[All Platforms][Other] Real Security Measures (Personal Usernames)


Creating this post to hopefully get to the right folks. So a while back when you guys implemented the new security measures (changing everyone's usernames to some dumb 40 digit long string of random numbers and letters), my account started acting up, so I did what anyone else would do. I contacted your support team for help with the situation. Well, I don't know if she was new, didn't speak English, whatever. She deleted my account without giving me a heads up or anything like that, just said here's your new username and password, go change your password. Thankfully I had to recreate all of my playlists, because why wouldn't I want my account deleted without knowing about it or to add thousands of songs back to my account, right? This, however, is what a Spotify Advisor just told me: "I know where you're coming from, but before we process any account consolidation or merging, we always ask our customers which account would they want to keep and close." Which obviously wasn't the case, at least in my experience.

I wondered why, if my username was changed though, why wasn't everyone else's? Well, I guess they only care enough to "protect" the new accounts (accounts created after those "security measures" were added). However, if this is such a big security issue, giving everyone these stupid usernames, which no other company on planet Earth does, why doesn't every company do it? Well, there seems to be a big flaw with their logic. See, if someone already knew your login details, meaning they have your password and username already, they can still access the rest of your information as well. You have the ability to sign in with either your username or your email address. Either way you sign in, if you go to the edit profile page they can see your uncensored email right there. Meaning they have even more of your details, making your account even less secure.

So begs the question, if they felt this was such a huge step for our security, why did they change everyone's usernames? Because it doesn't add any additional security to you or your account at all. Some things they could do, however, would make it so you have to use your email to sign in instead of being able to use your username, if they're worried about someone seeing your public username. Bang, now there's no issues with someone having half of their login. But wait, you might say, what if someone uses part of their email as their username, you might ask? I'm sure we've all seen it on some website where it detects what you input for your email and doesn't let you enter the same details. Example: Email: *snip* Username: TestEmail. See, that wasn't so hard, and it gives your community the ability to create their own unique identifier / username.

Don't think that's secure enough? I'm sure a lot of you, just like I, use Gmail for our personal email as it has the most security measures to it. For one, a cool thing that Google does is they block IPs which are not from around your location of where you created your account. It's really quite cool. See, I know all of my login details, but if I turn on NordVPN and change my public IP address to somewhere across the state, or even world, then try to log in, even though I know my login details (because it's my account), it will not let me sign in and sends me a notification stating someone attempted to gain access to my account, shows their IP they tried using while signing in and gives me a nice bit of reassurance knowing that my account is safe.

Another way to add real security to your system would be by giving us the ability to add ACTUAL security steps to our accounts. The one listed above would more or less be fully implemented into everyone's account, but what could be some ways us, the users, could further protect our account? If we had the ability to add security steps!

Let us add a personal question to our account such as "What was the name of your first elementary school?" "What was the name of your favorite pet?" etc. You may say that's too easy, but what about some others? The ability to add our phone numbers to our account! When you want to sign in to your account on a different device you'll get a pin that only lasts a set amount of time, ensuring only you will be able to use it and gain access to your account. Another? Implement an authenticator app into the system. Google Authenticator is an incredibly nice app that I use for everything that has the ability to enable it on. I use it for work, school, everything. With an app where the combination is constantly changing and only you have access to the app, as I believe you can only have it on 1 device, is an amazing idea, right? What about a second email? Add the ability to set up a backup email in case something happens to yours and you want to make sure no matter what you can still gain access to your account and listen to your sweet jams.

The funny thing is, if you go to your account overview you don't have the ability to enable any of these because, in my opinion, Spotify doesn't actually care about your security at all. If they did, they would have changed all of the older accounts' usernames as well instead of just the ones created after that "security measure" was implemented. If it's only for half of your users, what good does that do those other customers? Exactly, it doesn't do anything for them besides let them look like OGs because they have a custom username ;). My advice: implement some REAL security measures and just give us the ability to set our own usernames. If this was such a security breakthrough every other company would be doing the exact same thing.

3 Replies

Hello @Andrew1Downs!

 

Thank you for reaching out to us here on the Community!

 

We'd like to apologize that this has happened to you and we'll do our best to provide you with as much information on the matter as possible.

 

Usernames on new accounts are now a string of letters and numbers in order to be able to provide more customization options for our users. With the implementation of this feature we were able to allow users to choose the display name they would like to have, and gave them the option to edit that name as well. The information you were given that the primary function of the randomly generated usernames is for security reasons is thus incorrect and we'll make sure to pass this on to the right team, so it hopefully avoids any future misunderstandings. To confirm - the new username implementation was necessary for several technical reasons as well as for the option of the custom Display Names that we mentioned.

 

We absolutely understand your comments regarding security on Spotify and how randomly generated usernames would not necessarily be the best approach. As mentioned, the change was not done primarily for security reasons. Nevertheless, we do take account security very seriously. Currently, we have a process in place where our systems proactively reset passwords as a precaution and we send out emails notifying our users. You mentioned using a VPN - this can for example trigger our security system and you'd need to reset your password. This is an extra layer of security which would bring any suspicious activity to your attention and allow you to take necessary measures, while at the same time proactively securing your account.

 

Last but not least, you mention that your username changed to the new format and that you had to restore your playlists. We didn't update old usernames of already existing accounts so it sounds like you were able to create a new account with the same email address.

 

We'd recommend that you reach out to our support team again as they might actually be able to assist you in clearing up the matter. If you'd like to try another channel to talk with a team member, we'd suggest sending a DM or PM over on either our Twitter or Facebook @SpotifyCares accounts. Whichever way you choose, ask the advisor that will be taking care of you to search for other accounts with the email you're using. You can even let them know we suggested this as an action. They should then be able to shine more light on that and even help you get some of your original playlists back, as it's possible that you still have 2 accounts with us.

 

We hope this information helps and we'll be here if there's anything else you'd like to ask or report.

Elena (Moderator)
Help others find this answer and click "Accept as Solution".
If you appreciate an answer, maybe give it a Like.
Are you new to the Community? Take a moment to introduce yourself!

Okay, so let's start here. I was told by 3 different representatives that the name change was specifically for security purposes, to prevent anyone from having say part of their email or anything like that in it and to make your account more secure. Secondly, by the exact same representatives as well, I was told that I cannot change my username and it's only what the system assigns you. So if you give the option to change my username, where is it? It's nowhere under my account details when I log in to your website. Thirdly, your system for some reason does not allow me to edit any of my personal information. If I try to edit my phone number it says that my email is already in use. If I deleted my email from that text box it says please enter a valid email.

Also, that security "feature" you listed clearly does not work very well. If someone from halfway across the world attempts to access your account, you're saying they still can? Just like the next day, it will ask you to reset your password? However, I was still able to stay logged in on my computer after a password change. So, attempting to put that "security measure" to play and test it out, I turned on NordVPN and changed my location to someplace in China. I was still able to access my account with no hesitation. That's not added security, because anyone can still access your account and get all of your personal information. The things I had listed in my original post were security improvements instead of your FAKE security. Block the person from signing into your account on an IP across the globe as Google does, that adds security. I listed many more that would actually work, and would actually add security to your account. If you allow someone on an IP from India to access your account, what's the good in that when they can see all of your personal information right there and update it, or change it to whatever they want? That makes no sense.
You guys don't provide us with anything that will actually keep our accounts, and our personal info safe at all. You provide us with a sense of fake security and try to play it off like you actually care about your customers, when clearly you don't otherwise you would have had at least a few of the things I stated in my first post here implemented years ago. The fact that you don't give us the option to set any added security measures at all is just insane because yours do not work and every single theory your advisors threw at me I came straight back and dismissed it and clearly stated, proved why it was inefficient. You guys should be looking to hire a security consultant to actually make some improvements to your system, and just so you know I'm completely free if you want to get me on the phone with someone from Spotify who will actually listen I will explain in detail every single little issue I found with your system and how to fix it as well. Let me know, and keep me posted. PS: If the information you were telling me about the usernames are changeable, and it was NOT for security reasons and that's all correct then you need to inform your staff a little better as everyone from Spotify that I've spoken to has a different answer.

Thank you for getting back to us @Andrew1Downs,

 

We can confirm that usernames which consist of letters and numbers were not put in place with security being the primary reason. They are unique identifiers of Spotify accounts and this is why users cannot change them. What you can edit is the display name that shows up in the app. This name is set upon account creation under the field "What should we call you?". This display name is not unique and can be changed from the app's settings. You can learn more about how to do that here.

 

We assure you that we'll clear up this info within the team to avoid future confusion and we apologize once again that you were given a misleading explanation.

 

The issue you describe with your account and not being able to make changes to your personal details could be caused by having 2 accounts with the same email address in the system. This is why we recommended reaching out to the folks over @SpotifyCares that can sort this out for you. As mentioned, feel free to let them know we recommended a search in our systems with your email address.

 

The password resets that we note in our previous post are automatic and won't always be triggered by the same factors. We cannot disclose the exact protocols they follow in order to keep the system secure. We appreciate all of your concerns and we'll pass on your comments and suggestions about security measures further. Currently, we have a Live Idea on our Community about using two factor authentication that you can find here and you can leave a +Vote to support it.

 

Let us know if you have any further questions.

Elena (Moderator)
