Spotify has dealt with security incidents in the past, so one can’t immediately assume that a list of emails like this is related to a new data breach. It could have been that a list of previously compromised accounts is still circulating. And only one of the accounts we tried actually permitted a log in, which also left room for doubt about the recency of this particular incident.

But the victims we reached out to told us otherwise. So far, over a half-dozen have responded, confirming that they did experience a Spotify account breach recently. They became aware of the breach in a number of ways – for example, one said he found songs added to his saved songs list that he hadn’t added.

Another also found his account had been used by an unknown third party. “I suspected my account had been hacked last week as I saw ‘recently played’ songs that I’d never listened to, so I changed my password and logged out of all devices,” the victim, who preferred to remain anonymous, told us.

Several others said they were kicked out of Spotify – one even in the middle of streaming music. When trying to log back in, these users found that their account email had been changed to a new email address not belonging to them. To resolve the matter, users said they’ve had to work with Spotify customer service to get their account access restored.

In none of the reported cases so far did Spotify reach out to the victims immediately following the breach, nor were their passwords proactively reset for them on their behalf by Spotify. This seems to contradict the statement a Spotify spokesperson provided us today when asked about this possible breach:

“Spotify has not been hacked and our user records are secure. We monitor Pastebin and other sites regularly. (TechCrunch is declining to link to the Pastebin page to protect the victims.) When we find Spotify credentials, we first verify that they are authentic, and if they are, we immediately notify affected users to change their passwords.”

But it could be that Spotify is still in the process of verifying the account credentials, which takes time.

According to many of the users we spoke to so far, this issue occurred last week. Some of the victims are only now dealing with the fallout. A couple said they received the email notification that their password had been reset on Sunday.

“…I was definitely hacked and later tried googling ‘Spotify hack news’ last night to no avail,” one victim told us. “I noticed it last night when I opened Spotify on my phone and saw someone was using my account somewhere else.” The unknown party reset their email address, deleted a playlist, saved music to their device, and started following a new playlist.

Others are still in the process of trying to prove to Spotify they are the legitimate account owner. “…The person was able to change my email address without a second verification, and now I’m jumping through hoops to close my account,” another told us. “I had to reach out to Spotify first, and it’s still ongoing,” a third said. “They’ve not been helpful, and I’ve only succeeded in getting my account locked so far.”

Because of Spotify’s delay in resetting users’ passwords, many of the victims told us they’ve had problems that extend beyond the streaming service. Unfortunately, because people often re-use their passwords on other sites, several reported their other accounts have been hacked into as well, including their Facebook, Uber, Skype and even their bank account.

It’s unclear why the unknown third-parties responsible for this incident would want to actually use the Spotify user log ins to play music – especially as that alerts the users to the breach. Typically, a hacker would want to simply collect then re-sell the credentials, which makes this particular incident odd.

More to come, as information becomes available.

Update: The Spotify issue is likely due to the service’s lack of two-factor authentication, we’ve learned. The most likely scenario is that users of Spotify re-used their passwords from other websites, and that’s where they were first stolen.