
Have you noticed your Spotify account requesting new credentials earlier this month?

If you did, it is because the company is forcing a password reset after problems with an open database were discovered.

Researchers Noam Rotem and Ran Locar made public what they found while working on a web mapping project. What did they find, exactly?


Everything About The Spotify Login Credentials Reset

As you can imagine, the database contained personal user credentials for Spotify: 380 million records (including login credentials) in 72 GB of data.

Contrary to what you might have thought, the source of the leaked database is unknown: it does not belong to the Spotify service itself.

It’s believed that a third party “collated” all these records from different sources, such as data dumps. All of these credentials can be used to hijack accounts through credential stuffing. But how the bad actors came into possession of them remains a mystery.

In the words of both Rotem and Locar:

“These credentials were most likely obtained illegally or potentially leaked from other sources that were repurposed for credential stuffing attacks against Spotify.”


There’s a high chance that all these credentials were acquired directly from vendors on hacker forums or even the Dark Web. Still, collecting and exploiting a database of this size would require a large investment of time and money.

Cybercriminals surely know that such an investment is easily recouped through fraud.

That said, unfortunately, most of the Spotify accounts included were successfully compromised.

Besides usernames and passwords, the hackers also obtained email addresses and countries of residence. This is the kind of personally identifiable information that anyone with some intrusion expertise could use to get into social media profiles and bank accounts.

The information was not encrypted. As a result, these records could be used to access and take over accounts, as well as to perform credential-stuffing attacks wherever the same email and password combinations are reused on other platforms or applications.

The good news is that this is only a small fraction of the total monthly active user base (299 million). Spotify reacted promptly by initiating an automated password reset for all users affected by the heist. Here’s where the story connects: did you get one?

If you didn’t, but have still seen any recent signs of account compromise, you can follow the procedure to reset your password anyway.

vpnMentor was behind this discovery. It happened a while ago but was only publicly announced recently, after they contacted the company to review the case (which it did).

Many points were criticized here, which I guess they’ll work hard to improve: some have pointed out that a username and password reset is useless once the damage has been done.

Others are calling for multi-factor authentication, which has not been enabled or even added to the platform, and probably won’t be until 2021.

We have talked about its importance very often, even to the point of dedicating an entire post to it in the past.

After all, a large number of Spotify users neglect their password strength, which leads to many types of account breaches.

That said, what would you do if your bank account or your business’ database got leaked, instead of your account on a music streaming service?

Now, that would make a huge difference, wouldn’t it?

Would you dedicate more time (even money) to protect what you earned the hard way?

The answer probably is “Yes, I would.” If that’s correct, then I invite you to request a quote from our team of cybersecurity experts.

But if the answer is “No”, then the only thing left is to wish you luck and the very best.