panapayment.blogg.se

Hacked spotify account






We're simply seeing the successful result of credential stuffing attacks.


If they had a breach then yes, hashes may be cracked, but that's not what's happening here. Then there's the fact that the password is in plain text and I don't know precisely how Spotify store their passwords, but it'd be a very safe bet that by now it's a decent modern-day hashing algorithm. They may not all be that bad (the next one in the list has only been seen twice), but the point is that it's a password that's clearly been seen before and were I to dig back into the source data, there's a good chance it's been seen in a breach alongside that email address too.

Just looking at them, they're obviously terrible, but plugging the first one into Pwned Passwords gives you a sense of just how terrible it is:

No, and the passwords are the very first thing that starts to give it all away.

Let's imagine you're the first person on the list: you get a notification from HIBP, you check out the paste and see your Hotmail account listed there alongside your Spotify password and the plan you're subscribed to.

Here's a perfect example of what I'm talking about, this one eventually triggering an email to me just last week:

When an HIBP subscriber's address appears in one of these incidents, they get an automated notification and often, it seems, they then reach out to me. Very often, those addresses are accompanied by other personal information such as passwords.


Many years ago, I introduced the concept of pastes to HIBP and what they essentially boil down to is monitoring Pastebin and a bunch of other services for when a trove of email addresses is dumped online. Time and time again, I get emails and DMs from people that effectively boil down to this: "Hey, that paste that just appeared in Have I Been Pwned is from Spotify, looks like they've had a data breach."
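The Pwned Passwords lookup mentioned above can also be done in code, which lets a service refuse passwords that are already circulating in the lists credential stuffing relies on. This is an added example, not code from the original post: it assumes the k-anonymity range API at api.pwnedpasswords.com, and `constructed_fetch`, the sample passwords and their counts are made up so the block runs offline.

```python
import hashlib
from typing import Callable, Tuple


def split_hash(password: str) -> Tuple[str, str]:
    """SHA-1 the password and split it into the 5-char prefix that is sent
    to the service and the 35-char suffix that never leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, body: str) -> int:
    """Parse 'SUFFIX:COUNT' lines; return the count for our suffix, else 0."""
    for line in body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix and count.isdigit():
            return int(count)
    return 0


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password has been seen, per the range response."""
    prefix, suffix = split_hash(password)
    return count_in_range(suffix, fetch_range(prefix))


def accept_new_password(password: str, fetch_range: Callable[[str], str],
                        threshold: int = 0) -> bool:
    """Policy check for signup or password change: reject anything seen
    more than `threshold` times."""
    return pwned_count(password, fetch_range) <= threshold


# Constructed sample data: passwords and counts are invented for this example.
CONSTRUCTED_CORPUS = {"password123": 2000000, "Summer2019!": 2}


def constructed_fetch(prefix: str) -> str:
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.
    A real client would perform that HTTPS request and return the body."""
    lines = ["0" * 35 + ":0"]  # padding-style entry with a zero count
    for pw, seen in CONSTRUCTED_CORPUS.items():
        p, s = split_hash(pw)
        if p == prefix:
            lines.append(f"{s}:{seen}")
    return "\r\n".join(lines)


if __name__ == "__main__":
    for pw in ("password123", "Summer2019!", "xk7#Vq-long-unique-passphrase"):
        print(pw, pwned_count(pw, constructed_fetch))
```

Even a password seen only twice is rejected at the default threshold, which matches the post's point that any previously seen password is a candidate for reuse against the same account.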






