Credential stuffing attack caught around 300,000 Spotify accounts




Photo: Lionel Bonaventure (Getty Images)

An ill-gotten database of about 380,000 login credentials is a perfect reminder for the rest of us not to recycle our passwords.

According to vpnMentor, the team that found the database, it was not the result of a breach on Spotify's part. In fact, the origin of the user data and how it was obtained remain unknown. But wherever it came from, the blog explains, this login information was used for what is known as “credential stuffing”: a type of attack where a huge volume of emails and passwords is fed into various (usually popular) websites and apps. If any account holder uses the same login information on the site the data came from and on the one being targeted, the hacker(s) can easily access the service in question, in this case Spotify.

Between 300,000 and 350,000 Spotify accounts were compromised by this latest stuffing attack, with account usernames, passwords and emails exposed. Since this is not a social network prone to disinformation campaigns, and financial data was not exposed, it might seem like a lot of work just to get Spotify’s premium paid tier for free. More likely, as CNET points out, the aim of the attack was to defraud Spotify itself rather than its users. With thousands of accounts at their disposal, these hackers could engage in a bit of “streaming manipulation,” inflating the number of times a particular song or artist is played. (Presumably, one could either sell this as a service to real artists looking for an illegitimate boost, or create garbage tracks and reap the streaming royalties themselves.)

We have reached out to Spotify to see if it will share details on the use of compromised accounts.

After being notified of the breach last summer, Spotify (which, to its credit, responded the same day, according to vpnMentor) issued a “gradual reset” of the passwords involved, which, realistically, should be instituted for all users, permanently. I mean, good lord, the example cited by vpnMentor of one such compromised account used the password “spotify.” Now, four months after those resets were sent, the information in the hackers’ database should be effectively useless (on Spotify, anyway).

Wherever those credentials came from and whatever they were used for, this is a great time to take an hour or two over the long weekend and change your passwords. Enable multi-factor authentication where it is available. Do not recycle passwords between sites.

It’s important to keep your information safe, something I imagine the hackers involved in this little ordeal were reminded of when their stolen logins became useless. According to vpnMentor, emphasis theirs:

Our team was able to access this database because it was neither secure nor encrypted.
