Spotify has issued a rolling password reset of some user accounts following the discovery of an open database containing user credentials.<\/p>\n
This week, vpnMentor researchers Noam Rotem and Ran Locar made their findings public, in which an open Elasticsearch database was found during the firm’s web mapping project.<\/p>\n
The 72GB database contained over 380 million records, “including login credentials and other user data being validated against the Spotify service,” the team said.<\/p>\n
See also: Unsecured database exposes 85GB in security logs of major hotel chains<\/p>\n
According to vpnMentor, the origins of the database are unknown, but it does not belong to the music streaming service itself. Instead, the third-party that created the database may have collated the records from other sources — such as stolen data dumps or another platform — for later use to hijack user accounts.<\/p>\n
“These credentials were most likely obtained illegally or potentially leaked from other sources that were repurposed for credential stuffing attacks against Spotify,” Rotem and Locar said.<\/p>\n
Some, but not all, Spotify users have been impacted. It is estimated that roughly 300,000 to 350,000 accounts were embroiled in the leak, in which email addresses, Personally Identifiable Information (PII), countries of residence, and login credentials — both usernames and passwords — were available to view.<\/p>\n