tweeted about the new Spotify attack on Thursday: “I have uncovered a malicious #Spotify logger database, with 100K+ account details (leaked elsewhere online) being misused and compromised as part of a credential stuffing attack.”

He also posted a Spotify statement on the incident that confirmed the attack. “We recently protected some of our users against ,” the notice read. “Once we became aware of the situation, we issued password resets to all impacted users, which rendered the public credentials invalid.”

The company also noted that the attacks were carried out using an ill-gotten set of data: “We worked to have the fraudulent database taken down by the ISP hosting it.”

Cybercriminals Misconfigure the Cloud Too

In the first Spotify incident in November, researchers found a misconfigured and open Elasticsearch cloud database containing more than 380 million individual records, including login credentials and countries of residence for various people, all actively being validated against Spotify accounts. The database was owned by a malicious third party, researchers said at the time.

This second attack is very similar, with the log-in data also exposed in a public Elasticsearch instance. “There are similarities but this one looks different, like coming from a rival group,” Diachenko tweeted. He told Threatpost via Twitter DM that the data sets were unique to this attack.

“Originally this data was exposed inside a misconfigured (thus publicly reachable) Elasticsearch cluster – most likely operated by the malicious actors themselves,” he said. “It contained entire logs of their operations, plus email/password pairs they used.”

The data once again also was likely gleaned from prior breaches. “I suppose that login pairs came from previously reported breaches or collections of data, so they just re-use them against Spotify accounts to become part of this automated process,” Diachenko said.

What Are the Dangers of Credential-Stuffing?

On the surface, a cybercriminal being able to log into someone’s Spotify account would seem to be more of a nuisance than anything else. Setting up rogue playlists, deleting saved songs or straight-up hijacking the ability to listen to music are some of the potential headaches.

However, there’s more to think about, Diachenko noted: For those who do reuse passwords, a validated Spotify log-in combo can simply be used to infiltrate other, higher-value accounts.
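The defender's side of the technique described in this article, as an added example that is not from the article or from Spotify: a small detector that reads authentication log lines (a constructed sample, not real data) and flags sources that try many distinct usernames with mostly failures, which is the footprint of a script replaying stolen email/password pairs rather than a user mistyping their own password. It also lists the accounts that authenticated successfully from a flagged source, since those are the validated combos that a provider would force-reset. The log format and thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample auth log: "timestamp source_ip username result" (assumed format).
# One source sprays six different accounts; a normal user retries their own login once.
SAMPLE_LOG = """\
2021-02-04T10:00:01 203.0.113.7 alice@example.com FAIL
2021-02-04T10:00:01 203.0.113.7 bob@example.com FAIL
2021-02-04T10:00:02 203.0.113.7 carol@example.com OK
2021-02-04T10:00:02 203.0.113.7 dave@example.com FAIL
2021-02-04T10:00:03 203.0.113.7 erin@example.com FAIL
2021-02-04T10:00:03 203.0.113.7 frank@example.com OK
2021-02-04T10:00:10 198.51.100.20 grace@example.com FAIL
2021-02-04T10:00:11 198.51.100.20 grace@example.com OK
"""

def parse_log(text):
    """Turn log lines into (source_ip, username, succeeded) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, ip, user, result = parts
        events.append((ip, user, result == "OK"))
    return events

def find_stuffing_sources(events, min_users=5, max_success_ratio=0.5):
    """Return {ip: stats} for sources whose pattern looks like credential stuffing:
    many distinct usernames from one IP and a low success ratio. A legitimate user
    retrying hits one username; a brute-force hits one username many times; a
    stuffing script hits many usernames about once each, with a few successes."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set(), "successes": set()})
    for ip, user, ok in events:
        s = stats[ip]
        s["attempts"] += 1
        s["users"].add(user)
        if ok:
            s["successes"].add(user)
    return {ip: s for ip, s in stats.items()
            if len(s["users"]) >= min_users
            and len(s["successes"]) / s["attempts"] <= max_success_ratio}

def accounts_to_reset(events, **thresholds):
    """Accounts that logged in successfully from a flagged source: their password is a
    validated, reused credential, so the provider should invalidate it (password reset)."""
    to_reset = set()
    for s in find_stuffing_sources(events, **thresholds).values():
        to_reset |= s["successes"]
    return sorted(to_reset)

if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("flagged sources:", sorted(find_stuffing_sources(ev)))
    print("accounts to reset:", accounts_to_reset(ev))
```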