Following “Detected Suspicious Activity,” Spotify Resets the Passwords of an “Unspecified” Number of Accounts

Spotify has sent out a new e-mail to users.

An “unspecified” number of users have received notifications the music streaming giant had reset their passwords.

The e-mail told users the company made this change “due to detected suspicious activity.”

Confirming the reports, Peter Collins, a Spotify spokesperson, issued the following statement.

As part of our ongoing maintenance efforts to combat fraudulent activity on our service, we recently shared a communication with select users to reset their passwords as a precaution.

As a best practice, we strongly recommend users not to use the same credentials across different services to protect themselves.

According to TechCrunch, the e-mails follow a “credential stuffing attack” on the service. This occurs when attackers collect usernames and passwords leaked from other sites (including the popular dump site Pastebin) and “brute-force” their way into accounts by replaying those credentials against the service.
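The pattern TechCrunch describes is visible on the defender's side in authentication logs: one source trying many distinct accounts, most attempts failing. The following is an added example, not Spotify's or TechCrunch's code; it parses constructed log lines in an assumed format, flags sources whose attempt pattern looks like credential stuffing, and lists the accounts that succeeded from those sources as candidates for the precautionary password reset the article describes. The thresholds are assumptions.

```python
"""Flag credential-stuffing patterns in login logs (added example, constructed data)."""
from collections import defaultdict
import re

# Constructed authentication log lines (not real Spotify data). A stuffing
# source cycles through many distinct accounts with mostly failures; a normal
# user retries one account from one address.
LOG = """\
2020-01-10T10:00:01Z ip=203.0.113.7 user=alice result=fail
2020-01-10T10:00:02Z ip=203.0.113.7 user=bob result=fail
2020-01-10T10:00:03Z ip=203.0.113.7 user=carol result=success
2020-01-10T10:00:04Z ip=203.0.113.7 user=dave result=fail
2020-01-10T10:00:05Z ip=203.0.113.7 user=erin result=fail
2020-01-10T10:00:06Z ip=203.0.113.7 user=frank result=fail
2020-01-10T10:05:00Z ip=198.51.100.4 user=gina result=fail
2020-01-10T10:05:10Z ip=198.51.100.4 user=gina result=fail
2020-01-10T10:05:20Z ip=198.51.100.4 user=gina result=success
"""

LINE_RE = re.compile(r"ip=(\S+) user=(\S+) result=(\S+)")  # assumed log format

MIN_DISTINCT_USERS = 5   # assumed threshold: many accounts from one source
MIN_FAILURE_RATIO = 0.6  # assumed threshold: most attempts fail

def parse(log):
    """Yield (ip, user, result) tuples from the constructed log format."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.groups()

def find_stuffing_sources(log, min_users=MIN_DISTINCT_USERS, min_fail=MIN_FAILURE_RATIO):
    """Return {ip: set of accounts that logged in successfully from ip} for
    sources whose attempt pattern looks like credential stuffing."""
    users, hits = defaultdict(set), defaultdict(set)
    total, fails = defaultdict(int), defaultdict(int)
    for ip, user, result in parse(log):
        users[ip].add(user)
        total[ip] += 1
        if result == "success":
            hits[ip].add(user)
        else:
            fails[ip] += 1
    return {ip: hits[ip] for ip in total
            if len(users[ip]) >= min_users and fails[ip] / total[ip] >= min_fail}

def accounts_to_reset(log):
    """Accounts reached from a flagged source: candidates for a precautionary
    password reset, since their password was very likely reused elsewhere."""
    return set().union(*find_stuffing_sources(log).values())
```

Successful logins from a flagged source are the ones to act on; the failed attempts only tell you the source was guessing.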

Multiple users admitted to using the same password across different websites. Others, however, used passwords unique to Spotify.

Speaking about experiencing the same problem two years ago, one user wrote on HackerNews,

I had a similar issue not long ago. I went in and really changed it into a massive 50 character pw.

My Spotify account was hijacked in 2017 and managed to get it back – someone from Tunisia – he had the audacity to start creating playlists full of autotune rappers. I wouldn’t mind sharing, but man, his taste in music was awful.

Stating the service denied any database breaches, another user explained,

Same thing happened to me, right around the same time. Also, my hijacker shared a similar taste in music to yours! Spotify denied that they had any database breaches, but I only use that password for Spotify, so I find that highly unlikely.

The forced resets come months after major companies reported similar breaches.

Denying the company was hacked last month, Chipotle spokesperson Laurie Schalow said,

[We’re] monitoring any possible account security issues of which we’re made aware and continue to have no indication of a breach of private data of our customers.

Following a similar hack late last year, a DoorDash spokesperson denied that a data breach had occurred and instead blamed credential stuffing attacks.

We don’t have any information to suggest that DoorDash has suffered a data breach. To the contrary, based on the information available to us, including internal investigations, we have determined that the fraudulent activity reported by consumers resulted from credential stuffing.

2 Responses

  1. Joey C.

    The Spotify email that told me to change my password looked exactly like a phishing email. The email failed to state my Spotify ID. It was very off-putting.

  2. Wendy Day

    My Door Dash account was hacked last year. I was notified of food ordered to an address in Maryland, however I live in Georgia. I notified Door Dash immediately. They could have cancelled the order. They had the address of the food delivery (therefore most likely the thief). They did nothing. They argued with me about the theft/hacking and finally agreed to refund my money which took months. Door Dash is bullshit.