Researchers have discovered hundreds of thousands of stolen Spotify passwords in an unsecured database accessible to anyone on the Internet. The credentials had been stolen from other websites and then used to log in to Spotify accounts of users who reuse their passwords.
In total, the 72-gigabyte Elasticsearch database contained more than 380 million records.
These records include email addresses, usernames, passwords and the location of the users.
Elasticsearch is search engine software for indexing all kinds of information. It is used for searching websites, documents and applications, but can also be used for analytics, monitoring and data analysis.
In this case, the database belonged to a fraudster who verified through a credential stuffing attack that the stolen passwords also worked at Spotify. Credential stuffing uses previously leaked email addresses and passwords to gain automated access to accounts.
Attackers check whether login details stolen from website A also let them log in to website B.
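On the defending site's side, this pattern shows up in login logs as one source trying many different accounts with only one or two passwords each and mostly failing, which sets it apart from brute forcing a single account. The detection logic below is an added example, not part of the original article; the event format, thresholds, function name and sample data are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample login events: (source_ip, account, login_succeeded)
SAMPLE_EVENTS = (
    # One source, eight different accounts, one attempt each, one hit
    [("203.0.113.10", f"user{i}@example.com", i == 3) for i in range(8)]
    # Brute force: many passwords against a single account
    + [("198.51.100.7", "alice@example.com", False)] * 10
    # Ordinary user who mistyped a password once
    + [("192.0.2.5", "bob@example.com", False),
       ("192.0.2.5", "bob@example.com", True)]
    # Office NAT: several accounts, all logging in successfully
    + [("192.0.2.50", f"staff{i}@example.com", True) for i in range(5)]
)


def flag_credential_stuffing(events, min_accounts=5,
                             max_attempts_per_account=2,
                             max_success_ratio=0.2):
    """Return sources whose logins look like credential stuffing.

    Heuristic (thresholds are assumptions to tune per site): many
    distinct accounts, few attempts per account, low success ratio.
    """
    per_ip = defaultdict(lambda: defaultdict(list))
    for ip, account, ok in events:
        per_ip[ip][account].append(ok)

    findings = {}
    for ip, accounts in per_ip.items():
        attempts = sum(len(results) for results in accounts.values())
        successes = sum(ok for results in accounts.values() for ok in results)
        most_tries = max(len(results) for results in accounts.values())
        if (len(accounts) >= min_accounts
                and most_tries <= max_attempts_per_account
                and successes / attempts <= max_success_ratio):
            findings[ip] = {
                "accounts": len(accounts),
                "attempts": attempts,
                # Accounts where a reused password worked: reset these
                "compromised": sorted(a for a, r in accounts.items() if any(r)),
            }
    return findings


if __name__ == "__main__":
    for ip, detail in flag_credential_stuffing(SAMPLE_EVENTS).items():
        print(ip, detail)
```

The `compromised` list is the actionable output: those accounts accepted a reused password and should have their sessions revoked and passwords reset.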