Spotify resets 350,000 passwords after a data leak
The origins of the password records are unknown, but Rotem and Locar think that the database was compiled from different sources, including stolen data dumps. The leaked data could potentially be used to hijack Spotify accounts whose owners use the same passwords on other services, an attack called “credential stuffing”.
"These credentials were most likely obtained illegally or potentially leaked from other sources that were repurposed for credential stuffing attacks against Spotify," Rotem and Locar said.
The issue was discovered back in the summer and promptly reported to Spotify. The music streaming service then initiated a password reset for more than 350,000 accounts to mitigate the risk of accounts being compromised or hijacked. It seems that the issue has since been resolved without complications, but such leaks remind us once again not to use the same password for different services on the web.