350,000 Spotify Users Singing The Blues As Victims Hit With ATO Fraud
By: Jim Stickley and Tina Davis
January 5, 2021
Many music lovers who use the Spotify streaming-music service recently found themselves victims of account takeover (ATO) fraud. The company claims up to 350,000 Spotify fans were hit with ATO fraud after a data breach compromised their personally identifiable information (PII). However, the breach itself cannot be blamed on Spotify: the fault lies with its third-party data storage service and a very avoidable data leak. Regardless of who is to blame, the end result is that up to 350,000 users are facing ATO fraud as a result of the breach, and many victims find themselves in the living nightmare of financial and identity fraud that these attacks create. So, if you haven’t changed your Spotify credentials yet, right now is a great time to do it.
ATO fraud has been growing in size and scope, up 72% in 2020. In this scenario, once an attacker gains entrance to a Spotify account, the stolen login credentials are “credential stuffed” into the victim’s other accounts. With automated help from bots, bad actors take compromised login credentials and try them on other accounts the victim has, hoping to get a match – and they usually do.
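The credential-stuffing pattern described above leaves a distinctive trace in authentication logs: one source trying many different usernames with mostly failed logins, unlike a real user who fumbles their own password a few times. The following Python is an added example, not code from the article or from Spotify; it runs a simple detector over constructed log lines in an assumed "timestamp ip user result" format, and the thresholds are assumptions to tune per service.

```python
from collections import defaultdict
import re

# Constructed sample log lines in an assumed "timestamp ip user result" format.
SAMPLE_LOG = """\
2021-01-05T10:00:01Z 203.0.113.7 alice@example.com FAIL
2021-01-05T10:00:02Z 203.0.113.7 bob@example.com FAIL
2021-01-05T10:00:02Z 203.0.113.7 carol@example.com OK
2021-01-05T10:00:03Z 203.0.113.7 dave@example.com FAIL
2021-01-05T10:00:04Z 203.0.113.7 erin@example.com FAIL
2021-01-05T10:00:09Z 198.51.100.20 grace@example.com FAIL
2021-01-05T10:00:15Z 198.51.100.20 grace@example.com FAIL
2021-01-05T10:00:22Z 198.51.100.20 grace@example.com OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")

def parse_log(text):
    """Yield (ip, user, success) tuples, skipping malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            _ts, ip, user, result = m.groups()
            yield ip, user, result == "OK"

def detect_stuffing(text, min_users=5, max_success_rate=0.5):
    """Flag sources that tried many distinct usernames with a low success
    rate; a real user fumbling their own password hits one name. Thresholds
    are assumptions to tune per service. Returns {ip: (users, tries, ok)}."""
    users, tries, ok = defaultdict(set), defaultdict(int), defaultdict(int)
    for ip, user, success in parse_log(text):
        users[ip].add(user)
        tries[ip] += 1
        ok[ip] += success
    return {ip: (len(users[ip]), tries[ip], ok[ip]) for ip in tries
            if len(users[ip]) >= min_users
            and ok[ip] / tries[ip] <= max_success_rate}

def stuffed_accounts(text):
    """Accounts that logged in successfully from a flagged source: these are
    the candidates for a forced password reset and session revocation."""
    flagged = detect_stuffing(text)
    return sorted({u for ip, u, success in parse_log(text)
                   if success and ip in flagged})

if __name__ == "__main__":
    print(detect_stuffing(SAMPLE_LOG))   # {'203.0.113.7': (5, 5, 1)}
    print(stuffed_accounts(SAMPLE_LOG))  # ['carol@example.com']
```

The one successful login from the flagged source is exactly the account a service should reset, which is what a forced password reset like Spotify's aims at.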
The breached database exposed Spotify user data including passwords, usernames, email addresses, and country of residence. Bad enough on its own, the ATO fraud may be just the beginning of further damage, because attackers can use the leaked PII to make a data breach even worse. With that PII, they can find users on social media and defraud them through online scams. Even though Spotify forced a password reset for those affected, experts agree that those victims remain at risk of being hacked on other sites and services.
Consider using a password manager for password and account security if you just can’t remember all of your passwords; with the average person having 130 online accounts, that’s understandable. Just remember to closely guard your master password. It’s also important to use identity authentication tools when available: two-factor authentication (2FA) or multi-factor authentication (MFA) gives your PII at least one additional layer of security when logging in. Whether your data was compromised in the Spotify breach or not, you can be sure other breaches will happen. Users can learn from this unfortunate event and choose to be cyber-smart: take every opportunity to bolster your login data and identity authentication.
Cybersecurity experts find that other factors helped make the Spotify breach and the resulting ATO fraud even worse. One huge factor is poor password choice, compounded by reusing that password for other accounts. Research shows 65% of people reuse the same password for multiple or all accounts, and even though 91% know the risks, 59% admit they do it anyway. Poor password hygiene extends the damage that ATO fraud and other hacks and scams can do: once a victim’s PII is exposed, bad actors abuse it for personal gain any way they can. If nothing else, this breach illustrates the importance of choosing unique and strong passwords for all accounts.