Spotify resets 350,000 passwords after a data leak

Security researchers have found an unencrypted 72GB database online, containing more than 380 million passwords online, ZDNet reports. Noam Rotem and Ran Locar stumbled upon the database during a web mapping project. After investigating the situation the duo found out that the breach contains "login credentials and other user data being validated against the Spotify service."

The origins of the password records are unknown but Rotem and Locar think that the database was compiled from different sources, including stolen data dumps. The leaked data can be potentially used to hijack Spotify accounts that use the same passwords as other services - the attack is called “credential stuffing”.

"These credentials were most likely obtained illegally or potentially leaked from other sources that were repurposed for credential stuffing attacks against Spotify," Rotem and Locar said.

The issue was discovered back in the Summer and reported to Spotify promptly. The music streaming service then initiated a password reset to more than 350,000 accounts to mitigate the risk of accounts being compromised and/or hijacked. It seems that the issue is resolved by now without complications but such leaks remind us once again not to use the same passwords with different services on the web.