The bigger you are as a digital service of any kind – from banking and shopping to social networking – the more hackers there’ll be poking at your security and at your customers. Spotify is no different: security-focused news site Threatpost has details of a new phishing scam that’s targeting the streaming service’s listeners. It takes the tried-and-tested form of emails that seem to come from Spotify itself, asking users to “confirm your account” by logging in to a website using their Spotify ID and password.
“Knowing just one password for a victim opens the door to a multitude of attack vectors,” said David Pickett of research firm AppRiver, which first discovered the new phishing campaign. “Knowing how someone creates a password offers a personal glimpse into their password creation mindset and probability of overall attack success. This also gives an opportunity for social engineering using the same information which is important to the victim.”
In Spotify’s case, people’s playlists and even their username can give clues about their habits that may be useful to attackers (“For instance, the use of a term like Fluffy84 might tell an attacker that the victim loves their cat, and was potentially born in 1984 — along with the format they might use to create other passwords”).
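The “word plus year” shape described above (a pet’s name followed by a birth year) is exactly the kind of pattern a service can refuse at sign-up or password-change time, before a leaked credential gives an attacker a template to reuse elsewhere. The following is an added example written for this page, not code from Spotify, AppRiver or Threatpost; the `COMMON_WORDS` list is a constructed stand-in for a real dictionary, and the 12-character minimum is an assumed policy value.

```python
import re

# Constructed stand-in for a real common-word list (assumption: production code
# would load a proper dictionary); entries are lowercase only.
COMMON_WORDS = {"fluffy", "password", "spotify", "music", "summer", "welcome", "kitty"}

# Matches a trailing run of 2-4 digits, optionally followed by punctuation,
# e.g. "Fluffy84" or "Summer2019!", splitting it into a word stem and the digits.
TRAILING_NUMBER = re.compile(r"^(?P<stem>.*?)(?P<digits>\d{2,4})(?P<tail>[^0-9a-z]*)$")

# Assumed minimum length for this example's policy.
MIN_LENGTH = 12


def password_findings(password):
    """Return a list of weak-pattern labels for a candidate password.

    The check is deliberately narrow: it targets the 'word + year-like number'
    shape discussed in the article, not overall entropy. An empty list means
    no finding was raised.
    """
    findings = []
    lowered = password.lower()
    stem = lowered
    match = TRAILING_NUMBER.match(lowered)
    if match:
        stem = match.group("stem")
        digits = match.group("digits")
        findings.append("trailing_number")
        # 19xx/20xx, or a bare two-digit number like "84", reads as a birth year.
        if (len(digits) == 4 and digits[:2] in ("19", "20")) or len(digits) == 2:
            findings.append("year_like_suffix")
    # Strip common separators so "fluffy_84" still resolves to the word "fluffy".
    stem = stem.rstrip("_-.! ")
    if stem in COMMON_WORDS:
        findings.append("dictionary_word_stem")
    if len(password) < MIN_LENGTH:
        findings.append("too_short")
    return findings


def is_acceptable(password):
    """Accept a password only when no finding was raised (this example's policy)."""
    return not password_findings(password)


if __name__ == "__main__":
    # Constructed sample candidates, including the article's own "Fluffy84".
    for candidate in ("Fluffy84", "Summer2019!", "abc123", "correct horse battery staple"):
        print(candidate, "->", password_findings(candidate) or "ok")
```

Running the block prints each finding list; `Fluffy84` is rejected for a dictionary stem, a year-like suffix and short length, while a long passphrase with no trailing digits passes. A real deployment would pair a check like this with a breached-password lookup, since a password that merely avoids the pattern can still be one already known to attackers.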