Hackers who compiled a database of as many as 350,000 Spotify passwords proceeded to store it on a cloud server … without a password. The breach also offers a reminder of a key principle to apply when choosing passwords for your account …
Don’t use the same passwords for multiple accounts.
CNET reports that the passwords were identified by credential-stuffing.
A group of hackers didn’t have to breach Spotify’s systems to access as many as 350,000 accounts on the music-streaming service. All it took was a cache of login credentials stolen in other data breaches, and some patience.
The hackers were successful because Spotify account holders were reusing passwords from other accounts they had, a basic security mistake. The hackers just had to try the combinations on Spotify and look for matches, a technique known as credential stuffing.
The simplicity of that technique doesn’t require genius, something the hackers proved by committing their own security blunder. The gang of criminal nonmasterminds exposed their own operation by storing the records on an unsecured cloud database. That meant anyone with a web browser could see the data without needing a password.
Security researchers Ran Locar and Noam Rotem found the exposed records as part of a project that scans the internet for unsecured data. The researchers, who ask for unsecured data they find to be removed or locked down, published their findings with security website vpnMentor on Monday.
Re-using the same password for multiple websites and apps is one of the riskiest things you can do, because it means your logins are only as secure as the least-secure or most careless service you use. If that service is hacked, then attackers will simply try the stolen credentials on a whole bunch of other platforms. With one hack, they can access every service you use with the same password.
A password manager is the simplest way to safeguard your privacy, allowing you to use unique, strong passwords for every platform. Safari has a built-in password manager and will auto-suggest unique passwords for each site, but commercial ones like 1Password and LastPass offer greater flexibility, working across browsers.