Hundreds of Spotify credentials appear online

kev216

Aug 6, 2014
A list containing hundreds of Spotify account credentials – including emails, usernames, passwords, account type and other details – has popped up on the website Pastebin, in what appears to be a possible security breach. After reaching out to a random sampling of the victims via email, we’ve confirmed that these users’ Spotify accounts were compromised only days ago. However, Spotify says that it “has not been hacked” and its “user records are secure.”

It’s unclear, then, where these particular account details were acquired, given that they are specific to Spotify, rather than a set of generic credentials that just happen to work on Spotify.

In addition to the email and login information, the Pastebin post also details the type of account (e.g. family, premium), when the subscription auto-renews, and the country where the account was created. The list of accounts is not limited to the U.S., but includes a number of users from all over the world.

Spotify has dealt with security incidents in the past, so one can’t immediately assume that a list of emails like this is related to a new data breach. It could have been that a list of previously compromised accounts is still circulating. And only one of the accounts we tried actually permitted a log in, which also left room for doubt about the recency of this particular incident.

But the victims we reached out to told us otherwise.

So far, over a half-dozen have responded, confirming that they did experience a Spotify account breach recently. They became aware of the breach in a number of ways – for example, one said he found songs added to his saved songs list that he hadn’t added.

Another also found his account had been used by an unknown third party.

“I suspected my account had been hacked last week as I saw ‘recently played’ songs that I’d never listened to, so I changed my password and logged out of all devices,” the victim, who preferred to remain anonymous, told us.

Several others said they were kicked out of Spotify – one even in the middle of streaming music.

When trying to log back in, these users found that their account email had been changed to a new email address not belonging to them.

To resolve the matter, users said they’ve had to work with Spotify customer service to get their account access restored.

In none of the reported cases so far did Spotify reach out to the victims immediately following the breach, nor were their passwords proactively reset for them on their behalf by Spotify.

This seems to contradict the statement a Spotify spokesperson provided us today when asked about this possible breach: “Spotify has not been hacked and our user records are secure. We monitor Pastebin and other sites regularly. When we find Spotify credentials, we first verify that they are authentic, and if they are, we immediately notify affected users to change their passwords."

But it could be that Spotify is still in the process of verifying the account credentials, which takes time.

According to many of the users we spoke to so far, this issue occurred last week. The Pastebin is dated April 23, however. (TechCrunch is declining to link to the Pastebin page to protect the victims.)

Some of the victims are only now dealing with the fallout. A couple said they received the email notification that their password had been reset on Sunday.

“…I was definitely hacked and later tried googling ‘Spotify hack news’ last night to no avail,” one victim told us. “I noticed it last night when I opened Spotify on my phone and saw someone was using my account somewhere else.”

The unknown party reset their email address, deleted a playlist, saved music to their device, and started following a new playlist.

Others are still in the process of trying to prove to Spotify they are the legitimate account owner.

“…The person was able to change my email address without a second verification, and now I’m jumping through hoops to close my account,” another told us.

“I had to reach out to Spotify first, and it’s still ongoing,” a third said. “They’ve not been helpful, and I’ve only succeeded in getting my account locked so far.”

Because of Spotify’s delay in resetting users’ passwords, many of the victims told us they’ve had problems that extend beyond the streaming service.

Unfortunately, because people often re-use their passwords on other sites, several reported their other accounts have been hacked into as well, including their Facebook, Uber, Skype and even their bank account.

It’s unclear why the unknown third parties responsible for this incident would want to actually use the Spotify user logins to play music – especially as that alerts the users to the breach. Typically, a hacker would want to simply collect then re-sell the credentials, which makes this particular incident odd.

OokamiCreed

May 8, 2015
Sometimes I think that a service has not been hacked, but rather a phishing campaign is underway or some other such event. You'd imagine that if a service has had a breach, a higher number of accounts would be compromised, but there are clearly some technicalities to the IT world. One such thing is if a breach had occurred but was closed before further accounts could have had their credentials downloaded, relocated (or other such term you'd use here).

While I do not have a very good opinion of Spotify, I use it often in tandem with Adguard (which can block audio, flash/picture, and video ads simply with filtering Spotify.exe). I plan to move to Groove subscription or Deezer when it is released to the US. Groove being useful so I can listen to music on my Xbox while not having to rely on my own local collection.
Mineria

Mar 19, 2016
I plan to move to Groove subscription or Deezer when it is released to the US. Groove being useful so I can listen to music on my Xbox while not having to rely on my own local collection.
I never used anything but Zune/Groove, since it works between my Windows Phone, Xbox and PCs. The only thing that annoyed me was when the first versions of Groove were released: it had bugs with music purchased from the store (file location) and duplicates of songs when OneDrive was used to store albums.
Besides that, MS also lacked contracts with some record labels, but it seems they have most of them now.
jamescv7

Mar 15, 2011
These security breaches likely cover minor areas: even though the site or its operation is actively secured, holes are present that turn out to be the weakest point for Spotify and other services.

Hence the number one source can be phishing all around.