Security researcher vpnMentor found the database, hosted on a completely unsecured Elasticsearch server, according to InfoSecurity magazine. With the data leak, it is apparent that some Spotify users have been impacted. It is estimated that roughly 300,000 to 350,000 accounts were embroiled in the leak, in which email addresses, Personally Identifiable Information (PII), countries of residence, and login credentials — both usernames and passwords — were available to view.
Hackers are becoming increasingly sophisticated in taking such data and mining preferences and behaviors to undertake activities such as predicting hot-button issues and determining what shapes social and political behaviour.
The information was not encrypted. According to researchers, the origins of the database are unknown, but it does not belong to the music streaming service itself. Instead, the third-party that created the database may have collated the records from other sources — such as stolen data dumps or another platform — for later use to hijack user accounts.
When experiencing such attacks, it is always important that users should ensure they use unique passwords for every site and service to keep their information safe.
Looking into the issue is Keith Neilson, Technical Evangelist, CloudSphere.
Neilson explains why the information loss was important: “An exposed database will often result in sensitive information being used by threat actors for nefarious purposes. Unfortunately, threat actors are believed to have collected information and created this database with over 380 million records. Without awareness in the cloud environment, any unnoticed change or update in policy risks customer data.”
In terms of preventative actions, Neilson says: “To minimize the attack surface and prevent hackers from abusing personal data, businesses should invest in a platform with complete visibility into the cloud environment and real-time security posture monitoring to minimize the cloud attack surface and ensure data does not end up in the wrong hands. With the ability to remediate gaps in security in real-time, businesses can operate without fear of putting customer data in jeopardy.”
