Security researchers have helped Spotify tackle a potentially serious credential stuffing campaign after spotting an unsecured cloud database containing hundreds of millions of user records.

The team at vpnMentor found the database, hosted on a completely unsecured Elasticsearch server, back on July 3.

The 72GB data trove contained over 380 million records, including email addresses, countries of residence, and usernames and passwords for Spotify users. It claimed that around 300,000-350,000 users were affected.

Spotify responded to vpnMentor’s outreach immediately, on July 9.

“The exposed database belonged to a third party that was using it to store Spotify login credentials. These credentials were most likely obtained illegally or potentially leaked from other sources that were repurposed for credential stuffing attacks against Spotify,” vpnMentor noted.

“In response to our inquiry, Spotify initiated a ‘rolling reset’ of passwords for all users affected. As a result, the information on the database would be voided and become useless.”

As well as use the breached credentials to target other sites in credential stuffing campaigns, any malicious actors that discovered the database could have sought to sell Spotify premium account access, or launch follow-on phishing and identity theft attempts using these details and user emails.

“Credentials are a particular area in which users are left exposed because they either choose weak passwords or reuse them across different sites,” argued Javvad Malik, security awareness advocate at KnowBe4.

“It is why it is important that users understand the importance of choosing unique and strong passwords across their accounts and where available enable and use MFA. That way, even if an account is compromised, it is not possible for attackers to use those credentials to breach other accounts.”