Software bug in Spotify accidentally exposes user data to business partners

Hey, guys! How are y’all doing? All good, I hope :)

I’m sure most of you reading this blog are Spotify users or, at the very least, have heard of the world’s most popular streaming service. The service that always delivers good music is now, unfortunately, delivering unpleasant news to all its users because of a security bug.

This is the third breach in the past few weeks for Spotify.

The price users paid for this vulnerability is the exposure of personal data such as email addresses, preferred display names, passwords, gender and dates of birth.


Tell me more about the vulnerability

On 9th December 2020, Spotify put up a notice of data breach alerting its users that some of their Spotify account registration data had been inadvertently exposed to some of Spotify’s business partners. Spotify says this data may include email address, preferred display name, password, gender and date of birth.

According to Spotify’s statement, the vulnerability existed from 9th April 2020 until it was discovered on 12th November 2020, at which point Spotify addressed it immediately. Although Spotify assures users that it has no reason to believe any unauthorized use of their personal information has occurred or will occur, it encourages users to immediately change the passwords of all other online accounts for which they used the same email address and password.

Okay, what’s Spotify doing about this vulnerability? 

This is the excerpt from Spotify’s statement regarding how they plan to deal with this situation:

“We take any loss of personal information very seriously and are taking steps to help protect you and your personal information. We have conducted an internal investigation and have contacted all of our business partners that may have had access to your account information to ensure that any personal information that may have been inadvertently disclosed to them has been deleted. We also reset your Spotify password to help keep your account secure.”

Other Spotify breaches

Just a few days before Spotify released its notice of data breach, popular artists’ Spotify accounts were taken over by a hacker who goes by the name “Daniel”. The hacker took over the singers’ biography pages on the streaming platform and replaced their official information with images of himself. Some of the affected artists are Dua Lipa, Lana Del Rey, Pop Smoke and Future.

“Daniel”, who appears to be a Taylor Swift fan, also added the messages “Trump 2020” and “Best of all shout out to my queen Taylor Swift”, as well as requests for users to follow him on Snapchat. Below are screenshots of some of the affected profiles.


Figure 1: Account takeover of Lana Del Rey’s Spotify account


Figure 2: Snapchat QR code of hacker “Daniel”


Figure 3: Another place where the hacker’s Snapchat QR code appeared


Figure 4: Another screenshot of artist Lana Del Rey’s Spotify account takeover

Although it is still unclear how “Daniel” got the access needed to wreak havoc, Spotify has since restored the singers’ biography pages.

In a separate incident in late November 2020, Spotify subscribers faced disruption due to a credential-stuffing operation (see the glossary below). vpnMentor’s research team spotted an open, vulnerable Elasticsearch database containing more than 380 million individual records. These records included login credentials and other user data that were actively being validated against Spotify accounts. The database contained over 72 GB of data, including account usernames and passwords verified on Spotify, email addresses and countries of residence.

This is what vpnMentor had to say: 

“The exposed database belonged to a third party that was using it to store Spotify login credentials. These credentials were most likely obtained illegally or potentially leaked from other sources. Working with Spotify, we confirmed that the database belonged to a group or individual using it to defraud Spotify and its users.”


To address this issue, Spotify initiated a rolling reset of passwords, making the information in the database relatively useless. According to vpnMentor, the attacks ultimately affected between 300,000 and 350,000 music streamers, a small fraction of the company’s user base of 299 million monthly active users.

Glossary

A credential-stuffing attack is one where attackers take advantage of people who reuse the same password across multiple online accounts. Attackers take IDs and passwords stolen from another source, such as a breach of another company or website, and try those stolen logins against many accounts on other services using automated scripts, hoping to gain unauthorized access wherever the credentials were reused.
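For anyone on the defending side wondering what a credential-stuffing run like the one above looks like in their own login logs, here is an added example (my own illustration, not code from Spotify or vpnMentor). The log line format, the sample lines and the detection thresholds are all assumptions chosen for this post. The tell-tale signal is one source trying many different usernames in a short window with mostly failures, which is quite unlike a single user fumbling their own password.

```python
"""Spot credential-stuffing patterns in authentication logs.

Added example for this post; the log format, sample data and thresholds
are assumptions, not anything used by Spotify or vpnMentor.
"""
import re
from collections import defaultdict
from datetime import datetime

# Assumed log line format (constructed for this example):
#   "<ISO timestamp> ip=<addr> user=<name> result=<ok|fail>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample log: one source spraying ten different accounts with
# mostly failures (the stuffing pattern), one ordinary successful login, and
# one source retrying a single account (looks like a forgotten password).
SAMPLE_LOG = """\
2020-11-20T10:00:00 ip=203.0.113.7 user=alice result=fail
2020-11-20T10:00:01 ip=203.0.113.7 user=bob result=fail
2020-11-20T10:00:02 ip=203.0.113.7 user=carol result=ok
2020-11-20T10:00:03 ip=203.0.113.7 user=dave result=fail
2020-11-20T10:00:04 ip=203.0.113.7 user=erin result=fail
2020-11-20T10:00:05 ip=203.0.113.7 user=frank result=fail
2020-11-20T10:00:06 ip=203.0.113.7 user=grace result=fail
2020-11-20T10:00:07 ip=203.0.113.7 user=heidi result=fail
2020-11-20T10:00:08 ip=203.0.113.7 user=ivan result=ok
2020-11-20T10:00:09 ip=203.0.113.7 user=judy result=fail
2020-11-20T10:05:00 ip=198.51.100.4 user=alice result=ok
2020-11-20T10:06:00 ip=198.51.100.9 user=mallory result=fail
2020-11-20T10:06:05 ip=198.51.100.9 user=mallory result=fail
2020-11-20T10:06:10 ip=198.51.100.9 user=mallory result=fail
2020-11-20T10:06:15 ip=198.51.100.9 user=mallory result=ok
"""


def parse_log(text):
    """Turn raw log text into a list of login-attempt dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "ip": m["ip"],
            "user": m["user"],
            "ok": m["result"] == "ok",
        })
    return events


def bucket_start(ts, window_minutes):
    """Floor a timestamp to the start of its fixed time bucket (window_minutes must divide 60)."""
    minute = ts.minute - ts.minute % window_minutes
    return ts.replace(minute=minute, second=0, microsecond=0)


def find_stuffing_sources(events, window_minutes=10, min_users=5, min_fail_ratio=0.6):
    """Return a list of findings, one per (source IP, time bucket) that looks like stuffing.

    Heuristic (an assumption for this example): within one bucket a single source
    tries at least `min_users` distinct usernames and at least `min_fail_ratio`
    of its attempts fail. The number of *different* accounts per source is what
    separates stuffing from a legitimate user mistyping their own password.
    """
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["ip"], bucket_start(e["ts"], window_minutes))].append(e)

    findings = []
    for (ip, bucket), evs in sorted(by_key.items()):
        users = {e["user"] for e in evs}
        fails = sum(1 for e in evs if not e["ok"])
        ratio = fails / len(evs)
        if len(users) >= min_users and ratio >= min_fail_ratio:
            findings.append({
                "ip": ip,
                "window_start": bucket.isoformat(),
                "attempts": len(evs),
                "distinct_users": len(users),
                "fail_ratio": round(ratio, 2),
                # Accounts that logged in successfully from a flagged source are
                # the ones whose reused password has likely leaked: these are the
                # accounts a rolling password reset should target first.
                "compromised": sorted(e["user"] for e in evs if e["ok"]),
            })
    return findings


if __name__ == "__main__":
    for f in find_stuffing_sources(parse_log(SAMPLE_LOG)):
        print(f)
```

Run it as-is and the only source flagged is 203.0.113.7, with `carol` and `ivan` listed as the accounts that accepted a stuffed password. The single-account retries from 198.51.100.9 are not flagged, because one user failing repeatedly is a different problem from one source cycling through a list of leaked logins. The `compromised` list is the useful output for a defender: it is exactly the set of accounts a reset like Spotify's rolling password reset needs to cover.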

That’s it for today’s blog, y’all! Feel free to drop comments and share this blog if you found it interesting.

Stay safe and stay tuned.

Until next time, friends!

Credits: Threatpost & NME
