If true, how many Spotify accounts did hackers actually manage to steal and post online?
According to a recent post on Reddit, hackers may have leaked thousands of Spotify usernames and passwords online.
Reddit user Keoft first posted about the possible breach based on an e-mail sent from haveibeenpwned.com. The website allows users to check if hackers have compromised their personal data.
“It was posted about an hour ago and I got an email from haveibeenpwned. You can type your Spotify email on that site to see if your email and password showed up in that paste, or possibly others. Sure enough my own email and password show up there and now I have to change a ton of passwords on other sites and I’m very angry about it.”
Instead of linking to the Pastebin.com document containing the compromised account information, Keoft reported the post. In addition, the user ran a quick Google search to see whether any independent media outlets had reported on the breach. Finding nothing, Keoft alerted the Reddit community.
Searching on Pastebin, you’ll readily find Spotify usernames and passwords spread across multiple posts in alphabetical order. The most recent document, published two hours ago, shows information on ten separate Spotify accounts. Another post shows password information for Spotify Premium accounts in the US, Australia, and Sweden, among other countries. Pastebin has yet to take down several of these posts.
On Reddit, some users have reported receiving password reset links from Spotify. One wrote that the hack may have happened as early as last week.
“I was wondering if it was just me. I was hacked on the morning of the 22nd. They reset the email and the password. Spotify thankfully helped me recover… The only weird thing about all of this was that the email address used to hack my account had an @spotify.com domain. I searched it everywhere online, but it didn’t come up for anything else. I still haven’t gotten to the bottom of that part.”
Another poster, kumamaru, decided to have fun with people who had accessed their account.
“Hm. I wonder how long ago this actually started cause I remember going on my mobile app and someone was streaming and making a list for themselves. All Spanish music. So I just looked up a playlist called gay music and had a back and forth ‘play on this device’ until they stopped. Then changed my password.”
The full extent of the hack remains unclear. Pastebin appears to have taken down the original post featuring thousands of compromised usernames and passwords. However, some Spotify accounts, along with their country and type of paid subscription, are still indexed in the website’s search engine. The hack doesn’t appear to affect users who signed up for Spotify Premium using their Facebook accounts.
Digital Music News has attempted to reach out to Spotify for comment.
Update: Speaking about reports of a possible breach, the streaming music platform issued the following statement.
“Spotify has not experienced a security breach and our user records are secure.”
“We do however pay attention to breaches of other services, and take steps to help our users secure their Spotify accounts when those occur, because many people use the same login and password combination for multiple services. Therefore, we review sites such as Pastebin and others for leaked user credentials which might be used to access Spotify.”
The statement, however, addresses neither the users’ reports of unauthorized entry into their accounts nor the password reset emails they received.
Featured image by kalhh (CC0)