Spotify Security Team Laughing at the Dumbest Hack Ever

Known for posting login accounts, a rogue hacking crew “hacked” Spotify.

As part of its #Lulzcalypse campaign, rogue “hacking” crew SecTeamSix_ allegedly leaked thousands of global Spotify accounts.  The list apparently included Premium accounts. They stated on Twitter,

“We’re thinking it’s time to start a #Lulzcalypse.”

Lulzcalypse refers to a large number of leaks released through social media, usually reports, images, and hacked accounts, just for laughs.

SecTeamSix_, or The Leak Boat, posted the “accounts” online on PasteBin.  The site was quickly removed, however.

After careful research, the supposed hack appears to be nothing more than a hoax.  Speaking with the International Business Times, a Spotify spokesperson confirmed that it wasn’t breached and that user accounts are secured.

“We do however pay attention to breaches of other services, and take steps to help our users secure their Spotify accounts when those occur, because many people use the same login and password combination for multiple services.  Therefore, we review sites such as Pastebin and others for leaked user credentials which might be used to access Spotify.

“Having become aware of such a security breach, Spotify’s security team identified that some of the leaked user credentials might correspond to Spotify accounts.  We take a proactive approach to security and have reset all of the relevant passwords and sent the customers an email asking them to create a new one.”

Upon closer inspection, the Spotify “hack” was merely a dump of reused passwords. Security experts and other hackers spoke with IBT and claimed that the list lacked any complexity. The usernames and passwords also show up in AP/exploit dumps.

Security experts warned users, however, that if their username appeared in the lists, they should change their passwords immediately.

The hoax appears to have been made to garner public attention for the group. On their Twitter page, the supposed hacking crew posts logins for pornography websites and “hacked” images of naked celebrities. So far, not a single user has validated the group’s supposed hack.

Image by Arkady Gundroff (CC by 2.0)

5 Responses

  1. Marc

    This was not a dump of reused passwords. I was on the list of hacked accounts and it was in fact my password.

    nice try on the downplay

    • Suzanne

      Same here. Spotify has such lax security standards, and consistently denies security breaches, that I terminated my account.

  2. Ed

    My account was hacked too. Spotify response was quick and professional. Now I have a new account. Safe… for now.

  3. Suzanne

    Spotify doesn’t even admit it when they have been hacked, customer security is the lowest priority. Certainly lower than their need to appear without flaw. They are the Donald Trump of SaaS Music.