Author: Melodie Foster

Date: 25th November 2020


Spotify was reportedly affected by a “credential stuffing” attack, which could allow hackers to gain access to accounts. Approximately 300 thousand Spotify accounts are at risk.

vpnMentor found that an Elasticsearch database with 380 million records was being used to try to get into Spotify accounts. The Elasticsearch database contained 72GB of Spotify user data, including usernames, emails, addresses, passwords and a note explaining whether the information would allow access to an account.

vpnMentor mentioned the database was “completely unsecured and unencrypted”, which could suggest that the database was compiled from major data breaches. The team were able to access the information via a browser, “manipulating the URL search criteria into exposing schemata from a single index at any time”.

The researchers contacted Spotify about the Elasticsearch database on July 9th and received a response the same day. They said, “Spotify initiated a ‘rolling reset’ of passwords for all users affected”, which would result in the information in the database becoming useless. Furthermore, the attack only affected between 300,000 and 350,000 users out of the 299 million active monthly users[1].


