Spotify denies hack; users subjected to weird music beg to differ
Hundreds of Spotify account details have been leaked online, but the Swedish music streamer is telling all to move along, please: nothing to see here and nothing’s been breached.
Nobody seems to know if the data posted to Pastebin on Saturday – including emails, usernames, passwords, account type (e.g. family, premium), date of subscription auto-renew, and the country where the account was created – comes from a fresh breach or not.
As it is, intruders have infiltrated Spotify’s systems multiple times in the past:
- In March 2009, somebody grabbed over a million password hash values.
- More recently, in May 2014, Spotify warned Android app users of a breach.
- And in February of this year, hundreds of account details were reportedly posted to Pastebin.
The question is whether the latest posting hails from one of those incidents, a new assault on Spotify or from attacks on people who happen to use Spotify using something like phishing or keylogging.
When trying out the credentials that appeared on Saturday, Tech Crunch found that only one of the accounts actually permitted a login, which Sarah Perez said “left room for doubt about the recency of this particular incident.”
But multiple users responded to Tech Crunch’s inquiries to confirm that their accounts were, in fact, recently breached.
One Spotify user said that he’d found songs added to his saved songs list that he hadn’t put there.
Another said that a third party got into his account:
I suspected my account had been hacked last week as I saw ‘recently played’ songs that I’d never listened to, so I changed my password and logged out of all devices.
Some told Tech Crunch that they’d abruptly been kicked off of Spotify – one in the middle of streaming music.
When they tried to log back in, the users found that their accounts had been hijacked by third parties who’d changed their account details to a new email address that they didn’t recognize.
None of the victimized users said that they’d been contacted by Spotify, although the company sent out a statement saying that it monitors sites like Pastebin for authentic user credentials, that it reaches out to users when it finds such, and that nope, there’s been no recent attack:
Spotify has not been hacked and our user records are secure. We monitor Pastebin and other sites regularly. When we find Spotify credentials, we first verify that they are authentic, and if they are we immediately notify affected users to change their passwords.
Although the Pastebin post was dated 23 April, users told Tech Crunch that their accounts were taken over starting last week.
More testimony from those whose accounts have been compromised:
The person was able to change my email address without a second verification, and now I’m jumping through hoops to close my account.
…and this, from a user who says somebody reset his or her email address, deleted a playlist, saved music to their device, and started following a new playlist:
…I was definitely hacked and later tried googling ‘Spotify hack news’ last night to no avail. … I noticed it last night when I opened Spotify on my phone and saw someone was using my account somewhere else.
Another Spotify user told Tech Crunch that an attacker managed to change their email address without tripping a verification message from Spotify.
Unfortunately, password reuse is compounding the pain, as it so often does. Some who reuse passwords on other sites have reported that other accounts have been breached, including their Facebook, Uber, Skype and banking accounts.
Even a long, strong, complicated password that looks devilishly hard to crack can become, effectively, a skeleton key to your whole online life if you’ve reused it.
Only time will tell – will it turn out to be a new incident, a resurfacing of credentials stolen in a previous attack, a collection of phished/keylogged logins, or … fill in the blank?
Whilst we’re waiting to find out, we could do worse than fill our time ensuring all our passwords are unique and that we’re using multifactor authentication wherever it’s offered.
Source | NakedSecurity