Task 1 of 7

No Rate Limiting. 150 Million Spotify Accounts Targeted in One Night.

In 2020, a credential stuffing attack hit Spotify. Attackers had a database of 380 million username and password pairs from previous breaches across other sites. They wrote a script to try each one against Spotify's login endpoint — automatically, thousands of requests per second. Because Spotify had no effective rate limiting on their API at the time, the script ran unhindered all night.

By morning, over 300,000 accounts had been successfully taken over. Users woke up to find their playlists deleted, their email changed, and their subscription being used from a different country. The attackers did not hack Spotify at all — they just tried passwords that worked somewhere else.

HOW THE ATTACK WORKED — STEP BY STEP
Step 1: Attacker buys a database of 380M leaked credentials from dark web markets. Cost: a few hundred dollars.
Step 2: Writes a script that loops through the list and sends login requests to Spotify's API.
Step 3: Spotify's API has no rate limiting. The script runs at full speed — thousands of attempts per minute.
Step 4: 65% of people reuse passwords. Many credentials from other breaches work on Spotify too.
Step 5: 300,000+ successful logins. Attacker changes emails/passwords, sells accounts, or uses them for free premium.

This is exactly what you will do in the Chirper lab — write a loop, try passwords, find the one that works. The only difference is you have permission to do it there.
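The control whose absence Step 3 describes, shown as an added example rather than anything from Spotify or the Chirper lab: a sliding-window login throttle that counts attempts per source IP and per target account, and refuses an attempt before the password is ever checked. Every class name, function name and threshold below is hypothetical, and the traffic it runs on is constructed.

```python
# Added example (not Spotify's code, nor the Chirper lab's): a sliding-window login
# throttle keyed on both the source IP and the target account. This is the control
# whose absence Step 3 describes. All names and thresholds here are hypothetical.
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class LoginThrottle:
    ip_limit: int = 20        # attempts one source IP may make per window
    account_limit: int = 5    # attempts one account may receive per window
    window: float = 60.0      # window length in seconds
    _by_ip: dict = field(default_factory=lambda: defaultdict(deque))
    _by_account: dict = field(default_factory=lambda: defaultdict(deque))

    def _prune(self, q: deque, now: float) -> None:
        """Drop timestamps that have aged out of the window."""
        while q and now - q[0] >= self.window:
            q.popleft()

    def check(self, ip: str, account: str, now: float) -> str:
        """Decide one attempt *before* the password is verified.

        Returns "allow", or the limit that refused it ("ip_limit" / "account_limit").
        Refused attempts never reach the credential check, so a script walking a
        leaked list gets its first ip_limit tries per window and nothing more.
        """
        ip_q, acct_q = self._by_ip[ip], self._by_account[account]
        self._prune(ip_q, now)
        self._prune(acct_q, now)
        if len(ip_q) >= self.ip_limit:
            return "ip_limit"
        if len(acct_q) >= self.account_limit:
            return "account_limit"
        ip_q.append(now)
        acct_q.append(now)
        return "allow"


def simulate(throttle: LoginThrottle, attempts) -> dict:
    """Run (time, ip, account) attempts through the throttle; return decision counts."""
    counts = defaultdict(int)
    for t, ip, account in attempts:
        counts[throttle.check(ip, account, t)] += 1
    return dict(counts)


def demo_stuffing() -> dict:
    """Constructed traffic: one IP walks a leaked list at 100 attempts/s for 10 s,
    while a legitimate user on another IP fails once and retries."""
    burst = [(i * 0.01, "203.0.113.7", f"leaked-user-{i}") for i in range(1000)]
    legit = [(0.5, "198.51.100.4", "alice"), (1.2, "198.51.100.4", "alice")]
    return simulate(LoginThrottle(), sorted(burst + legit))


def demo_distributed() -> dict:
    """Constructed traffic: 50 attempts on one account from 50 different IPs,
    the shape that defeats a per-IP limit but not a per-account one."""
    attempts = [(i * 0.5, f"192.0.2.{i}", "bob") for i in range(50)]
    return simulate(LoginThrottle(), attempts)


if __name__ == "__main__":
    print(demo_stuffing())      # {'allow': 22, 'ip_limit': 980}
    print(demo_distributed())   # {'allow': 5, 'account_limit': 45}
```

Two keys are needed because the two shapes of attack on this page evade different limits: the single-source burst in the Spotify story is stopped by the per-IP count (20 of the 1,000 attempts get through, the legitimate user is untouched), while an attacker who rotates source addresses to hammer one account is stopped by the per-account count. In production the per-account counter would normally be reset on a successful login and backed by shared storage so that every login server sees the same window.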

But Yahoo is just the most visible example of a systemic problem. Authentication failures — weak passwords, no rate limiting, poor session management — are behind the majority of account takeovers that happen every single day.

THE SCALE OF THE PROBLEM
24 billion stolen username/password pairs available on dark web markets as of 2022 (SpyCloud report)
15 billion unique credentials for sale — more than 2x the world's internet users
81% of data breaches involve stolen or weak credentials (Verizon DBIR)
65% of people reuse passwords across multiple sites — one breach unlocks many accounts
0.5 seconds: time for a modern computer to try every possible 6-character password
$6.94M: average cost of a credential-based breach (IBM Cost of a Data Breach 2023)

How attackers get in without hacking

Most account takeovers do not involve a sophisticated attack. They follow one of three simple paths:

Credential stuffing: Buy leaked username/password pairs from old breaches. Try them on the target site. 65% of people reuse passwords — many will work.
Password spraying: Try one common password (like "Summer2024!") against thousands of accounts. Avoids lockouts. At least a few will match.
Brute force: If there's no rate limiting or lockout, try every password until one works. A 4-digit PIN has only 10,000 combinations.
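What the three paths look like from the defender's side of the login endpoint, as an added example that is not part of the original lesson: a small triage routine over constructed authentication log lines. The log format, field names, IP addresses, usernames and thresholds are all made up for illustration.

```python
# Added example, not from the page or any vendor: triage of constructed login logs
# for the three paths above. The log format, field names and thresholds are made up
# for illustration; real systems will differ.
import re
from collections import defaultdict

# Constructed format: one line per attempt, result is "ok" or "fail".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) login result=(?P<result>ok|fail) ip=(?P<ip>\S+) user=(?P<user>\S+)$"
)

# Constructed sample: a stuffing source (one try per account, one hit), a brute-force
# source (one account hammered until it opens), and a normal user who mistyped once.
SAMPLE_LOG = """\
2020-11-03T02:14:07Z login result=fail ip=203.0.113.7 user=dan.k
2020-11-03T02:14:07Z login result=fail ip=203.0.113.7 user=mia.r
2020-11-03T02:14:08Z login result=fail ip=203.0.113.7 user=j.ortiz
2020-11-03T02:14:08Z login result=fail ip=203.0.113.7 user=sam.w
2020-11-03T02:14:08Z login result=fail ip=203.0.113.7 user=priya.n
2020-11-03T02:14:09Z login result=ok ip=203.0.113.7 user=lee.c
2020-11-03T02:14:09Z login result=fail ip=203.0.113.7 user=tom.b
2020-11-03T02:14:10Z login result=fail ip=203.0.113.7 user=ana.f
2020-11-03T02:20:01Z login result=fail ip=198.51.100.9 user=alice
2020-11-03T02:20:02Z login result=fail ip=198.51.100.9 user=alice
2020-11-03T02:20:02Z login result=fail ip=198.51.100.9 user=alice
2020-11-03T02:20:03Z login result=fail ip=198.51.100.9 user=alice
2020-11-03T02:20:03Z login result=fail ip=198.51.100.9 user=alice
2020-11-03T02:20:04Z login result=fail ip=198.51.100.9 user=alice
2020-11-03T02:20:04Z login result=ok ip=198.51.100.9 user=alice
2020-11-03T08:02:11Z login result=fail ip=192.0.2.20 user=bob
2020-11-03T08:02:19Z login result=ok ip=192.0.2.20 user=bob
"""


def parse(log_text: str) -> list:
    """Return one dict per well-formed line; malformed lines are skipped, not fatal."""
    return [m.groupdict() for m in map(LINE_RE.match, log_text.splitlines()) if m]


def triage(events: list, spray_users: int = 5, brute_fails: int = 5) -> dict:
    """Group attempts by source IP and label the shape of each suspicious source.

    Credential stuffing and password spraying look the same in an auth log: many
    distinct accounts, about one attempt each, mostly failing. A per-account lockout
    never fires on that shape, which is why the count is taken per source. Brute force
    is the opposite shape: one account, many failures.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e["result"] == "fail"]
        fails_per_user = defaultdict(int)
        for e in fails:
            fails_per_user[e["user"]] += 1
        users = {e["user"] for e in evs}

        if len(users) >= spray_users and len(fails) * 2 >= len(evs):
            pattern = "credential stuffing / password spraying"
        elif any(n >= brute_fails for n in fails_per_user.values()):
            pattern = "brute force"
        else:
            continue  # ordinary traffic, including a user who mistyped once

        findings[ip] = {
            "pattern": pattern,
            "attempts": len(evs),
            "distinct_users": len(users),
            "failures": len(fails),
            # A success from a flagged source is the takeover signal to act on first.
            "compromised": sorted({e["user"] for e in evs if e["result"] == "ok"}),
        }
    return findings


if __name__ == "__main__":
    for ip, finding in triage(parse(SAMPLE_LOG)).items():
        print(ip, finding)
```

The point worth taking from the output is the one the "Password spraying" line above hints at: a lockout that counts failures per account sees nothing unusual when each account is tried once, so the first two paths are only visible when failures are also counted per source (and globally, since a patient attacker can spread the same list across many addresses). The accounts listed under `compromised` are the ones to reset and notify first, because a success from a source that was otherwise failing is the strongest account-takeover signal in the log.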
1. An attacker uses leaked passwords from the LinkedIn breach to log into Netflix accounts. What is this called?

2. What percentage of data breaches involve stolen or weak credentials according to the Verizon DBIR?
