Spotify hackers exposed themselves to hacking, stolen data left open

Hollywood has given us so many preconceived notions of hackers that most people picture anti-social geniuses working in dark corners of their rooms while they traverse the dark sectors of the Web. In truth, not every hacker is sophisticated; sometimes all it takes is basic knowledge and a lot of patience to reap the rewards. That was the case in a recent Spotify data breach, where the hackers turned out to be guilty of the same lax security practices as their victims.

Spotify's systems weren't broken into in the usual sense of the word, with hackers exploiting bugs to gain access to its servers. The attackers instead used credential stuffing, not brute force in the strict sense: they took username and password pairs leaked in other breaches and tried them against Spotify's login to see which ones matched an existing account. Thanks to the all too human habit of reusing passwords, they got away with as many as 350,000 user data records.
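The defining signature of credential stuffing is the one described above: a single source tries many different usernames, most fail, and a few succeed because those users reused a leaked password. The following detector is an added example (not code from the article or from Spotify) that runs over constructed login log lines in a hypothetical `timestamp ip username OK|FAIL` format and flags sources that match that pattern, while leaving a normal user who fumbles their own password alone.

```python
import re
from collections import defaultdict

# Constructed sample login log (not real Spotify data). Format assumed here:
# "<timestamp> <source ip> <username> <OK|FAIL>"
SAMPLE_LOG = """\
2020-11-01T10:00:01Z 203.0.113.7 alice@example.com FAIL
2020-11-01T10:00:02Z 203.0.113.7 bob@example.com FAIL
2020-11-01T10:00:03Z 203.0.113.7 carol@example.com OK
2020-11-01T10:00:04Z 203.0.113.7 dave@example.com FAIL
2020-11-01T10:00:05Z 203.0.113.7 erin@example.com FAIL
2020-11-01T10:00:06Z 203.0.113.7 frank@example.com OK
2020-11-01T10:00:07Z 203.0.113.7 grace@example.com FAIL
2020-11-01T10:00:08Z 203.0.113.7 heidi@example.com FAIL
2020-11-01T10:01:00Z 198.51.100.2 dave@example.com FAIL
2020-11-01T10:01:05Z 198.51.100.2 dave@example.com FAIL
2020-11-01T10:01:10Z 198.51.100.2 dave@example.com OK
2020-11-01T10:02:00Z 192.0.2.9 alice@example.com OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


def parse_log(text):
    """Parse log lines into (timestamp, ip, username, success) tuples.
    Lines that do not match the expected format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, ip, user, result = m.groups()
        events.append((ts, ip, user, result == "OK"))
    return events


def find_credential_stuffing(events, min_users=5, min_fail_ratio=0.6):
    """Flag source IPs that tried many distinct usernames with a high
    failure ratio. Returns {ip: summary}, where 'compromised' lists the
    usernames that the suspect source successfully logged into."""
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0,
                                  "failures": 0, "hits": set()})
    for _ts, ip, user, ok in events:
        stats = per_ip[ip]
        stats["users"].add(user)
        stats["attempts"] += 1
        if ok:
            stats["hits"].add(user)
        else:
            stats["failures"] += 1

    suspects = {}
    for ip, stats in per_ip.items():
        fail_ratio = stats["failures"] / stats["attempts"]
        # A legitimate user retrying one account, or a classic brute force
        # against one account, has few distinct usernames and is not flagged.
        if len(stats["users"]) >= min_users and fail_ratio >= min_fail_ratio:
            suspects[ip] = {
                "distinct_users": len(stats["users"]),
                "fail_ratio": round(fail_ratio, 2),
                "compromised": sorted(stats["hits"]),
            }
    return suspects


if __name__ == "__main__":
    for ip, summary in find_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, summary)
```

The accounts listed under `compromised` are the ones to force a password reset on, which is the action Spotify took. The per-IP threshold is deliberately simple; real stuffing campaigns are spread over proxy pools, so a production detector would also correlate on ASN, user agent and time window, and the lasting fix is on the account side: reject passwords that appear in known breach corpora and require a second factor.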

Things then take a turn that is both amusing and frightening. The hackers stored the stolen records on a cloud server with no access controls at all. Whether through sheer carelessness or intent, the effect was the same: anyone who happened upon that cloud storage had unrestricted access to the stolen Spotify user accounts. Fortunately, security researchers Ran Locar and Noam Rotem were among those who found it, but it is unknown whether others discovered it before they did.

The hackers, who may have disappeared in embarrassment, weren't exactly forthcoming about their intentions for the pilfered data. At most, it could have been used to game Spotify's ranking system or to "rent" accounts for a price. Spotify has already forced affected users to reset their passwords, so as far as Spotify is concerned that treasure trove may now be trash. Unfortunately, that might not be the end of the story.

If other hackers noticed the exposed credentials, that data may still be circulating, ready for use elsewhere. A Spotify password reset only protects Spotify; since recycled passwords were the root cause, the same username and password pairs are likely to still work on other services where those users reused them, and more capable attackers than these can try them there.