Israeli researchers have found: Hackers broke into Spotify to inflate listen counts

The attack relied on a database of usernames and passwords, including a vast number of Israeli users, to log in to Spotify, artificially inflate the number of listens, and even let someone obtain a Spotify membership online by ‘riding’ on another active customer's account.

Monday, November 23, 2020, 19:29 GMT

Israeli cyber researchers have uncovered an attack on Spotify in which stolen credentials were used to log in to the popular music service, inflate the number of listens for certain songs, and sell login details to other customers.

Hackers Noam Rotem and Ran Locar, working with the vpnMentor research team, detected the activity. Together with Spotify, the researchers were able to shut the operation down. The identity of those behind the attack remains unknown.

At the heart of the operation was a complex command and control (C&C) system, which used a database of 380 million usernames and passwords, including many Israeli users, to log in to Spotify. Between 300,000 and 400,000 Spotify users were affected by the attack, according to the researchers. The database records were not leaked from Spotify itself but were collected from other data dumps, which the operators of the servers then ran against popular online services in order to find login details of users who reuse the same password across several services.

“The entry point was an open logging system that showed the actions performed (connecting to an account, checking a password, playing a song, etc.),” Rotem told Calcalist. “From there they left passwords and additional addresses that led to additional servers, so we were exposed to the hackers' entire network at the administrator level.”

The incident, the researchers emphasize in a post they published, did not start on Spotify. “The disclosed database belongs to a third party who used it to store Spotify login information,” they wrote.

“At the beginning of our investigation we contacted Spotify to present them with the initial findings. Together we concluded that the database owner obtained login information from other sites and used them on Spotify accounts. In the past, in light of the widespread use of weak passwords, companies cannot control it, because they have no way to prevent consumers from reusing passwords in several services simultaneously.”

When the attackers identified login details that matched an active Spotify account, they used them for two main purposes. The first: fraud against the company itself, by generating listens for certain songs (Spotify pays royalties for each song played on the service, and even though each play earns only a few cents, in large volumes this can add up to a significant income). Because anyone can create a “song” and upload it to Spotify, attackers could, in principle, upload ghost songs to the service, use the hijacked accounts to play them, and rake in handsome royalties.

The second goal: to sell stolen login information to users under the guise of a “lifetime subscription” to Spotify. This is a known scam that many paid services deal with. Hostile entities obtain login information for a service and then sell it on sites like eBay, claiming it is a one-time payment for a lifetime subscription, when in practice the buyer is purchasing the username and password of another user, and logs in to the service to enjoy the content at that user's expense. Not infrequently, the original user will find that someone is “riding” on their subscription, will change their password, and the “lifetime” subscription offered to the buyer will be cut off.

Following the request of the Israeli investigators, Spotify forced all users whose details were affected by the operation to reset their password, thus rendering the stolen login details unusable and effectively shutting the operation down.
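As an added illustration (not from the article or the researchers), the credential-stuffing pattern described above and Spotify's forced-reset response can be expressed as detection logic over constructed authentication log lines: a source that tries many distinct accounts with a low success rate is flagged, and the accounts it did get into are the ones to reset. The log format, the sample IPs and accounts, and the thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample authentication log (not real Spotify data):
# timestamp, source IP, account, result
SAMPLE_LOG = """\
2020-11-20T10:00:01Z 203.0.113.7 alice@example.com FAIL
2020-11-20T10:00:02Z 203.0.113.7 bob@example.com FAIL
2020-11-20T10:00:02Z 203.0.113.7 carol@example.com SUCCESS
2020-11-20T10:00:03Z 203.0.113.7 dave@example.com FAIL
2020-11-20T10:00:03Z 203.0.113.7 erin@example.com FAIL
2020-11-20T10:00:04Z 203.0.113.7 frank@example.com SUCCESS
2020-11-20T10:00:05Z 198.51.100.9 alice@example.com FAIL
2020-11-20T10:00:09Z 198.51.100.9 alice@example.com SUCCESS
2020-11-20T10:01:00Z 192.0.2.5 grace@example.com SUCCESS
"""


def parse_log(text):
    """Parse log lines into (timestamp, source, account, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        ts, src, account, result = line.split()
        events.append((ts, src, account, result == "SUCCESS"))
    return events


def find_stuffing_sources(events, min_accounts=5, max_success_rate=0.5):
    """Flag sources that tried many distinct accounts with mostly failures.

    A legitimate user retrying one account is not flagged; a credential
    list being replayed across many accounts is. Thresholds are assumed.
    """
    accounts = defaultdict(set)
    attempts = defaultdict(int)
    successes = defaultdict(int)
    for _, src, account, ok in events:
        accounts[src].add(account)
        attempts[src] += 1
        successes[src] += int(ok)
    return {src for src in accounts
            if len(accounts[src]) >= min_accounts
            and successes[src] / attempts[src] <= max_success_rate}


def accounts_to_reset(events, flagged_sources):
    """Accounts a flagged source logged into: candidates for a forced reset."""
    return {account for _, src, account, ok in events
            if ok and src in flagged_sources}
```
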

“This is a great example of how a hole in information security can bring down an operation in which quite a few resources have been invested,” Rotem said. “This is true of criminal networks, like the one we saw here, and it is true of governmental and commercial organizations. One small hole can sink an entire ship, and no organization is exempt from maintaining high standards of protection.”