Skip to main content

Hackers stored Spotify passwords on cloud database … without a password

Hackers who compiled a database of as many as 350,000 Spotify passwords proceeded to store it on a cloud server … without a password. The breach also offers a reminder of a key principle to apply when choosing passwords for your account …

Don’t use the same passwords for multiple accounts.

CNET reports that the passwords were identified by credential-stuffing.

A group of hackers didn’t have to breach Spotify’s systems to access as many as 350,000 accounts on the music-streaming service. All it took was a cache of login credentials stolen in other data breaches, and some patience.

The hackers were successful because Spotify account holders were reusing passwords from other accounts they had, a basic security mistake. The hackers just had to try the combinations on Spotify and look for matches, a technique known as credential stuffing.

The simplicity of that technique doesn’t require genius, something the hackers proved by committing their own security blunder. The gang of criminal nonmasterminds exposed their own operation by storing the records on an unsecured cloud database. That meant anyone with a web browser could see the data without needing a password.

Security researchers Ran Locar and Noam Rotem found the exposed records as part of a project that scans the internet for unsecured data. The researchers, who ask for unsecured data they find to be removed or locked down, published their findings with security website vpnMentor on Monday.

Re-using the same password for multiple websites and apps is one of the riskiest things you can do, because it means your logins are only as secure as the least-secure or most careless service you use. If that service is hacked, then attackers will simply try the stolen credentials on a whole bunch of other platforms. With one hack, they can access every service you use with the same password.

A password manager is the simplest way to safeguard your privacy, allowing you to use unique, strong passwords for every platform. Safari has a built-in password manager and will auto-suggest unique passwords for each site, but commercial ones like 1Password and LastPass offer greater flexibility, working across browsers.

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel



Avatar for Ben Lovejoy Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!

Ben Lovejoy's favorite gear