The importance of choosing a strong, unique password for every account you create has been highlighted by a recent incident at the music streaming service Spotify. Security researchers identified a database exposed on the Internet that contained around 300 million username and password combinations. It is unclear where the database came from, although it was most likely compiled from the data leaked in several earlier breaches of other online platforms.
Interestingly, each record in the 300 million-record database included a field stating whether the username/password pair could be used to log in to a Spotify account successfully. According to the researchers, an estimated 300,000 to 350,000 Spotify accounts could be accessed with those credentials.
This breach clearly demonstrates how a data breach at one company can provide the usernames and passwords to gain access to accounts at another. When a username/password is obtained in a cyberattack, it can be used to try to access other accounts that share the same username. A username is often an email address. People may have more than one email address, but there is usually one that is used across most platforms. There is nothing wrong with that of course, but there is a problem with using the same password with that email address on multiple online platforms.
If there is a breach at one platform, the password can be used to access many other accounts. In this example, up to 350,000 Spotify users had reused their password on more than one platform. The Spotify breach victims may well have had several other accounts breached if they used their password on other platforms too.
The credentials to the breached Spotify accounts could easily be sold to anyone who wanted a cheap Spotify Premium account. There have been many reports of passwords being changed to lock the real account holder out of their account. The accounts also contain personal information that could be used in further attacks, such as to craft convincing phishing emails to obtain the information needed for identity theft and other types of fraud.
Trying 300 million username and password combinations by hand would take a very long time, but the process is automated. An army of bots works its way through a huge list of username/password pairs, typically spread across many source IP addresses so that no single address trips a rate limit, and records which pairs work. Attackers can also supplement the leaked pairs with a list of commonly used passwords for each username, which increases the hit rate further, because many people choose passwords that are easy to remember and therefore easy to guess.
The process of taking username/password pairs leaked from one service and trying them, at scale, against the login pages of other services is called credential stuffing, and it is an effective way of breaching accounts. It differs from a brute-force attack, which hammers one account with many password guesses: a credential-stuffing bot usually tries each account only once or twice, so it is the number of distinct accounts attempted from one source, not the number of failures per account, that gives it away. Recently there has been a spate of credential stuffing attacks on companies in the retail, travel, and hospitality sectors. One report indicates that of the 100 billion credential stuffing attempts observed between July 1, 2018 and June 30, 2020, 64% were directed at companies in those sectors.
Successful data breaches can result in the theft of hundreds of millions of username and password combinations. Those credentials can be tried against a wide range of other accounts, and since many people reuse passwords from personal accounts for their work accounts – such as Office 365 – one set of Spotify credentials could easily lead to a business Office 365 breach. A single Office 365 account is all that is needed to launch further attacks on the company and cause a more widespread and harmful data breach.
The solution to protecting against credential stuffing attacks is simple. Use a unique, strong password on every different account and use a password manager so you do not have to remember all of those passwords. Just set a very strong password for your password manager, and that means you just have one password to remember.
Businesses also need to take steps to detect and block these attacks and to prevent compromised credentials from being used to access employee accounts. Multi-factor authentication is a must: a stolen password alone is then not enough to log in. Breaching Spotify accounts was easier than on many other platforms because, at the time of writing, Spotify does not support multi-factor authentication.
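The distinguishing shape of credential stuffing described above (one source, many different accounts, one or two attempts each, spread over a short window) is something a business can look for in its own authentication logs. The following is an added example, not code from the article or from SpamTitan: it parses a handful of constructed log lines in a hypothetical "timestamp user ip result" format, classifies each source IP as credential stuffing, brute force, or benign, and lists the accounts that a stuffing source logged into successfully, which are the ones to lock and reset. The thresholds and the log format are assumptions for the example.

```python
"""Spot credential-stuffing sources in authentication logs.

Added example, not from the original article. The log format and the
thresholds below are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: "<ISO timestamp> <user> <source ip> <OK|FAIL>".
# 198.51.100.7 tries seven different accounts once each (stuffing),
# 203.0.113.9 hammers one account (brute force), 192.0.2.33 is a user
# who mistyped a password once.
SAMPLE_LOG = """\
2020-11-20T10:00:01 alice@example.com 198.51.100.7 FAIL
2020-11-20T10:00:02 bob@example.com 198.51.100.7 FAIL
2020-11-20T10:00:02 carol@example.com 198.51.100.7 OK
2020-11-20T10:00:03 dave@example.com 198.51.100.7 FAIL
2020-11-20T10:00:04 erin@example.com 198.51.100.7 FAIL
2020-11-20T10:00:05 frank@example.com 198.51.100.7 FAIL
2020-11-20T10:00:06 grace@example.com 198.51.100.7 OK
2020-11-20T10:00:10 alice@example.com 203.0.113.9 FAIL
2020-11-20T10:00:11 alice@example.com 203.0.113.9 FAIL
2020-11-20T10:00:12 alice@example.com 203.0.113.9 FAIL
2020-11-20T10:00:13 alice@example.com 203.0.113.9 FAIL
2020-11-20T10:00:14 alice@example.com 203.0.113.9 FAIL
2020-11-20T10:00:15 alice@example.com 203.0.113.9 OK
2020-11-20T10:05:00 heidi@example.com 192.0.2.33 FAIL
2020-11-20T10:05:30 heidi@example.com 192.0.2.33 OK
"""


def parse(log_text):
    """Turn log lines into (timestamp, user, ip, success) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, result == "OK"))
    return events


def classify_sources(events, window=timedelta(minutes=1),
                     min_attempts=5, min_distinct_ratio=0.8):
    """Map each source IP to (label, attempts, distinct_users, successes).

    The busiest `window` of attempts per IP is examined. Many attempts
    spread over many distinct users is "stuffing"; many attempts against
    few users is "brute-force"; anything below min_attempts is "benign".
    """
    by_ip = defaultdict(list)
    for ts, user, ip, ok in events:
        by_ip[ip].append((ts, user, ok))

    verdicts = {}
    for ip, rows in by_ip.items():
        rows.sort()
        # Sliding window: keep the densest run of attempts within `window`.
        best = []
        for i, (start, _, _) in enumerate(rows):
            j = i
            while j < len(rows) and rows[j][0] - start <= window:
                j += 1
            if j - i > len(best):
                best = rows[i:j]
        attempts = len(best)
        distinct = len({user for _, user, _ in best})
        successes = sum(1 for _, _, ok in best if ok)
        if attempts < min_attempts:
            label = "benign"
        elif distinct / attempts >= min_distinct_ratio:
            label = "stuffing"
        else:
            label = "brute-force"
        verdicts[ip] = (label, attempts, distinct, successes)
    return verdicts


def compromised_accounts(events, verdicts):
    """Accounts successfully logged into from a source judged to be stuffing."""
    bad_ips = {ip for ip, (label, *_ ) in verdicts.items() if label == "stuffing"}
    return sorted({user for _, user, ip, ok in events if ok and ip in bad_ips})


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    verdicts = classify_sources(ev)
    for ip, (label, n, d, s) in sorted(verdicts.items()):
        print(f"{ip}: {label} ({n} attempts, {d} distinct users, {s} successes)")
    print("lock and reset:", compromised_accounts(ev, verdicts))
```

The per-IP view is deliberately simple. Real stuffing campaigns rotate through proxy and residential IP pools precisely to stay under per-source thresholds, so the same logic should also be run per user agent, per ASN, and on the global ratio of failed logins to distinct usernames. Detection limits the damage; multi-factor authentication is what makes a stolen password useless on its own.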
An email security solution such as SpamTitan Cloud is also important for protecting against the email vector in the attacks on businesses. SpamTitan Cloud blocks malicious messages such as phishing attempts and, through outbound email scanning, will help you prevent any compromised mailboxes from being used in more extensive attacks on your organization.