How Login Phishing Attacks Compromise Your Spotify Credentials

Are you getting spammed with tons of login emails for a music streaming service like Spotify? You may be the subject of a phishing attack.

Hackers are constantly trawling the internet for new account dumps to check against popular websites like Spotify. For example, MGM Resorts experienced a data breach in 2022, resulting in the exposure of 28 million email addresses alongside other personally identifiable information. When data breaches like this hit the web, hackers go to work checking those leaked email address and password combos. Let’s explore how one of these phishing attacks may work.

Jane stayed at an MGM Resort in 2020 and her email address [email protected] was exposed. Now the hacker wants to gain access to Jane’s Spotify or Deezer account associated with that email address. The hacker can attempt this by requesting an email sign-in link for the account, which starts the phishing attack. An email like this arrives in Jane’s inbox:

Deezer login phishing
Photo Credit: Deezer

“I haven’t tried to log in to my Deezer account,” Jane thinks to herself, and she clicks the pink ‘log in now’ button. Jane has just given her attacker access to her Deezer account. These phishing emails are legitimate password reset and login links initiated by the attacker, rather than Jane herself. Another clue in the email is the login location, which happened at 8:56 pm in Asia/Shanghai. Jane is from California and has never visited Asia.

How to Avoid Login Phishing Attacks – Spotify, Deezer, Apple Music & More

You can avoid these phishing attacks by never clicking a link that arrives in your email inbox unless you requested it. If Jane had simply deleted the email instead of clicking the login button, the attack would have been thwarted. The attacker is counting on you clicking the link so they can have access to the account.

  1. Use a unique password you’ve never used before.
  2. Never re-use your music streaming password anywhere.
  3. Don’t use Facebook, Google, etc. to log in. Instead, use your email address.
  4. Enable 2FA on your email account. Spotify does not support 2FA.
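
The two checks described above (did you request the link, and does the sign-in location make sense for you) can be written as a short mailbox triage script. This is an added example, not part of the original article; the email layout, the `music.example` address, the 10-minute window and the function names are assumptions, and the sample emails are constructed.

```python
import re
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Assumption: the notification body names an IANA time zone
# ("Asia/Shanghai"), as the Deezer email described above does.
ZONE_RE = re.compile(r"\b[A-Z][A-Za-z_]+/[A-Z][A-Za-z_]+\b")
REQUEST_WINDOW = timedelta(minutes=10)  # hypothetical tolerance

def triage(raw_email, home_zones, requested_at):
    """Classify one sign-in-link email as 'expected', 'review' or 'delete'.

    requested_at: aware datetimes at which the user asked for a link.
    """
    msg = message_from_string(raw_email)
    sent = parsedate_to_datetime(msg["Date"])
    reasons = []
    requested = any(timedelta(0) <= sent - r <= REQUEST_WINDOW
                    for r in requested_at)
    if not requested:
        reasons.append("no sign-in link was requested")
    zone = ZONE_RE.search(msg.get_payload())
    if zone and zone.group(0) not in home_zones:
        reasons.append(f"sign-in location {zone.group(0)} is not a home zone")
    if not requested:
        return "delete", reasons   # the article's rule: never click
    return ("review", reasons) if reasons else ("expected", reasons)

def make_email(date, zone):
    """Build a constructed notification; not a real Deezer/Spotify message."""
    return (f"From: no-reply@music.example\nDate: {date}\n"
            f"Subject: Your sign-in link\n\n"
            f"A sign-in link was requested at 8:56 pm, {zone}.\n"
            f"Log in now: https://music.example/login?token=PLACEHOLDER\n")

PST = timezone(timedelta(hours=-8))
HOME = {"America/Los_Angeles"}
REQUESTS = [datetime(2024, 3, 6, 9, 0, tzinfo=PST)]  # constructed
UNREQUESTED = make_email("Tue, 05 Mar 2024 20:56:00 +0800", "Asia/Shanghai")
REQUESTED = make_email("Wed, 06 Mar 2024 09:01:00 -0800", "America/Los_Angeles")
TRAVELLING = make_email("Wed, 06 Mar 2024 09:02:00 -0800", "Europe/Berlin")

if __name__ == "__main__":
    for raw in (UNREQUESTED, REQUESTED, TRAVELLING):
        print(triage(raw, HOME, REQUESTS))
```

An email that matches a request you made but shows an unfamiliar location is marked for review rather than deletion, since travel or a VPN can explain it.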

There have been numerous reports of Spotify login phishing attacks dating back to 2011. Some accounts are seeing upwards of 30 phishing emails a day from locations like Germany, the UK, the Netherlands, Asia, and more.