Security researchers recently discovered a large misconfigured Elasticsearch database that fraudsters were using to break into as many as 350,000 Spotify accounts with login credentials stolen in other data breaches.
Security researchers Noam Rotem and Ran Locar from vpnMentor’s research team recently discovered a 72GB Elasticsearch database that contained "over 380 million records, including login credentials and other user data being validated against the Spotify service."
Working with Spotify, the researchers learned that the publicly-accessible database belonged to a team of fraudsters who were trying to defraud Spotify and its users. The fraudsters stored millions of login credentials obtained from other data breaches in the database and used the credentials to access between 300,000 and 350,000 user accounts.
Once Spotify confirmed that the fraudsters were using credential stuffing to take over hundreds of thousands of its users' accounts, it initiated a ‘rolling reset’ of passwords for all affected users, so that the stolen credentials could no longer be used to access those accounts.
The operation could have continued unnoticed had the fraudsters secured their own Elasticsearch database. Instead, they left it exposed to the internet without a password or any other authentication, which is how vpnMentor's research team found it in July.
Notwithstanding the fraudsters' error, the incident demonstrates how easy it is for malicious actors to break into people's online accounts by exploiting password reuse: many people still use the same password across multiple online services for convenience, so a credential leaked from one service can simply be replayed against others until it works.
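The pattern described above has a recognisable signature on the defender's side: one source tries many different usernames, roughly once each, with a high failure rate, whereas a legitimate user who has forgotten their password retries the same username. The following detector, an added example that is not code from the article, Spotify or vpnMentor, runs that heuristic over constructed authentication log lines. The log format, field names, IP addresses, usernames and thresholds are all assumptions made for illustration.

```python
"""Credential-stuffing detector over authentication log lines.

Added example (not from the article or from Spotify/vpnMentor). It flags a
source that, inside a time window, tries many *distinct* usernames with few
attempts per username and a high failure rate, and records which usernames
nevertheless logged in successfully from that source (the accounts an
operator would want to force-reset). Log format, thresholds and sample data
are assumptions constructed for this example.
"""
from collections import Counter, defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Assumed log format (constructed for this example):
# <ISO timestamp> login src=<ip> user=<name> result=<success|failure>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) login src=(?P<src>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>success|failure)$"
)


@dataclass
class Attempt:
    ts: datetime
    src: str
    user: str
    success: bool


def parse_line(line):
    """Parse one log line into an Attempt; return None for lines that don't match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return Attempt(datetime.fromisoformat(m["ts"]), m["src"],
                   m["user"].lower(), m["result"] == "success")


def detect_stuffing(lines, window=timedelta(minutes=10), min_users=20,
                    max_attempts_per_user=2.0, min_failure_ratio=0.8):
    """Return {src_ip: summary} for sources whose login behaviour looks like stuffing."""
    by_src = defaultdict(list)
    for line in lines:
        a = parse_line(line)
        if a:
            by_src[a.src].append(a)

    flagged = {}
    for src, attempts in by_src.items():
        attempts.sort(key=lambda a: a.ts)
        in_window = deque()        # attempts inside the sliding time window
        user_counts = Counter()    # attempts per username inside the window
        failures = 0
        for a in attempts:
            in_window.append(a)
            user_counts[a.user] += 1
            failures += not a.success
            # Evict attempts that fell out of the window (never empties: `a` itself stays).
            while a.ts - in_window[0].ts > window:
                old = in_window.popleft()
                user_counts[old.user] -= 1
                if user_counts[old.user] == 0:
                    del user_counts[old.user]
                failures -= not old.success
            n, distinct = len(in_window), len(user_counts)
            if (distinct >= min_users
                    and n / distinct <= max_attempts_per_user
                    and failures / n >= min_failure_ratio):
                hit = flagged.setdefault(
                    src, {"distinct_users": 0, "attempts": 0, "compromised": set()})
                hit["distinct_users"] = max(hit["distinct_users"], distinct)
                hit["attempts"] = max(hit["attempts"], n)
                # Successful logins inside a stuffing window are the accounts to reset.
                hit["compromised"].update(x.user for x in in_window if x.success)
    return flagged


def constructed_sample():
    """Constructed log lines: one fumbling legitimate user, one stuffing run."""
    base = datetime(2020, 7, 3, 9, 0, 0)
    lines = []
    # Benign: 'alice' mistypes her password five times, then gets in.
    for i in range(5):
        lines.append(f"{(base + timedelta(seconds=20 * i)).isoformat()} "
                     f"login src=203.0.113.5 user=alice result=failure")
    lines.append(f"{(base + timedelta(seconds=110)).isoformat()} "
                 f"login src=203.0.113.5 user=alice result=success")
    # Stuffing: one source tries 25 different usernames once each; two leaked passwords still work.
    for i in range(25):
        result = "success" if i in (7, 19) else "failure"
        lines.append(f"{(base + timedelta(seconds=6 * i)).isoformat()} "
                     f"login src=198.51.100.7 user=victim{i:02d} result={result}")
    return lines


if __name__ == "__main__":
    for src, summary in detect_stuffing(constructed_sample()).items():
        print(src, summary)
```

On the constructed sample only 198.51.100.7 is flagged, with victim07 and victim19 recorded as successfully accessed. Keying on the source IP alone is the simplest form of this check; real stuffing tools spread attempts across proxy pools, so production detectors also group by ASN, user agent or TLS fingerprint and compare the global distinct-username rate against a baseline.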
This is why, says Javvad Malik, security awareness advocate at KnowBe4, it's important that users understand the importance of choosing unique and strong passwords across their accounts and, where available, enable and use MFA. That way, even if an account is compromised, it won't be possible for attackers to use those credentials to breach other accounts.
According to Niamh Muldoon, OneLogin's Senior Director of Trust and Security, this is a great example of why single authentication mechanisms are so weak. It can be hard for individuals to remember all the accounts they hold and to keep up to date with every data breach that is happening. Therefore, organisations should enable their end-users to be as security-first and conscious as possible.
"An easy way for organisations to do this is by streamlining access via a single sign-on platform, securing their access via two-factor authentication to protect them against risks like the Spotify end-users experienced," she said.
This is certainly not the first time that attackers have employed credential stuffing to gain access to a large number of online accounts. In early 2019, fraudsters carried out credential-stuffing attacks against Deliveroo users' accounts and placed orders on their behalf, inflicting losses of hundreds, sometimes thousands, of pounds on Deliveroo's customers.
In response, a Deliveroo spokesperson told The New Statesman that the company did protect customers' personal and financial data using encryption and hashing, but that the hijacking of customer accounts was not because of any flaws in its security but because customers used the same password for different accounts and fell victim to credential-stuffing attacks.