Full Report
Spotify has suffered its third data breach in the space of a few weeks.
Analysis Summary
# Incident Report: Multiple Credential-Based Compromises at Spotify (Late 2020)
## Executive Summary
Spotify experienced three separate data-related security incidents in late 2020, culminating in a public disclosure concerning the inadvertent exposure of user account registration information to certain business partners. The initial incident involved a large-scale credential stuffing attack compromising 350,000 user accounts. Subsequently, an unauthorized actor gained control of celebrity Spotify pages to post unauthorized political and personal messages. The regulatory response focused on ensuring business partners deleted inadvertently exposed user data.
## Incident Details
- **Discovery Date:** Late November 2020 (first incident; the subsequent events followed shortly after)
- **Incident Date:** Late November to December 2020
- **Affected Organization:** Spotify Technology S.A.
- **Sector:** Media/Streaming Services
- **Geography:** International (incorporated in Luxembourg, headquartered in Stockholm, Sweden)
## Timeline of Events
### Initial Access
- **Date/Time:** Late November 2020 (First incident)
- **Vector:** Credential Stuffing Attack
- **Details:** Threat actors utilized credentials exposed in previous, unrelated data breaches to gain unauthorized access to up to 350,000 user accounts on Spotify.
### Lateral Movement
- Not explicitly detailed for the credential stuffing attack. In the second event the attacker took control of several celebrity Spotify pages, which suggests that compromised credentials were used to take over those specific accounts.
### Data Exfiltration/Impact
- **First Incident:** Compromise of up to 350,000 user accounts (credential stuffing).
- **Second Incident:** Unauthorized modification of celebrity artist pages (profile images changed, messages posted referencing "Trump 2020" and Snapchat handles).
- **Third Incident (Disclosure):** Account registration information of users was inadvertently disclosed to some of Spotify’s business partners.
### Detection & Response
- **Detection (Partner Disclosure):** No detection details are given for the credential stuffing attack. The final disclosure suggests the partner exposure was detected only after it had occurred, prompting an internal investigation.
- **Response Actions (Partner Disclosure):** Spotify conducted an internal investigation and contacted all affected business partners, requesting immediate deletion of any inadvertently disclosed personal information.
## Attack Methodology
- **Initial Access:** Credential Stuffing (using previously compromised credentials from other services) and unauthorized access to specific authenticated accounts (celebrity pages).
- **Persistence:** Not explicitly detailed, but necessary for the page takeovers.
- **Privilege Escalation:** Not detailed; the page takeovers likely relied on weak or reused passwords for account takeover rather than on any escalation within the platform.
- **Defense Evasion:** Not detailed.
- **Credential Access:** Exploitation of credentials recycled from *other* breaches.
- **Discovery:** Not detailed.
- **Lateral Movement:** Not detailed.
- **Collection:** Account registration information of some users reached business partners through the inadvertent disclosure.
- **Exfiltration:** Not detailed for the credential stuffing, but data was 'disclosed' to partners in the third event.
- **Impact:** Account compromise and unauthorized content posting; unintentional data exposure to third parties.
## Impact Assessment
- **Financial:** Not quantified in the report.
- **Data Breach:** Account registration information exposed to business partners. Up to 350,000 accounts compromised in the initial credential stuffing attack.
- **Operational:** Temporary disruption/defacement of several high-profile artist pages.
- **Reputational:** Public scrutiny following the third breach disclosure in a short period.
## Indicators of Compromise
*The source article provides no threat intelligence artifacts; the behavioral indicators below are inferred from the described events rather than taken from published IoCs.*
- **Network indicators:** None provided.
- **File indicators:** None provided.
- **Behavioral indicators:** Login activity on up to 350,000 accounts from unfamiliar sources; unauthorized updates to verified artist profile metadata (profile images and posted messages).
## Response Actions
- **Containment:** Internal investigation launched following disclosure/realization of partner exposure.
- **Eradication:** Contacting business partners to ensure immediate deletion of inadvertently disclosed personal data.
- **Recovery:** Restoring compromised celebrity pages to original state.
## Lessons Learned
- Widespread password reuse left a large segment of the user base exposed to credential stuffing: credentials leaked in unrelated breaches worked unchanged on Spotify.
- Data sharing and access controls with third-party business partners need robust auditing so that user data cannot be disclosed inadvertently.
## Recommendations
- Strongly encourage or enforce Multi-Factor Authentication (MFA) for all user accounts so that a reused password alone is not enough to take over an account.
- Review and audit the data access policies and data retention schedules of every business partner that receives user data.
- Enhance real-time anomaly detection to spot high volumes of login failures spread across many distinct accounts, the pattern characteristic of credential stuffing.
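As an added example (not part of the report or of Spotify's own tooling), the detection logic the last recommendation describes, run over constructed authentication log lines in an assumed `src=... user=... result=...` layout: it separates credential stuffing (many distinct accounts tried from one source, mostly failing) from brute force against a single account, and lists the successful logins from a flagged source as the accounts to reset.

```python
"""Credential-stuffing detector over authentication events (added example).

A stuffing source tries MANY distinct usernames with one or two passwords each and
a small fraction succeeds; per-source distinct-user count plus failure share catches
that where a per-account lockout rule does not. Log layout and thresholds are assumed.
"""
from collections import defaultdict
import re

# Constructed sample events: "<timestamp> src=<ip> user=<username> result=<ok|fail>"
SAMPLE_LOG = """\
2020-11-20T10:00:01Z src=203.0.113.7 user=alice result=fail
2020-11-20T10:00:01Z src=203.0.113.7 user=bob result=fail
2020-11-20T10:00:02Z src=203.0.113.7 user=carol result=ok
2020-11-20T10:00:02Z src=203.0.113.7 user=dave result=fail
2020-11-20T10:00:03Z src=203.0.113.7 user=erin result=fail
2020-11-20T10:00:03Z src=203.0.113.7 user=frank result=fail
2020-11-20T10:00:04Z src=203.0.113.7 user=grace result=ok
2020-11-20T10:00:05Z src=198.51.100.9 user=heidi result=fail
2020-11-20T10:00:09Z src=198.51.100.9 user=heidi result=fail
2020-11-20T10:00:15Z src=198.51.100.9 user=heidi result=ok
2020-11-20T10:00:20Z src=192.0.2.44 user=ivan result=ok
"""

LINE_RE = re.compile(r"src=(\S+) user=(\S+) result=(ok|fail)")

def detect_credential_stuffing(log_text, min_users=5, min_fail_ratio=0.6):
    """Return {src: {"users": n, "fails": n, "compromised": [usernames]}} for sources
    that tried at least min_users distinct accounts with a high failure share.
    Thresholds are illustrative; tune them against the service's own baseline."""
    per_src = defaultdict(lambda: {"users": set(), "fails": 0, "ok_users": []})
    for m in LINE_RE.finditer(log_text):
        src, user, result = m.groups()
        stats = per_src[src]
        stats["users"].add(user)
        if result == "fail":
            stats["fails"] += 1
        else:
            stats["ok_users"].append(user)
    flagged = {}
    for src, s in per_src.items():
        attempts = s["fails"] + len(s["ok_users"])
        if len(s["users"]) >= min_users and s["fails"] / attempts >= min_fail_ratio:
            # Successful logins from a stuffing source are the accounts to force-reset.
            flagged[src] = {"users": len(s["users"]), "fails": s["fails"],
                            "compromised": sorted(s["ok_users"])}
    return flagged

if __name__ == "__main__":
    for src, info in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"{src}: {info['users']} accounts tried, {info['fails']} failures, "
              f"likely compromised: {info['compromised']}")
```

The single-account source 198.51.100.9 is deliberately not flagged: three failures on one username is a brute-force or forgotten-password pattern, not stuffing, and conflating the two is what makes naive failure-count alerts noisy.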