Researchers were recently able to gain access to over 300,000 Spotify accounts after a hacked database leak. But that’s just the latest break-in impacting millions of Spotify users.
According to details shared this afternoon, the leaked database contains over 380 million records, including login credentials for Spotify accounts. The information is being sold and bartered on the dark web, with many accounts going for as low as $1. Researchers recently used the database to crack into more than 300,000 accounts.
Sadly, this is nothing new, with hundreds of people on Twitter often complaining about their Spotify account being hacked. The reality is that many people reuse their passwords, which leaves them open to these types of credential stuffing attacks.
Each record in the database contains a login name, email address, a password, and a flag indicating whether the combination worked. The huge database is likely a collection of smaller leaks, aggregated into one giant database for anyone to access. In reaction to the threat, Spotify issued a ‘rolling reset’ of passwords for all users found in the database back in July.
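The credential stuffing described above has a recognisable footprint in a service's own login logs: one source trying many different accounts in a short window, mostly failing, with the occasional hit. The rule below is an added example (not code from the article or from Spotify) that flags that pattern over constructed sample log lines; the log format, thresholds and names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not real data): timestamp, source IP, account, result.
# 203.0.113.9 sprays leaked combos across six accounts; 198.51.100.4 is a real
# user mistyping their own password twice before succeeding.
SAMPLE_LOG = """\
2020-11-23T14:00:01Z 203.0.113.9 alice@example.com FAIL
2020-11-23T14:00:02Z 203.0.113.9 bob@example.com FAIL
2020-11-23T14:00:03Z 203.0.113.9 carol@example.com OK
2020-11-23T14:00:04Z 203.0.113.9 dave@example.com FAIL
2020-11-23T14:00:05Z 203.0.113.9 erin@example.com FAIL
2020-11-23T14:00:06Z 203.0.113.9 frank@example.com FAIL
2020-11-23T14:01:00Z 198.51.100.4 alice@example.com FAIL
2020-11-23T14:01:20Z 198.51.100.4 alice@example.com FAIL
2020-11-23T14:01:40Z 198.51.100.4 alice@example.com OK
"""

def parse_line(line):
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "OK"

def detect_stuffing(lines, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.8):
    """Return {ip: {"accounts": tried, "hits": succeeded}} for IPs whose attempts
    in any sliding window touch >= min_users distinct accounts with a failure
    ratio >= min_fail_ratio. 'hits' are the accounts that need a forced reset."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(parse_line(l) for l in lines if l.strip()):
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # advance the window start until all events fit inside `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {u for _, u, _ in win}
            fails = sum(1 for _, _, ok in win if not ok)
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                entry = flagged.setdefault(ip, {"accounts": set(), "hits": set()})
                entry["accounts"] |= users
                entry["hits"] |= {u for _, u, ok in win if ok}
    return flagged

if __name__ == "__main__":
    for ip, info in detect_stuffing(SAMPLE_LOG.splitlines()).items():
        print(ip, "tried", len(info["accounts"]), "accounts; compromised:", sorted(info["hits"]))
```

A legitimate user retrying one account never crosses the distinct-account threshold, which is what separates this from ordinary failed logins; a per-account 2FA challenge would additionally stop the single hit from turning into a takeover.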
But even today, people are still complaining about their Spotify accounts being hacked.
Part of the problem can be laid directly at Spotify’s feet. It is one of the few major music services that does not support two-factor authentication (2FA). Google, Apple, and Amazon all support 2FA on their accounts, granting an extra layer of security.
Requiring an additional code delivered to the user’s device also alerts them that something isn’t kosher – someone is trying to sign in. The first step the user can take is to change their own password to thwart the attack. Until Spotify gets with the times and offers some form of 2FA for its service, this kind of thing will continue to happen.
People have been petitioning Spotify for years to add two-factor authentication to the platform. But the features Spotify chooses to adopt from its community forums have always been strange choices. For example, Spotify still lacks a coherent podcast interface – despite spending $500 million on acquisitions.
The latest attack suggests that Spotify can’t be bothered to care about better security when the hackers will sell your account for $1 and get more eyeballs on those ads. The only way something will change is for the music industry to tackle those hacked accounts as a form of piracy.