Music streaming titan Spotify has suffered its third data breach in the space of just a few weeks.
Spotify revealed in its official statement that the account registration information of its users was inadvertently exposed to some of Spotify’s business partners.
The first Spotify breach occurred in late November, when up to three hundred and fifty thousand user accounts were compromised in a successful credential stuffing attack.
In a credential stuffing attack, cyber attackers attempt to log in to accounts using credentials for other services that were exposed in historical data breaches. Since users are likely to recycle passwords, a single breach gives threat actors access to a swathe of services.
A week after this event, a cyber attacker calling himself “Daniel” compromised several celebrity Spotify pages, replacing their information with messages for people to follow him on Snapchat, signing off with “Trump 2020.”
Daniel also proclaimed his love for Taylor Swift in his messages and even replaced some artist profile images with those of Taylor Swift.
Users published evidence of compromised artist pages on Twitter.
Because this data breach exposed sensitive information to Spotify’s third-party network, and not to cybercriminals, the breached data may not be used for sinister activities.
Let’s hope the recipients comply with Spotify’s earnest request to immediately delete all inadvertently disclosed sensitive data.
“We have conducted an internal investigation and have contacted all of our business partners that may have had access to your account information to ensure that any personal information that may have been inadvertently disclosed to them has been deleted.”