Spotify resets up to 350,000 passwords linked to third-party data leak

Researchers found Spotify was being used for credential-stuffing attacks.

Sponsored Links

Man typing at his laptop computer at night
Westend61 via Getty Images

Spotify has reportedly begun resetting the passwords of up to 350,000 accounts that were breached as the result of a credential-stuffing attack. A company called vpnMentor, as found by ZDNet, says that it discovered a treasure trove of hacked account data available online. This information was used by some nefarious types to gain access to the streaming music platform and generally cause havoc. ZDNet says that the company has now begun the password update process.

Credential stuffing is the art of using data from one leak and using it to access otherwise secure accounts elsewhere. If you re-use your passwords, then if Site A is breached and hackers get hold of your email address and password, they can easily try them to access Site B. vpnMentor said that it found the cache of third-party data in July, and it notified Spotify on July 9th, at which point the streaming platform took action. It’s worth saying that Spotify itself was not breached, but that the login details were aggregated from other hacks.

As with all incidents of this type, it’s a good reminder to not re-use passwords, and make sure that you keep your passwords updated. If you don’t fancy doing that yourself, you can always avail yourself of a third-party password manager like LastPass, which also proactively warns you if your passwords show up in these sorts of databases. Spotify adds that users concerned about their privacy should head to a page with advice on how they can protect their account.

All products recommended by Engadget are selected by our editorial team, independent of our parent company. Some of our stories include affiliate links. If you buy something through one of these links, we may earn an affiliate commission.
Popular on Engadget