Up to 350,000 Spotify accounts have been targeted by hackers and cracked using reused or weak passwords, security researchers at Israeli website VPNMentor have revealed.

While the music streaming service itself has not been hacked, the researchers found an unprotected online database containing approximately 380 million personal records/ These were likely stolen in an old data breach or phishing attack and are not directly related to Spotify. However, they provide hackers with a large amount of passwords and credentials to conduct cyber attacks.

The database owner used the records to launch a "credential stuffing" attack that tried passwords, usernames, and email addresses (Spotify can use either) to access accounts for multiple online services.

Spotify was informed of the situation by VPNMentor researchers in early July and immediately forced all affected users to reset their passwords.

However, these users are still susceptible to credential-stuffing attacks on other services where their old Spotify passwords were reused.

If you are a Spotify user and have used the same credential set (password and username and/or email address) on other accounts, you should change the passwords on those accounts immediately.

Be sure to make your new passwords long, strong, and unique. We recommend using the best password manager to create and manage your new passwords.

You should also plead with Spotify to offer two-factor authentication (2FA) as a security option to prevent exactly this kind of account takeover.

Without a "second" factor, such as a text code, an app-generated code, a specific smartphone, or a physical security key, an attacker cannot break into your account even with a password. Most well-known online services already offer 2FA, and it is time for Spotify to join them.

Spotify users in the database could also fall victim to phishing attacks and identity theft, VPNMentor researchers warn.

"Fraudsters could use the emails and names published by the leak to identify users on other platforms and social media accounts."

"Scammers may also use contact information to directly target users exposed by phishing emails, tricking them into providing sensitive data such as credit card information or forcing them to click on fake links with embedded malware.

Of course, this is true every time a major data breach occurs and personal information is compromised. Virtually everyone who has ever had an online account has had something exposed; you can check your email address and password at a (safe to use) site called HaveIBeenPwned.

Credential stuffing generally works only because most people use the same password for multiple accounts or use simple, common passwords that can be easily guessed. [If the password, username, and/or email address linked to one of these accounts is exposed in a data breach or phishing attack, all accounts using those credentials can be accessed, no matter how strong the password. credentials, no matter how strong the passwords are.

Credential stuffing is not really hacking because the attacker already has the "key" and is using the login software as designed. Instead, using the same set of keys for multiple accounts makes it easier for the attacker.

Reusing passwords is like having one key for your house, car, office, and home safe. Using the top 10,000 or so most commonly used passwords is like having a blank key. Either way, if someone gets a copy of that key, you're done.