Photo Credit: Unsplash
Is your Spotify account hacked, playing music in another language or on other devices? You’re not alone.
Since 2017, reports of Spotify accounts being hacked have risen. The phrase ‘Spotify hack’ makes readers think Spotify is part of some data breach, similar to Equifax. The reality is that these accounts holders have either shared their account info with other users willingly – or re-used their passwords carelessly and found their accounts compromised as a result.
Here’s how users typically end up with a ‘hacked’ Spotify account.
“Oh wow, Spotify is offering a three-month free trial,” you notice, scrolling through your Facebook feed. You click through the ad and sign-up using your Facebook account, re-using a familiar password. Six months from now, you notice smooth jazz playing in the evenings when you prefer sad trap mixes. Wtf?
You quickly check your Spotify account device history. Lo and behold – some ‘hacker’ is now listening to Miles Davis on his Amazon Echo. “I don’t even own an Amazon Echo,” you think. Someone hacked my Spotify account becomes the logical conclusion for many.
Let me stop you right there, though. The reality is that a re-used password got leaked on a site like Pastebin. People are constantly monitoring these sites for email/password combination dumps in plaintext. Spotify knows that – they’ve periodically reset passwords citing ‘suspicious activity.’
This Spotify dump matches emails with leaked passwords and shows their Spotify account level.
To get technical, this is called a credential stuffing attack. It takes a known email and password combination and tries it on popular services to check for password re-use.
This is the number one reason why you should never re-use your passwords. Several large sites like LinkedIn, Adobe, and Yahoo have suffered significant data breaches. Re-using the same password for Spotify leaves users vulnerable to credential stuffers. These credential leaks are incredibly common and are effective because password re-use is so prevalent.
Since 2019, the website Have I Been Pwned has monitored over 20 pastes that include Spotify user data. Pastebin removes these pretty quickly, but Spotify hackers have tools that run through these pastes at the speed of light.
Snagging a successful email/password paste can net hundreds of live premium accounts. These accounts are then sold on dark web forums for as little as $0.21 per account.
Spotify deserves some of the blame for this – the service does not support two-factor authentication. Two-factor authentication (2FA) would prevent someone from connecting to a Spotify account without explicit permission from the owner. Until Spotify offers 2FA, it is up to users to protect themselves.
How to Secure Spotify Account After a Breach
If you’ve experienced weird music showing up on your device, you may have a breach. Here’s how you can protect yourself and remove the ‘hacker’ from accessing your Spotify account.
- Change your Spotify password to something unique. (Use a password manager, every single site needs a unique password to prevent credential stuffing attacks.)
- Open your Spotify account page and choose ‘logout everywhere.’ (Note: Spotify says this will not affect partner devices like Sonos or PlayStation. You’ll need to follow those device manufacturer’s instructions to logout.)
- Login to Spotify with your new password AND NEVER USE IT ANYWHERE ELSE.
Hacked Spotify Accounts Hurt The Music Industry
The algorithm-driven future of the music industry is ripe for exploitation. Rapper French Montana was recently busted buying fake Spotify streams to promote one of his songs. Spotify botters may buy up those cheap Spotify premium email and password combos sold on the dark web. Those accounts’ listening habits seem organic since they are still active and contain the original owner’s preferences.
That makes these paid streams are harder to spot for Spotify vs. new account play spam. French Montana’s exploit fell through because he only bought streams on Spotify, making the deception easy to spot. But such deception and algorithm gaming is exactly why people like Neil Young hate music streaming in the first place.
What about streaming counts ?
and songs ownerships ?
and real artists ?
Some artists use download gates to give away free music, and in return they ask for a spotify follow. Those third-party websites can access the spotify api, but they’re not as secure.
On twitter/soundcloud/youtube/facebook/ you can easily de-authorize third-party apps access.
I’ve gotten two different emails about my Spotify account being hacked. I clicked the link and game them my credit card information, social security number and birthdate to verify it and they said it would be fixed. Wait, now that I think about it I don’t have a Spotify account. Oh well, must just be a slight confusion.
One of the largest online streaming music companies on the planet, still not providing the bare minimum of security. Unbelievable and lazy. If their excuse is that it is too complex to enable as Spotify runs on so many platforms, then they should at least provide it as an option. It should be a pre-requisite that if a company holds your financial information they should have to provide 2FA.
This happened to me today and the support for hacking wasn’t good enough on Spotify and didnt want to let have a benefit of my account to fucking cyber criminal so just asked to close my account instead of bothering myself to get back my account. No worth it. It is not safe anymore and spotify lost trust on me. So dumb.
No two step verification what is this the dark ages. This company employs idiots and losers!!!!!!!!!!!!