A security researcher has discovered a hacking tool that groups of hackers are using to compromise Spotify accounts, International Business Times has learned.
The discovery of the tool, made by Collective Labs CEO Ryan Jackson, coincides with a recent increase in reports on social media of Spotify accounts being hacked — though Spotify itself has not suffered a direct security breach, according to the company.
The tool, called “Spotify Cracker v1,” was described by Jackson as a brute force hacking tool that allows hackers to hijack large numbers of Spotify accounts. Jackson shared with IBT a video of the tool in action, in which it appeared to identify several accounts and revealed the passwords in plaintext.
According to Jackson, the Spotify Cracker tool works by plugging in leaked login credentials (email address and password pairs), which it then uses to find the Spotify account associated with each address. The tool can then be used to compromise those accounts, whether free or Premium memberships.
Because of the number of breaches that have occurred in the past, there are massive lists of email addresses and passwords associated with those accounts available online. Those logins are bought and sold online and occasionally can be found floating around for free. Since many people use the same password for multiple sites, a breach from one service can result in a person having multiple accounts compromised.
Jackson said he found some emails and passwords in a file on Pastebin—a temporary and anonymous service that allows people to host text for free—and ran those through the tool. He said that in about 15 minutes, he was able to crack 100 accounts.
The ability to crack accounts en masse makes Spotify Cracker an imminent threat to Spotify’s more than 140 million active users, including more than 60 million paying subscribers who have credit card or PayPal information associated with their account that could be compromised.
Jackson said he found the tool in a private server on Discord—a popular, free online communications platform used primarily by gamers. The server, accessible by invitation only, is used by hackers to communicate, trade tips, tools and other information. Jackson has spent time with hacking groups including New World Hackers and Lizard Squad—two groups known for large and disruptive, albeit often relatively harmless, cyberattacks.
Those with access to it have been running the tool overnight, allowing it to crack as many as 20,000 accounts at a time, according to Jackson. He said the tool can crack as many as 10 accounts per 1.2 seconds and theorized that “millions of accounts” have already been breached using the tool.
“This tool is being traded and they are re-selling the accounts for less, $1 per account,” Jackson said, noting that the tool has thus far been contained within hacking communities. “It’s just being passed around as of right now.”
When contacted regarding the hacking tool, Spotify told IBT that it had not experienced a data breach but did not address the tool directly. “To be clear, Spotify has not experienced a security breach and our user records are secure,” a spokesperson for the company said.
“We do however pay attention to breaches of other services, and take steps to help our users secure their Spotify accounts when those occur, because many people use the same login and password combination for multiple services,” the spokesperson said. “Therefore, we review sites such as Pastebin and others for leaked user credentials which might be used to access Spotify.”
While Spotify may monitor for leaked credentials, its own lax security protocols enable tools like Spotify Cracker to operate. Currently, Spotify allows users to guess their password continuously and unencumbered, which, while potentially convenient for users who cannot remember their password, leaves accounts vulnerable to brute force attacks.
Without any sort of mechanism to lock a user out of an account after many wrong password attempts and no CAPTCHA in place to increase the burden on login attempts, it is possible for attackers to simply continue guessing passwords until they have successfully cracked an account.
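As an added illustration (not code from the article, Jackson or Spotify), the following login guard combines the two controls the article says are missing: per-account lockout after repeated wrong passwords, and per-source throttling, the point at which a CAPTCHA would be issued. The thresholds, account names and source addresses are constructed; the replay pace of the first scenario matches the article's figure of 10 accounts per 1.2 seconds.

```python
from collections import Counter, defaultdict, deque

# Constructed policy thresholds (assumptions for this example, not Spotify's real settings).
MAX_FAILS_PER_ACCOUNT = 5     # lock the account after this many consecutive failures
LOCKOUT_SECONDS, SOURCE_WINDOW_SECONDS = 900, 60
MAX_ATTEMPTS_PER_SOURCE = 20  # attempts per source address, across all accounts, per window

class LoginGuard:
    def __init__(self):
        self.fails = defaultdict(int)              # consecutive failures per account
        self.locked_until = {}                     # account -> unlock time
        self.source_attempts = defaultdict(deque)  # source -> attempt timestamps in window
    def check(self, account, source, now):
        """Decide whether an attempt may reach password verification at all."""
        if self.locked_until.get(account, 0) > now:
            return "locked"
        q = self.source_attempts[source]
        while q and now - q[0] > SOURCE_WINDOW_SECONDS:  # drop stale timestamps
            q.popleft()
        if len(q) >= MAX_ATTEMPTS_PER_SOURCE:
            return "throttled"  # where a CAPTCHA challenge would be issued
        q.append(now)
        return "allow"
    def record(self, account, ok, now):
        self.fails[account] = 0 if ok else self.fails[account] + 1
        if self.fails[account] >= MAX_FAILS_PER_ACCOUNT:
            self.locked_until[account] = now + LOCKOUT_SECONDS

def simulate(guard, attempts, valid):
    """attempts: (time, account, source, password) tuples; valid: account -> real password."""
    outcomes = []
    for t, account, source, pw in attempts:
        verdict = guard.check(account, source, t)
        if verdict == "allow":
            guard.record(account, valid.get(account) == pw, t)
            verdict = "success" if valid.get(account) == pw else "fail"
        outcomes.append(verdict)
    return outcomes

def stuffing_run():
    """Constructed: 100 leaked email/password pairs replayed from one address at 10 per 1.2 s."""
    valid = {f"user{i}@example.com": f"pw{i}" for i in range(100)}
    attempts = [(i * 0.12, f"user{i}@example.com", "198.51.100.7", f"pw{i}") for i in range(100)]
    return Counter(simulate(LoginGuard(), attempts, valid))

def guessing_run():
    """Constructed: one account hit with eight wrong guesses, then the right password."""
    valid = {"victim@example.com": "correct-horse"}
    attempts = [(i, "victim@example.com", "203.0.113.5", f"guess{i}") for i in range(8)]
    return simulate(LoginGuard(), attempts + [(8, "victim@example.com", "203.0.113.5", "correct-horse")], valid)
```

The two scenarios show why both controls are needed: the per-account lockout never fires during a credential replay (each account sees a single correct guess), so only the per-source throttle stops it, while repeated guessing against one account is caught by the lockout alone.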
Additionally, the streaming music service has given users little with which to protect themselves. Spotify doesn’t offer two-factor authentication, which would require that a secondary code sent to the user’s device be entered at each login attempt. Such an option would give users an additional line of defense against password breaches.
Spotify did not respond when asked if it intended to change any of its login practices or add additional security features for users.
Until Spotify provides additional security protections, Jackson advised users to take steps to protect themselves. “Spotify users should change their passwords quite frequently,” he said, and advised them to “use different passwords for everything.”
That advice is likely especially pertinent for Spotify users who have been noticing odd activity recently. Just last week, users of the Spotify community on Reddit noted receiving emails from the streaming service regarding unauthorized logins and account activity.
“I was wondering if it was just me. I was hacked on the morning of the 22nd. They reset the email and the password. Spotify thankfully helped me recover,” one user wrote. Another user said they received an email from Spotify alerting them that the email address associated with their account was changed. “So that’s why I can’t login,” the user wrote.