Spotify has reportedly begun resetting the passwords of up to 350,000 accounts that were breached as the result of a credential-stuffing attack. A company called vpnMentor, as found by ZDNet, says that it discovered a treasure trove of hacked account data available online. This information was used by some nefarious types to gain access to the streaming music platform and generally cause havoc. ZDNet says that the company has now begun the password update process.
Credential stuffing is the art of using data from one leak and using it to access otherwise secure accounts elsewhere. If you re-use your passwords, then if Site A is breached and hackers get hold of your email address and password, they can easily try them to access Site B. vpnMentor said that it found the cache of third-party data in July, and it notified Spotify on July 9th, at which point the streaming platform took action. It’s worth saying that Spotify itself was not breached, but that the login details were aggregated from other hacks.