Credential stuffing attack targeted 300K+ Spotify users

Pierluigi Paganini November 24, 2020

Researchers uncovered a possible credential stuffing campaign that is targeting Spotify accounts using a database of 380 million login credentials.

Security experts from vpnMentor have uncovered a possible credential stuffing operation that affected some Spotify accounts. Threat actors behind the campaign are using a database containing over 380 million records, including login credentials and other data for Spotify accounts, likely amassed from various sources. Experts estimated that the number of impacted users ranges between 300,000 and 350,000.

“The origins of the database and how the fraudsters were targeting Spotify are both unknown. The hackers were possibly using login credentials stolen from another platform, app, or website and using them to access Spotify accounts.” reads the post published by vpnMentor.

“Working with Spotify, we confirmed that the database belonged to a group or individual using it to defraud Spotify and its users. We also helped the company isolate the issue and ensure its customers were safe from attack.”

Credential stuffing attacks involve botnets to try stolen login credentials usually obtained through phishing attacks and data breaches. This kind of attacks is very efficient due to the bad habit of users of reusing the same password over multiple services.

The database is 72 GB in size, it includes 380+ million records containing email addresses and login credentials (usernames and passwords), and whether the credentials could successfully login to a Spotify account.

The exposed data could expose users to multiple malicious activities, including identity theft & fraud, scams, phishing and malware attacks, and of course account abuse.

Below the timeline shared by the researchers:

Date discovered: July 3rd, 2020 (reviewed on July 9th)
Date Spotify contacted: July 9th, 2020
Date of Response: July 9th, 2020
Date of Action: Between July 10th and July 21st

Spotify announced that it is forcing the password reset for all the impacted users.

Let’s remind that Spotify does not support two-factor authentication for its users, this means hackers who have had access to the unsecured Elasticsearch DB discovered by vpnMentor may have had access to the Spotify accounts.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Spotify)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini July 08, 2025

Microsoft Patch Tuesday security updates for July 2025 fixed a zero-day

Pierluigi Paganini July 08, 2025