This blog was written by Bruce Snell.
One of my favorite scenes in The Avengers is when Captain America tells Bruce Banner that he needs to get angry and Banner replies, “That’s my secret Cap, I’m always angry.” That’s a lot like information security; websites are always under attack. Today there were two account lists posted online that we think you should know about, Spotify and Minecraft.
It’s a great time for music fans (myself included) with access to so many great streaming services. Of course, the popularity of these services also makes them a big target for cybercriminals, with lifetime account access being sold on many Dark Web websites for relatively low prices.
A list containing hundreds of Spotify account credentials was posted online April 23rd. This list includes email addresses, usernames, passwords, account type (personal, family, etc.) and other details. According to a statement given to Billboard, Spotify said that it has “not been hacked and our user records are secure. We monitor Pastebin and other sites regularly. When we find Spotify credentials, we first verify that they are authentic, and if they are, we immediately notify affected users to change their passwords.”
However, many users have reported on social media that they have seen indicators of their account being compromised.
What led people to think they have been hacked?
- Songs in the “recently played” list that they didn’t play themselves
- Kicked out of Spotify while listening
- When logging in, they found their account email changed to a new email address that did not belong to them
- Received an email indicating their email address has been changed
While the official word from Spotify is that there has not been a breach, if you are using a username and password (as opposed to logging in with Facebook) you should immediately change your password.
A confirmed breach that hit the news this week involves the insanely popular game, Minecraft. If you’re not familiar with Minecraft, it is an open-world game that allows people to build complete worlds from the ground up and share them with others.
Minecraft can be played on many different platforms, including smartphones and tablets. While it is possible to run your own Minecraft server, many people join a community that provides access to shared servers for players. One such community, known as Lifeboat, had more than 7 million accounts compromised in a single breach. According to the website “Have I Been Pwned”, this breach represents the 8th highest volume of accounts compromised since the site was created.
Minecraft is especially popular with kids (my nephews are Minecraft fanatics!), so parents should pay attention to this breach and encourage their children to change their password.
How do I know if my account has been compromised?
When breaches like these happen, it’s common for the lists to be published on the Internet to sites like Pastebin. When these lists show up, sites like Have I Been Pwned will let you search to see if your email address has shown up in any lists of compromised accounts. There are a couple of caveats that go along with this. If you go to a site that claims to let you search to see if your password has been compromised, do not enter your passwords. It is most likely an attempt to farm passwords. Additionally, the lists that are posted online are sometimes just a sample of the entire list. This is a way for cybercriminals reselling lists of credentials to show potential buyers that there is legitimate account information included. So even if your email address doesn’t show up, you should still change your password.
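To make the two caveats above concrete, here is an added example (my own illustration, not code from the original post or from any breach-notification service) of what a legitimate lookup does and does not need from you. The breach list is a constructed sample, not real data. Searching by email address only needs the address itself. A trustworthy password check, by contrast, never needs the full password: the client hashes the password locally and sends only a short prefix of the hash, and the server returns every known hash suffix sharing that prefix, so the comparison happens on the client. That prefix-range approach is a general technique I am assuming here for illustration; the post itself does not describe it. Any site that asks you to type in your actual password to “check” it is doing something this design shows to be unnecessary.

```python
import hashlib

# Constructed sample of a posted credential list (NOT real data), in the
# shape such dumps often take: email, account type, password, colon-separated.
SAMPLE_DUMP = """\
alice@example.com:Premium:hunter2
Bob.Smith@Example.org:Family:correcthorse
carol@example.net:Free:P@ssw0rd!
"""


def parse_dump(text):
    """Parse 'email:account_type:password' lines into a list of records."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.count(":") < 2:
            continue  # skip blank or malformed lines
        email, acct_type, password = line.split(":", 2)
        rows.append({"email": email.strip().lower(),
                     "type": acct_type.strip(),
                     "password": password})
    return rows


def email_in_dump(email, rows):
    """Email lookup as breach-notification sites do it: case-insensitive match.
    The email address is the only thing the user has to supply."""
    wanted = email.strip().lower()
    return any(r["email"] == wanted for r in rows)


def sha1_hex(password):
    """Uppercase hex SHA-1 of the password; used only as a lookup key."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_password_index(rows):
    """Server side: map a 5-character hash prefix to the set of 35-character
    suffixes of every breached password hash sharing that prefix."""
    index = {}
    for r in rows:
        h = sha1_hex(r["password"])
        index.setdefault(h[:5], set()).add(h[5:])
    return index


def range_query(index, prefix):
    """Server side: answer a prefix ('range') query. The server learns only
    five hex characters of the hash, never the password or its full hash."""
    return index.get(prefix, set())


def password_exposed(password, index):
    """Client side: hash locally, send only the prefix, compare suffixes at home.
    Returns True if the password appears in the (sample) breach corpus."""
    h = sha1_hex(password)
    return h[5:] in range_query(index, h[:5])


if __name__ == "__main__":
    rows = parse_dump(SAMPLE_DUMP)
    print("alice@example.com in dump:", email_in_dump("alice@example.com", rows))
    index = build_password_index(rows)
    print("'hunter2' exposed:", password_exposed("hunter2", index))
    print("'hunter3' exposed:", password_exposed("hunter3", index))
```

Note that `range_query` stands in for the remote service; in a real deployment it would be an HTTPS request carrying just the five-character prefix, and the suffix comparison in `password_exposed` would still run on your own machine. Also note the second caveat from the post: `email_in_dump` can only answer for the rows that were actually posted, so a negative result says nothing about the rest of a list the criminals kept back.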
What do I do if my account has been compromised?
- Log out from all your devices: With services like Spotify (or Netflix, Hulu, etc.) that allow you to log in on multiple devices, someone could potentially log in with a compromised account and then remain logged in after you have changed the password. To avoid this, most services give you the option to log out of all devices. For Spotify, you first click on the “Account” option in the top right corner of the desktop app.
This will open a browser that takes you to your account info. Scroll all the way to the bottom and click “SIGN OUT EVERYWHERE”.
- Change your password: if you have an account with Spotify or Lifeboat, you need to change your password to a unique and complex password. I know it may seem like a hassle to maintain a list of passwords, but there are many password management tools available. McAfee has a tool called True Key that can help create and manage unique and complex passwords.
- Look for alternate login options: Spotify has the option to use Facebook authentication for login. This method transfers an authentication token from Facebook to Spotify, so no password is stored with Spotify.
Passwords are a huge component of our digital lives and are not going away anytime soon. In the security industry, we regularly see poor password choices being used to secure extremely sensitive information. To get people thinking about improving their online security, McAfee is spearheading World Password Day, an educational campaign to show consumers how to secure their digital lives. This year, World Password Day will be celebrated on May 5th.
Want to get involved? Here’s how you can participate:
- Have a password horror story? Visit @McAfee_Home to learn more about our #PasswordConfession contest and enter for a chance to win a prize
- Join our #PasswordDay Twitter chat about Multi-Factor Authentication on May 5th at 3PM EDT/noon PDT. Use #ChatSTC to join the conversation