Hackers who stole 350,000 Spotify passwords stored them on a cloud server without a password. The hackers had obtained the Spotify logins by replaying a cache of credentials stolen in other data breaches: every user whose Spotify password was stolen had reused the same password across multiple accounts, the biggest error in password security.
The hackers who stole the passwords then fell victim to a similar security faux pas, saving the passwords in an unsecured cloud database. This meant that anyone with a web browser could view the database without needing a password to access it.
Hicham Bouali, EMEA presales engineer at One Identity, clarified that the data breach was not on Spotify’s end: “Here, attackers just managed to find out that a stolen database (coming from somewhere else) with the combination of Username/Password could be verified against Spotify via credential stuffing.”
“As users very often juggle lazily with the same password for their different online accounts, cybercriminals use botnets, computer bots, to test thousands of combinations of IDs and passwords on well-known services. To prevent this type of attack, or any password related attack (brute force, password spraying…etc.), the best solution is implementing multifactor authentication wherever possible.”
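The attack Bouali describes leaves a recognisable shape in a service's authentication log: one login attempt per account across many accounts, with the occasional success where the reused password was still valid. The following is an added example, not code from the article, from Spotify or from One Identity, that aggregates constructed log lines per source IP and separates that shape from a brute-force run against a single account and from a user who simply mistyped a password. The log format, IP addresses, account names and thresholds are all assumptions made for the example.

```python
"""Added example: classifying login-failure patterns from an auth log.

The sample log, the "<time> <source_ip> <username> <result>" format and the
thresholds below are constructed for this example, not taken from any vendor.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Illustrative thresholds (assumptions; tune them to your own traffic).
MIN_ATTEMPTS = 5        # ignore sources with fewer attempts in the window
DISTINCT_RATIO = 0.8    # distinct users / attempts above this => one try per account

# Constructed sample log. Three sources:
#   203.0.113.7  -> one attempt against each of many accounts, one succeeds
#                   (the credential-stuffing / password-spraying shape)
#   198.51.100.9 -> repeated attempts against a single account (brute force)
#   192.0.2.5    -> a user who mistypes once, then logs in (benign)
SAMPLE_LOG = """\
10:00:01 203.0.113.7 alice@example.com FAIL
10:00:01 203.0.113.7 bob@example.com FAIL
10:00:02 203.0.113.7 carol@example.com OK
10:00:02 203.0.113.7 dave@example.com FAIL
10:00:03 203.0.113.7 erin@example.com FAIL
10:00:03 203.0.113.7 frank@example.com FAIL
10:00:10 198.51.100.9 grace@example.com FAIL
10:00:11 198.51.100.9 grace@example.com FAIL
10:00:12 198.51.100.9 grace@example.com FAIL
10:00:13 198.51.100.9 grace@example.com FAIL
10:00:14 198.51.100.9 grace@example.com FAIL
10:00:15 198.51.100.9 grace@example.com OK
10:00:20 192.0.2.5 heidi@example.com FAIL
10:00:25 192.0.2.5 heidi@example.com OK
"""


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)
    succeeded: set = field(default_factory=set)  # accounts that logged in from this source


def parse_log(text):
    """Aggregate attempts per source IP; malformed lines are skipped, not fatal."""
    stats = defaultdict(SourceStats)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _time, ip, user, result = parts
        s = stats[ip]
        s.attempts += 1
        s.users.add(user)
        if result == "OK":
            s.succeeded.add(user)
        else:
            s.failures += 1
    return stats


def classify(s):
    """Label one source's login pattern."""
    if s.attempts < MIN_ATTEMPTS:
        return "benign"
    if len(s.users) / s.attempts >= DISTINCT_RATIO:
        # One guess per account across many accounts: a stolen credential list
        # being replayed (stuffing) or one password tried everywhere (spraying).
        # The two look alike in the log because the password itself is not recorded.
        return "credential-stuffing-or-spraying"
    if len(s.users) <= 2 and s.failures >= MIN_ATTEMPTS:
        return "brute-force"
    return "benign"


def analyze(text):
    """Return {ip: (label, sorted accounts that succeeded)} for suspicious sources only."""
    findings = {}
    for ip, s in parse_log(text).items():
        label = classify(s)
        if label != "benign":
            findings[ip] = (label, sorted(s.succeeded))
    return findings


if __name__ == "__main__":
    for ip, (label, hits) in analyze(SAMPLE_LOG).items():
        print(f"{ip}: {label}; accounts to reset and enrol in MFA: {hits or 'none'}")
```

The accounts listed under a stuffing source are the ones whose reused password was still valid, so those are the ones to reset first. Note the limitation: the botnets Bouali mentions spread attempts across many source IPs precisely so that per-IP counts like these stay under threshold, which is why a per-account view (one account failing from many sources) and the multifactor authentication he recommends, which makes a correctly guessed password insufficient on its own, matter more than any single threshold.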
Chris Clements, vice president of solutions architecture at cybersecurity software company Cerberus Cyber Sentinel, however, argued that not all of the blame should fall on users who pick weak or reused passwords: “It’s easy to blame users for poor password hygiene, but the reality is that it’s very difficult to choose a single strong password. Even harder is to do so for every online account they might have and then keep up with them all.”
For this reason, Clements advises users to rely on password managers: “Password managers do a great job at alleviating this problem, but the free ones built into mobile devices or web browsers can present a problem for users if they need to log into an account from a different type of device; for example, the built-in Apple Keychain password manager works great on iPhones or Mac computers but not on Microsoft Windows PCs. Third party password managers can solve this problem, but often require a subscription for use. There are a few that offer free tiers as well as open source options such as Bitwarden that offer good solutions.”