The Limited Times

Hackers exploited 47,000 stolen French Spotify accounts

2020-11-23T20:35:05.892Z


Cybercriminals had managed to gain hundreds of thousands of accesses to the streaming service thanks to "credential stuffing".


It is a real war chest that the cybersecurity researchers Noam Rotem and Ran Locar stumbled upon by "scanning" the Internet last summer for poorly secured servers.

Hackers had stored their gargantuan 72 GB database, or 380 million documents, online.

Poorly protected from the outside world, it contained in particular 400,000 verified accounts of subscribers to the music streaming service Spotify, including 47,456 belonging to French users.

"We quickly established that this was not a leak or hack from Spotify because this database belonged to third parties who had managed to illegally accumulate emails and passwords that gave real access to these free and premium accounts," explains Ran Locar from VPN Mentor's research laboratory, a VPN comparison site.

Passwords already known and recycled

There are thousands of authentication databases available for sale on the Dark Web from different data breaches.

But few include verified accounts that are therefore directly usable by thugs.

In order to obtain these genuine Spotify accounts, the cybercriminals resorted to the devastatingly effective and easily reproduced method of "credential stuffing".

"The hackers take a database of millions of emails and passwords already used that they will refine in order to enhance them", explains Hicham Bouali, cybersecurity expert at One Identity.

"As users very often juggle lazily with the same password for their different online accounts, cybercriminals use botnets, computer bots, to test thousands of combinations of IDs and passwords on well-known services," he continues.

[Photo caption: The database hosted the accounts (emails and passwords) of tens of thousands of French subscribers. Credit: DR]

"Each Botnet is capable of trying up to 300,000 connections per hour to a website or online service so they quickly get access to applications like Uber, Netflix or Spotify," says the expert.
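Added example, not from the article or from Spotify: a small Python detector for the pattern the expert describes, a single source trying many different accounts in a short window with almost all logins failing. The log format, IP addresses, account names and thresholds are all constructed for the illustration.

```python
"""Detection sketch for credential stuffing (added example): one source trying
many distinct accounts in a short window, with almost all attempts failing.
Log format and values are constructed: "<ISO time> <src_ip> <user> <RESULT>"."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
MIN_ACCOUNTS = 5          # distinct usernames tried from one source within WINDOW
MAX_SUCCESS_RATIO = 0.2   # real users mostly succeed; stuffed credentials mostly fail

def parse(line):
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "SUCCESS"

def suspicious_sources(lines):
    """Return {src_ip: (distinct_users, successes, attempts)} for sources whose
    sliding WINDOW of attempts matches the stuffing pattern; the window with the
    most distinct accounts found for each source is the one reported."""
    by_ip = defaultdict(list)
    for line in lines:
        ts, ip, user, ok = parse(line)
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > WINDOW:
                start += 1
            window = events[start:end + 1]
            users = {u for _, u, _ in window}
            successes = sum(ok for _, _, ok in window)
            if len(users) >= MIN_ACCOUNTS and successes / len(window) <= MAX_SUCCESS_RATIO:
                if ip not in flagged or len(users) > flagged[ip][0]:
                    flagged[ip] = (len(users), successes, len(window))
    return flagged

# Constructed sample: one stuffing source, one user retyping a password, and one
# office NAT where several people log in successfully (many users, no failures).
SAMPLE_LOG = [
    "2020-11-20T09:00:01 203.0.113.7 alice@example.com FAIL",
    "2020-11-20T09:00:05 203.0.113.7 bob@example.com FAIL",
    "2020-11-20T09:00:09 203.0.113.7 carol@example.com FAIL",
    "2020-11-20T09:00:12 203.0.113.7 dave@example.com FAIL",
    "2020-11-20T09:00:16 203.0.113.7 erin@example.com FAIL",
    "2020-11-20T09:00:20 203.0.113.7 frank@example.com SUCCESS",
    "2020-11-20T09:01:00 198.51.100.4 bob@example.com FAIL",
    "2020-11-20T09:01:30 198.51.100.4 bob@example.com FAIL",
    "2020-11-20T09:02:00 198.51.100.4 bob@example.com SUCCESS",
] + [f"2020-11-20T09:0{i}:00 192.0.2.10 user{i}@example.com SUCCESS" for i in range(5)]
```

Running `suspicious_sources(SAMPLE_LOG)` flags only 203.0.113.7; the shared office address is left alone because its many logins all succeed, which is why the success ratio matters alongside the account count.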


Once an account is thus verified, its market value explodes.

A valid subscription can sell for $10 each.

In the case of access to Spotify, the 400,000 accounts were therefore worth at least $4 million.

But the pirates apparently did not trade them.

A database rendered obsolete

"They seemed to use these accounts to feed a pirate streaming service or to do "streaming boosting", that is to say artificially inflate the streaming numbers of certain artists' tracks," according to the findings of Noam Rotem and Ran Locar.

Informed by the researchers last July, Spotify confirmed to us that it had launched a "gradual reset of passwords for all affected users. As a result, the information contained in the database becomes useless".

In case of doubt, the 3 million French subscribers can always update their account with a stronger password.

Source: leparis
