
Is Spotify doing enough to protect their customer (600+ logins/passwords published on PasteBin)

Plan

Premium

Country

Canada

 

Device

Google Pixel 2

 

Operating System

Android 9

 

My Question or Issue

I recently found that my Spotify Premium account has been compromised. While I was listening to my music on my way home from work, I noticed random music started playing, and multiple devices which I didn't recognize appeared in available devices. After a little research and reading based on many of the discussions on here, I concluded that my account had been hacked, and my login credentials had been compromised. Following the steps provided by Spotify support, I changed my password and logged all devices out.

 

After reviewing many other similar posts, where Spotify Support provides the same old answer, I started questioning if Spotify is doing enough to protect us as customers. In my personal opinion, I think both the provider and the customer have a responsibility to protect personal information. I, as a customer, have to make sure I have a complex password, and the provider has to do their due diligence on securing the customers' information. This led me into doing more research on Spotify's security measures. I am no security expert, but just based on an hour or so of digging, I found some concerning vulnerabilities.

 

Findings

First off, I found that Spotify, a tech company that exceeds $6 billion in profit, lacks any modern authentication. What I mean by modern authentication is that there is no prevention of brute-force attacks, no detection of impossible travel activity, activity from an infrequent country, etc.

 

Most tech companies such as Facebook, Google, and Microsoft already provide modern authentication to avoid data breaches. It's scary that the submission of this post actually requires a CAPTCHA, but the Spotify login page doesn't have any validation via CAPTCHA even after many failed attempts to log in. Without any CAPTCHA validation, hackers can launch brute-force attack tools, which go through various combinations of passwords, attempting to log in.

 

I also used HaveIBeenPWNED.com to validate the severity of my situation. The results were very alarming, as the website reported that my credentials had been published to a publicly facing website designed to share content, which is often an early indicator of a breach. This was discovered along with 551 other accounts this month. Gaining access to Spotify is a small issue, but someone having a copy of my password is critically alarming. Hackers can take those published credentials and attempt to log in to all major online services, and gain access to even more personal information.

 

Conclusion

Sorry for the long post, but I want to bring awareness to everyone who is running into the same issue. This continues to frustrate me, and based on my reading Spotify isn't doing anything to fix this issue. So where does Spotify actually prioritize their investment? It doesn't seem like it's the security of their customers.

 

I will likely be ending my premium subscription soon, and use an online service that better protects their customers. Would love to hear everyone's thoughts on this matter.
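The two controls the post says are missing, brute-force throttling and impossible-travel detection, are straightforward to express as detection logic over an authentication log. The following Python is an added illustration, not part of the original thread and not Spotify's own code; the log format, the account names, the RFC 5737 documentation IP addresses and the thresholds are all constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample authentication log (not real Spotify data).
# Columns: UTC timestamp, account, source IP (RFC 5737 documentation
# ranges), country the IP geolocates to, and the login result.
SAMPLE_LOG = """\
2019-03-01T08:00:01Z alice 203.0.113.10 CA FAIL
2019-03-01T08:00:03Z alice 203.0.113.10 CA FAIL
2019-03-01T08:00:05Z alice 203.0.113.10 CA FAIL
2019-03-01T08:00:07Z alice 203.0.113.10 CA FAIL
2019-03-01T08:00:09Z alice 203.0.113.10 CA FAIL
2019-03-01T08:00:11Z alice 203.0.113.10 CA FAIL
2019-03-01T08:00:13Z alice 203.0.113.10 CA OK
2019-03-01T08:30:00Z bob 198.51.100.7 CA OK
2019-03-01T09:15:00Z bob 203.0.113.99 BR OK
2019-03-01T10:00:00Z carol 198.51.100.8 CA FAIL
2019-03-01T12:00:00Z carol 198.51.100.8 CA OK
"""


def parse_log(text):
    """Parse the whitespace-separated log into a time-ordered list of events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, ip, country, result = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "account": account,
            "ip": ip,
            "country": country,
            "ok": result == "OK",
        })
    events.sort(key=lambda e: e["ts"])
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Sliding-window count of failed logins per account.

    Returns {account: timestamp of the failure that crossed the threshold}.
    The same counter is what a login service consults before deciding to
    demand a CAPTCHA or back off: once an account has `threshold` failures
    inside `window`, further attempts are challenged instead of answered.
    """
    recent = defaultdict(deque)
    alerts = {}
    for e in events:
        if e["ok"]:
            continue
        q = recent[e["account"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and e["account"] not in alerts:
            alerts[e["account"]] = e["ts"]
    return alerts


def success_after_burst(events, alerts):
    """Accounts where a successful login followed the failure burst:
    the signature of a password guess that eventually worked."""
    return sorted(
        {e["account"] for e in events
         if e["ok"] and e["account"] in alerts and e["ts"] > alerts[e["account"]]}
    )


def detect_impossible_travel(events, min_gap=timedelta(hours=2)):
    """Two successful logins for one account from different countries
    less than `min_gap` apart. Real systems compute distance over elapsed
    time; comparing the geolocated country is the coarse version."""
    last_ok = {}
    alerts = []
    for e in events:
        if not e["ok"]:
            continue
        prev = last_ok.get(e["account"])
        if prev and prev["country"] != e["country"] and e["ts"] - prev["ts"] < min_gap:
            alerts.append((e["account"], prev["country"], e["country"]))
        last_ok[e["account"]] = e
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    bursts = detect_bruteforce(evs)
    print("brute-force bursts:", bursts)
    print("guessed after burst:", success_after_burst(evs, bursts))
    print("impossible travel:", detect_impossible_travel(evs))
```

On the sample log, `alice` trips the failure threshold on the fifth attempt and then logs in successfully, which is the pattern a CAPTCHA or lockout would have interrupted, and `bob` logs in from two countries 45 minutes apart, which a country-change check flags without any geodistance math.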

 

11 Replies

Hello @revelationzero!

 

I'm sorry to hear you feel that way. I'll try to clear things up a bit. 

 

Rest assured that Spotify's Data Protection team is doing its best to provide users with better security options. For instance, they're considering 2-factor authentication; you can find more info about this here.

 

In the great majority of cases, this login info is compromised because it's used in other unsafe services or because it's not strong enough. That's why Spotify strongly encourages users not to use the same password they use for other services.

 

For extra info on how to protect your account, I'd recommend checking out this Support article 🙂

 

Hope this helps and make sure to let me know if you have any other thoughts about this!

Jose_M (Spotify Star)
Help others find this answer and click "Accept as Solution".
If you appreciate my answer, maybe give me a Like.
Note: I'm not a Spotify employee.

Hi @Jose_M, 

 

Thanks for your response. 

 

It is still concerning that 2-factor authentication is only under consideration, rather than in development, even though there are numerous cases of compromised Spotify accounts. It almost seems that Spotify is playing catch-up, rather than being an industry leader.

In regards to your note on Spotify's vulnerability, there are many published lists on PasteBin.com of Spotify Premium accounts. These clearly show the vulnerability of Spotify, rather than of other services. I do admit my original password was not very strong, but I haven't had any other breach where my credentials were found on PasteBin.com in clear text. Since Spotify makes it easy for hackers to use brute-force attack tools, it's only a matter of time for simple and complex passwords alike to be broken. So I am still not convinced that the Spotify Data Protection team is doing enough to protect my personal information.

Just found out my Spotify credentials have been posted in clear text on pastebin.com as of today, along with 600 other accounts. 

Here's a screenshot I took from Pastebin, and my credentials are listed on here.

 

{snip - Community Moderator edit for sensitive info}

 

Yup, seems my account was in this dump. Opened Spotify today to see a random web player device connected, playing songs.

 

What **bleep** me off though is how impossible it is to actually remove a device connected to your account!

 

I pressed the sign out everywhere button, signed back in on my device to find this random device STILL playing songs through the web player?!

I then changed my password to something new, nothing like any other password I use. I sign back in and guess what, this random device IS STILL CONNECTED AND PLAYING.

 

How the f*** do I remove a random device from my account and why haven't Spotify implemented an easier solution to this?!

Hello there!

 

Spotify takes their users' security very seriously. In this case, I'd strongly suggest reaching out to Spotify here so they can take a further look into this and take the necessary actions.

 

Have a nice day 🙂

Jose_M (Spotify Star)
Help others find this answer and click "Accept as Solution".
If you appreciate my answer, maybe give me a Like.
Note: I'm not a Spotify employee.

Thanks for the response, Jose_M, but I'm not sure how I should contact Spotify to resolve this issue. There are many methods of contacting you guys, but I still don't feel like you guys are doing enough. 

I’m sorry but considering it isn’t enough. 

 

The lack of security is astonishing for a company of Spotify’s size. 

Hey @revelationzero and the rest,

 

Thanks for dropping by.

We are trying to keep the Spotify experience as hassle-free as possible.

We'd recommend voting for this idea, to let the teams know 2-factor verification is something you'd like to see implemented.

 

Until then, we suggest taking a look at this page where we give helpful tips on how to keep your account safe.

If you do notice strange activities on your account, please follow these steps.  Our Customer Support team will secure your account and help out more!

 

Keep in mind that the more valuable personal information like full payment details and your personal address will not be visible to any person that might gain access to your account.

 

Hope this clarifies some things. Let us know if you have further questions.

Have a nice day and happy listening!

Same thing with Netflix and many other popular services. That's nothing new. These sites don't force the user to secure their account. When a database gets leaked and the user uses the same email and password everywhere, expect this thing to happen very easily.

We are in the year 2022 and still this is happening, and today I was a victim. Seriously thinking of stopping my premium subscription.
