Hackers don't always use sophisticated tactics or next-gen technology to break into the accounts of their victims. In some cases, all it takes is a little bit of guesswork. It's a technique known as "credential stuffing," and it's becoming more commonplace than you might realize.
What is Credential Stuffing?
Credential stuffing was used in a recent incident involving approximately 350,000 user accounts from Spotify. Renowned for its music streaming services, Spotify is a premium app that lets paying users access songs from countless musicians and artists around the world. Unfortunately, it seems that many of its paying users are simply reusing the same passwords they've used elsewhere.
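From the defender's side, credential stuffing has a recognizable shape: one source tries a single leaked password against many different accounts, so the login log shows a source touching many distinct usernames with a high failure rate in a short window, plus a handful of successes (the reused passwords) that are exactly the accounts needing a forced reset. The following is an added example, not code from Spotify or from the original article; the log format, the sample lines (all constructed, using documentation IP ranges) and the thresholds are assumptions chosen for illustration.

```python
"""Flag credential-stuffing sources in an authentication log (added example).

Unlike a brute-force attack (many passwords, one account), stuffing is one
password per account across many accounts. The signal used here is therefore:
a source that hits >= min_users distinct usernames within `window` with a
failure ratio >= min_fail_ratio. Successful logins inside a flagged window are
reported so those accounts can be reset, as Spotify did for affected users.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Constructed sample log lines; the "ts src= user= result=" format is assumed.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z src=203.0.113.7 user=alice result=FAIL
2024-03-01T10:00:02Z src=203.0.113.7 user=bob result=FAIL
2024-03-01T10:00:02Z src=203.0.113.7 user=carol result=OK
2024-03-01T10:00:03Z src=203.0.113.7 user=dave result=FAIL
2024-03-01T10:00:03Z src=203.0.113.7 user=erin result=FAIL
2024-03-01T10:00:04Z src=203.0.113.7 user=frank result=FAIL
2024-03-01T10:00:05Z src=203.0.113.7 user=grace result=OK
2024-03-01T10:00:06Z src=203.0.113.7 user=heidi result=FAIL
2024-03-01T10:00:07Z src=203.0.113.7 user=ivan result=FAIL
2024-03-01T10:00:08Z src=203.0.113.7 user=judy result=FAIL
2024-03-01T10:05:00Z src=198.51.100.2 user=alice result=FAIL
2024-03-01T10:05:20Z src=198.51.100.2 user=alice result=OK
2024-03-01T11:30:00Z src=192.0.2.9 user=bob result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


@dataclass
class Event:
    ts: datetime
    src: str
    user: str
    ok: bool


def parse_log(text):
    """Parse log text into Event objects; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(Event(ts, m["src"], m["user"], m["result"] == "OK"))
    return events


def find_stuffing_sources(events, window=timedelta(minutes=10),
                          min_users=5, min_fail_ratio=0.6):
    """Return {src: summary} for sources whose activity looks like stuffing.

    A sliding window per source: for each event, consider the events from that
    source within `window` ending at it. The summary kept for a source is the one
    with the most distinct usernames seen in any flagged window.
    """
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):  # stable sort keeps log order
        by_src[e.src].append(e)

    flagged = {}
    for src, evs in by_src.items():
        start = 0
        for end, e in enumerate(evs):
            while evs[start].ts < e.ts - window:  # drop events older than window
                start += 1
            win = evs[start:end + 1]
            users = {w.user for w in win}
            fails = sum(1 for w in win if not w.ok)
            ratio = fails / len(win)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                prev = flagged.get(src)
                if prev is None or len(users) > prev["distinct_users"]:
                    flagged[src] = {
                        "distinct_users": len(users),
                        "attempts": len(win),
                        "fail_ratio": round(ratio, 2),
                        # accounts whose reused password worked: reset these first
                        "successful_accounts": sorted({w.user for w in win if w.ok}),
                    }
    return flagged


if __name__ == "__main__":
    for src, info in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(src, info)
```

On the sample data the single stuffing source (203.0.113.7) is flagged with 10 distinct users, 8 failures out of 10 attempts and two accounts (carol, grace) whose reused password succeeded; the user who mistyped once and then logged in, and the ordinary single success, are not flagged. Thresholds should be tuned to the service's real baseline, since a shared NAT or corporate proxy can legitimately show many users from one address with a lower failure ratio.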
It's hard to blame them. With so many different sites today, most of which require login credentials at some level, most users just take the easiest route ahead of them. However, this is never the best course of action.
Experts can't say for certain how the hackers originally got hold of these login credentials. It's unclear whether they uncovered them through their own nefarious means, or whether they simply compiled credentials already known from breaches of other sites.
In either case, the hackers weren't exactly a gang of masterminds. In an ironic twist of fate, they actually posted the entire list of verified credentials on an unsecured cloud database. As a result, anyone with a modern web browser could have accessed these records on their own.
However, it's still not clear if that happened at all. It's very possible that nobody noticed the unsecured database. After all, they'd have to know exactly where to look – and they would have had to look within a very short timeframe.
Regardless, the damage was definitely kept to a minimum. Spotify's dev team was able to move swiftly to rectify the situation, and it immediately sent password reset emails to the affected customers.
Spotify has even taken it one step further by adding a helpful list of hints and tips that are meant to help users secure their accounts, including:
- Using a long password that contains a combination of letters, numbers, and special characters.
- Using a different password for each online service you use. This is so that, if one service does become compromised, all your other service accounts aren’t at risk as well.
- Changing your password frequently.
The Problem is More Common Than You Think
Unfortunately, the problem of reusing passwords is far more common than you might think. A recent Google survey revealed that at least 65% of users reuse their passwords across multiple sites. In another survey, 91% of respondents reported knowing the risks involved with reusing passwords, but 59% of those respondents do it anyway.
The problem seems to be extremely common amongst millennials, too, with approximately 76% of millennials reporting that they commonly reuse passwords. In yet another alarming statistic, those who reuse passwords typically use the same one on an average of 14 different websites. As you might expect, practices like this are just making it easier for hackers to uncover and reuse your login credentials.
Hackers Use Reused Passwords to Hack Spotify Accounts