For 320 million Spotify users around the world, December kicked off with some fun statistics in Wrapped, the streaming service’s yearly review: Most streamed artist, most played song, top podcasts... But it’s 2020, "the Year to Forget", and no parade can go on for long without some rain. During Spotify’s Wrapped 2020, the most popular streaming service in the world suffered a pretty wild security breach that targeted both popular musicians and their music labels.
The hacker, an avid Taylor Swift fan it seems, bypassed protections on a password-protected Spotify site called Spotify for Artists, and seized famous pop star pages such as Dua Lipa, Lana Del Rey, and Future. "Daniel", the attacker called himself, used the commandeered pages to ask millions of followers to follow him on Snapchat, adding messages in support of Donald Trump and Taylor Swift, such as “Trump 2020” and “Best of all shout out to my queen Taylor Swift” (TAKE THAT Kanye West?).
(Photo courtesy of threatpost)
This isn't the first time Spotify users have been on the receiving end of a security lump of coal this holiday season. Just two weeks ago attackers deployed what looked like a credential-stuffing operation, affecting between 300,000 and 350,000 Spotify users in total. A credential-stuffing attack takes advantage of people that reuse passwords across multiple platforms (Tsk-tsk). In this case, credentials from an open Elasticsearch database containing more than 380 million records, including login credentials, were being checked against Spotify accounts, as spotted by vpnMentor’s research team.
We encourage Spotify users who have reused their Spotify password on other platforms to reset their passwords immediately, and to refrain from reusing the same password on multiple platforms: it's a bad security habit that should quickly go away, just like 2020.