Spotify is providing support to sequentially reset user passwords after receiving reports that 380 million databases used in leaked cyber attacks contain user login credentials and other information.
The leaked information includes Spotify user information, but Spotify itself is not hacked. This information was leaked from another service. This information was discovered by an information security company called vpnMentor.
The discovered information is used for credential stuffing, that is, an attack that randomly assigns login information such as ID and password leaked from other places to other websites or apps. If a user of site A whose information has been leaked uses the same name and password combination on site B, a hacker can attack and infiltrate both sites.
VPN Mentor contacted Spotify a few days later after discovering a database of unknown sources in July and confirming that it contained Spotify user information. It is said that this information included email addresses or personal information containing 300,000 to 350,000 accounts, nationality, user email and password. Since such data is not encrypted, users included in this database can be exploited to gain unauthorized access to other services by stealing accounts or leaking usernames and passwords.
Spotify is preparing a page with advice on how to protect accounts for users who are concerned about how to properly protect their account information. Related information can be found here .