Spotify resets 350,000 passwords involved in a data breach – Auth0 comments on the rise of credential stuffing attacks
November 2020 by Auth0
Researchers have found an unsecured internet-facing database containing over 380 million individual records, including login credentials that were used to break into 300,000 to 350,000 Spotify accounts. Spotify has since issued a rolling password reset to the affected user accounts. According to the researchers, the origins of the database are unknown, but it does not belong to the music streaming service itself. Instead, the third party that created the database may have collated the records from other sources — such as stolen data dumps or another platform — for later use in hijacking user accounts.
Matias Woloski, CTO and Co-founder, Auth0, has made the following comments on the recent rise in credential stuffing attacks, and what organisations can do to mitigate the risk:
“At Auth0, we’re in a unique position as an aggregator of identity and login data to see massive trends across our customer base. Today, roughly 67% of our authentication traffic is deemed suspicious, meaning it looks like application fraud. The use of stolen credentials is one of the most common methods used in observed data breaches.
“Credential stuffing is when attackers take credentials that have been leaked in one data breach and try them en masse against other websites to find combinations that are reused, so they can take over user accounts. Attackers do this in an automated fashion, so that they can try thousands of credentials over time. It’s really a numbers game. If 0.01% of a massive list of credentials are reused on a second website, you can still take over a significant number of accounts.
“Most of the problems that enable credential stuffing attacks have been around for a long time. What’s really going to change is how we address these attacks, because they are going to become more imperative. We need to take mitigation techniques like MFA that introduce more friction and make them smarter. In an ideal world, a customer only encounters more friction occasionally when it’s more necessary. Instead of triggering MFA every time a user logs in, trigger it only when it makes sense. If you’re a UK company and most of your user base is in the UK or Europe, but you see huge spikes in traffic from Vietnam or Thailand, ask for additional verification.”
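The two signals Woloski describes, the automated high-volume pattern of credential stuffing and the geographic spike that should trigger step-up MFA, can be turned into a simple risk check over a window of login attempts. The following is an added illustration, not code from the article or from Auth0; the baseline country shares, thresholds and sample login data are constructed assumptions.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

# Baseline share of logins per country, e.g. learned over the previous 30 days.
# Constructed values for a UK-centric service; not figures from the article.
BASELINE_SHARE = {"GB": 0.80, "DE": 0.10, "FR": 0.05, "US": 0.05}
UNSEEN_FLOOR = 0.01       # share assumed for a country absent from the baseline
SPIKE_FACTOR = 5.0        # a country is "spiking" above SPIKE_FACTOR x its baseline
MIN_ATTEMPTS = 20         # windows smaller than this are too noisy to judge
MAX_USERS_PER_IP = 10     # more distinct usernames than this from one IP is suspicious

@dataclass(frozen=True)
class LoginAttempt:
    user: str
    country: str
    source_ip: str

def spiking_countries(window, baseline=BASELINE_SHARE):
    """Countries whose share of attempts in the window is far above their baseline."""
    if len(window) < MIN_ATTEMPTS:
        return set()
    counts = Counter(a.country for a in window)
    return {c for c, n in counts.items()
            if n / len(window) > SPIKE_FACTOR * baseline.get(c, UNSEEN_FLOOR)}

def stuffing_sources(window):
    """Source IPs cycling through many distinct usernames: the automated stuffing pattern."""
    users_by_ip = defaultdict(set)
    for a in window:
        users_by_ip[a.source_ip].add(a.user)
    return {ip for ip, users in users_by_ip.items() if len(users) > MAX_USERS_PER_IP}

def requires_step_up(attempt, window):
    """Ask for MFA only when the attempt matches a geographic spike or a stuffing source."""
    return (attempt.country in spiking_countries(window)
            or attempt.source_ip in stuffing_sources(window))

def _constructed_window():
    # Constructed sample: 60 UK and 5 German logins from distinct users and IPs,
    # plus 35 attempts from one Vietnamese IP cycling through different usernames.
    w = [LoginAttempt(f"uk{i}", "GB", f"198.51.100.{i}") for i in range(60)]
    w += [LoginAttempt(f"de{i}", "DE", f"203.0.113.{i}") for i in range(5)]
    w += [LoginAttempt(f"victim{i}", "VN", "192.0.2.7") for i in range(35)]
    return w

SAMPLE_WINDOW = _constructed_window()

if __name__ == "__main__":
    print("spiking countries:", spiking_countries(SAMPLE_WINDOW))  # {'VN'}
    print("stuffing sources:", stuffing_sources(SAMPLE_WINDOW))    # {'192.0.2.7'}
```

Ordinary UK users in the same window are never prompted, which is the "friction only when it makes sense" behaviour the quote argues for.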