350,000 Spotify Passwords Stolen, Left in an Unprotected Database

A group of bad actors stored around 350,000 illegally obtained Spotify account passwords on a server without encryption or any other protection. The data was not taken in a breach of Spotify's own user databases; it was collected through credential stuffing.

The principle of credential stuffing relies on people reusing their passwords across different websites or services. This is exactly how the hacker group in question got their hands on those 350,000 Spotify passwords. The bad actors used multiple password leaks and started mixing and matching those previously leaked passwords with Spotify accounts until they found working matches.

However, the bad actors also thought it was a good idea to store the illegally obtained passwords on a server without any sort of protection. This allowed security researchers who sweep the web for unsecured databases to spot and identify the password dump.

This incident serves to once again underline the importance of never reusing your passwords across devices, websites or services. The convenience that seems to come with password reuse is never worth the danger of one of those services being breached or leaking your password and bad actors then being able to use it to access your other accounts.

Credential stuffing allows hackers to gain access to accounts you may consider secure, as the service or site in question never suffered a data breach. However, a leak from one location with a reused password can potentially allow hackers to compromise all your other accounts that share the same password string.
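The pattern described above (one source trying leaked credentials against many different accounts, most attempts failing) is what a service's own login logs show during credential stuffing. The following added example, not part of the original article, flags such sources in constructed sample log lines and lists the accounts they did get into, which are the ones to force a password reset on. The log format and thresholds are assumptions for illustration.

```python
"""Flag credential-stuffing sources in login logs (added example).

Assumed log line format (not from the article):
    <ISO timestamp> <source ip> <account> <SUCCESS|FAIL>
"""
from collections import defaultdict

# Constructed sample: 198.51.100.7 sprays leaked credentials across many
# accounts; 203.0.113.42 is one user mistyping their own password twice.
SAMPLE_LOG = """\
2020-11-27T10:00:01Z 198.51.100.7 alice@example.com FAIL
2020-11-27T10:00:02Z 198.51.100.7 bob@example.com FAIL
2020-11-27T10:00:02Z 198.51.100.7 carol@example.com SUCCESS
2020-11-27T10:00:03Z 198.51.100.7 dave@example.com FAIL
2020-11-27T10:00:03Z 198.51.100.7 erin@example.com FAIL
2020-11-27T10:00:04Z 198.51.100.7 frank@example.com FAIL
2020-11-27T10:00:05Z 203.0.113.42 grace@example.com FAIL
2020-11-27T10:00:09Z 203.0.113.42 grace@example.com FAIL
2020-11-27T10:00:15Z 203.0.113.42 grace@example.com SUCCESS
"""

def parse_log(text):
    """Yield (ip, account, succeeded) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("SUCCESS", "FAIL"):
            continue
        _ts, ip, account, result = parts
        yield ip, account, result == "SUCCESS"

def summarize_sources(text):
    """Per source IP: attempt count, distinct accounts tried, accounts hit."""
    stats = defaultdict(lambda: {"attempts": 0, "accounts": set(), "hits": set()})
    for ip, account, ok in parse_log(text):
        s = stats[ip]
        s["attempts"] += 1
        s["accounts"].add(account)
        if ok:
            s["hits"].add(account)
    return stats

def flag_stuffing(text, min_accounts=5, max_success_rate=0.25):
    """Return {ip: sorted accounts successfully accessed} for sources that
    tried many distinct accounts with a mostly-failing attempt stream."""
    flagged = {}
    for ip, s in summarize_sources(text).items():
        rate = len(s["hits"]) / s["attempts"]
        if len(s["accounts"]) >= min_accounts and rate <= max_success_rate:
            flagged[ip] = sorted(s["hits"])
    return flagged
```

A normal user retrying their own password touches one account, so the distinct-account threshold keeps them out of the flagged set.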

A password manager can help maintain a distinct, complex password for each account. The software not only stores your password database but can also generate strong passwords for you, or turn the favorite, easily remembered password you keep reusing into something unique and more secure.

November 27, 2020
