Credential theft

Spotify Credential Stuffing Attack — ~350K Accounts

📅 2020-09-01 🏢 Spotify
Primary Source ↗

Incident Details

In November 2020, security researchers at vpnMentor discovered an unsecured Elasticsearch database containing approximately 380 million records, including usernames, passwords, and email addresses, that was being used in credential stuffing attacks against Spotify. Spotify confirmed to vpnMentor that it had initiated a password reset for affected users and had worked with the researchers to take down the database, which was hosted by a third party running the credential stuffing operation. Spotify stated that the credentials were not obtained from Spotify's own systems but from prior, unrelated breaches — the classic credential stuffing scenario, in which attackers rely on users reusing the same password across services. Spotify issued password resets to approximately 350,000 accounts identified as having been successfully accessed via the attack. The company filed suit against the unidentified operators of the database. The incident occurred during a period of heightened credential stuffing activity across many platforms (2020 also saw similar attacks against Nintendo, Zoom, and others), driven by the massive accumulation of breached credential databases available on underground markets.

Technical Details

Initial Attack Vector
Credential stuffing — attackers used a database of approximately 380 million records (username/password pairs from unrelated third-party breaches) to systematically attempt logins on Spotify accounts; valid credential matches were used for account takeover
Vendor / Product
Spotify
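The attack vector described above has a recognisable shape in authentication logs: one source tries many different usernames, each once or twice, with a high failure rate, and the few successes are the accounts whose reused passwords matched. The following is an added illustration (not part of this incident record and not Spotify's own tooling) of detection logic for that pattern, followed by the mitigation the record describes, forcing a password reset on the accounts that were successfully accessed. The log format, the source addresses, usernames and thresholds are all constructed for the example.

```python
"""Toy credential-stuffing detector over constructed authentication events.

Added example, not from the incident record or from Spotify. The log format
("timestamp source_ip username result"), the sample events and the thresholds
are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log. 203.0.113.7 sprays ten different accounts and gets two hits
# (the stuffing pattern); 198.51.100.4 is one user mistyping a password twice;
# 192.0.2.9 is a single normal login.
SAMPLE_LOG = """\
2020-11-20T10:00:01Z 203.0.113.7 alice FAIL
2020-11-20T10:00:01Z 203.0.113.7 bob FAIL
2020-11-20T10:00:02Z 203.0.113.7 carol FAIL
2020-11-20T10:00:02Z 203.0.113.7 dave OK
2020-11-20T10:00:03Z 203.0.113.7 erin FAIL
2020-11-20T10:00:03Z 203.0.113.7 frank FAIL
2020-11-20T10:00:04Z 203.0.113.7 grace FAIL
2020-11-20T10:00:04Z 203.0.113.7 heidi OK
2020-11-20T10:00:05Z 203.0.113.7 ivan FAIL
2020-11-20T10:00:05Z 203.0.113.7 judy FAIL
2020-11-20T10:01:00Z 198.51.100.4 alice FAIL
2020-11-20T10:01:20Z 198.51.100.4 alice FAIL
2020-11-20T10:01:40Z 198.51.100.4 alice OK
2020-11-20T10:02:00Z 192.0.2.9 bob OK
"""


@dataclass
class SourceStats:
    """Per-source-IP counters accumulated over the analysis window."""
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)       # distinct usernames attempted
    successes: set = field(default_factory=set)   # usernames that logged in OK


def parse_events(text):
    """Parse the constructed log format into (timestamp, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, ip, user, result = line.split()
        events.append((ts, ip, user, result))
    return events


def aggregate_by_source(events):
    """Group events by source IP, counting attempts, failures and distinct users."""
    stats = defaultdict(SourceStats)
    for _ts, ip, user, result in events:
        s = stats[ip]
        s.attempts += 1
        s.users.add(user)
        if result == "OK":
            s.successes.add(user)
        else:
            s.failures += 1
    return stats


def flag_stuffing_sources(stats, min_attempts=10, min_distinct_users=8, min_fail_ratio=0.6):
    """Flag sources that look like credential stuffing.

    The distinguishing signal is breadth, not depth: many distinct accounts,
    each tried a few times, with mostly failures. A single account hammered
    repeatedly is brute force, and a user retrying a typo never reaches the
    distinct-user threshold. Thresholds are constructed for the example.
    """
    flagged = {}
    for ip, s in stats.items():
        if s.attempts < min_attempts or len(s.users) < min_distinct_users:
            continue
        if s.failures / s.attempts < min_fail_ratio:
            continue
        flagged[ip] = s
    return flagged


def accounts_to_reset(flagged):
    """Accounts that authenticated successfully from a flagged source.

    These are the likely password-reuse victims: the response the incident
    record describes is a forced password reset on exactly this set.
    """
    users = set()
    for s in flagged.values():
        users |= s.successes
    return sorted(users)


def analyze(text):
    """Return (flagged source IPs, accounts needing a password reset)."""
    stats = aggregate_by_source(parse_events(text))
    flagged = flag_stuffing_sources(stats)
    return sorted(flagged), accounts_to_reset(flagged)


if __name__ == "__main__":
    sources, victims = analyze(SAMPLE_LOG)
    print("stuffing sources:", sources)      # ['203.0.113.7']
    print("force password reset:", victims)  # ['dave', 'heidi']
```

Keying on a single source IP is the simplest form of this check and is where real campaigns evade it: a stuffing operation of the size described here is normally spread across proxies or a botnet so that no one address crosses a per-IP threshold. In production the same counters are kept per ASN, per device or TLS fingerprint, and globally (a sudden rise in the overall failure ratio or in distinct-usernames-per-minute), and successes from flagged populations feed the reset list in the same way.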

Timeline

  1. 2020-09-01 Breach occurred
  2. 2020-11-23 Publicly disclosed
  3. 2020-11-23 Customers notified