Security breach in Spotify premium accounts


Cota
Newbie

 

Last Tuesday, for the second time in 1 year I believe, someone hacked into my Spotify premium account and changed the email address. For the second time, Spotify suggested this was a problem of mine (security issues).

I have many accounts in different apps and websites (like everyone else), but this is the ONLY account I have ever had hacked. Someone had access to my password (which is totally unbreakable and different from the one I use in other accounts). I have to say I NEVER enter my Spotify password on ANY device that isn't my own, so in all the time I had a premium account, I have only logged in on my personal cellphone and my iPad (which never leaves my house). My question is, how is it possible to just change the email linked to my account without ANY validation on Spotify's side? Shouldn't you ask at least that the original email confirm this is a valid action? Or ask the user that is changing the registered email to send a bank statement? How can Spotify just decide this fraud occurred because of security issues of my devices and not take any responsibility?

22 Replies

Billy-J
Rock Star 24

Hey @Cota, welcome to the community 🙂

Sorry to hear that you think someone else has gained access to your Spotify account.

 

In this case, I would check out this Spotify Answer for the next steps to take.

Hope this helps 🙂

Billy-J, Rock Star 24
Help others find this answer and click "Accept as Solution".
If you appreciate my answer, maybe give me a Like.
Note: I'm not a Spotify employee.

Konvect
Newbie

Yeah, I just changed my password and cancelled my premium membership. It's such a shame to see Spotify blaming its users for getting hacked instead of fixing the problem. Got my playlists deleted and the hacker created a playlist called "Get Hacked". This ain't it chief

Billy-J
Rock Star 24

@Konvect,

 

I understand your concern. Safety and security is Spotify’s number #1 priority, and I do apologize for any inconvenience this has caused for you. 

 

You can follow these steps to protect your account here: https://support.spotify.com/account_payment_help/privacy/protect-your-spotify-account/. 

 

Let me know if you have any more questions 🙂


Azaida
Casual Listener

Not a good response. The forums are full of people getting hacked time after time, using secure and different passwords, Facebook and anything else you can add to protect it. And the response is “change your password”, no matter what extra details you provide.

Considering moving to Apple Music unless I get a proper response. You are being hacked! Admit it and solve it!

Jemi
Spotify Legend

Hey @Azaida, @Cota and @Konvect,

 

We're very sorry to hear this has happened to you, and we understand your frustration regarding this. Account security is no laughing matter, and keeping your accounts secure is something we take very seriously.

 

As much as we'd like to help you out from here, it looks like your accounts need to be looked into. You'll find all the necessary steps in this article. Please make sure to go through the article all the way to the end.

 

Let us know if there's anything else in the meantime. 

 

matthewmotamedi
Casual Listener

There was a data breach of about 338 confirmed accounts so far, but I don't think Spotify has notified any of these account owners. You may have been 1 of the people on the text file list of usernames and passwords. I got a notification from haveibeenpwned.com and did nothing about it until some random kept playing weird music on a device I did not recognize while I was trying to listen on my normal device. It was annoying, I kept getting pulled out of my song because we started battling for control of what device and what song the audio was to be heard on. I started playing really loud and obnoxious noise music for the hacker while I changed my password.

I HIGHLY RECOMMEND CHECKING IF YOUR ACCOUNT WAS COMPROMISED VIA (HaveIBeenPwned) which is a service that checks your email against the database containing password leaks, data breaches, and pastes. I would not have known if I didn't have notifications from that site from years ago.


Billy-J
Rock Star 24

Hey @matthewmotamedi.

 

Please read @Jemi's reply for further help regarding this.

Have a nice day 🙂


matthewmotamedi
Casual Listener

I know the proper steps to take after something like this, but Spotify needs to be 100% transparent in these events instead of acting like people are bad at picking passwords. Even if you have 2 step verification or log in using Facebook tied to two-step verification.

Vicctc
Newbie

Yes, it happened with us as well.  No Spotify support.  No capacity to engage anyone at Spotify on the Hack.  

 

Awful service.

Jannis9494
Newbie

Exactly the same thing happened to me.

 

I was also alerted by haveibeenpwned today.

All the hacked contacts were Spotify premium members.

This is outrageous and I will take this up with my press connections.

 

Kind regards

 

Cfr link

https://pastebin.com/HUdMa8Rx

Billy-J
Rock Star 24

Hey @Jannis9494, @matthewmotamedi, @Vicctc, @Cota, @Jannis9494.

 

I understand how you guys feel about your accounts being part of a security breach. Spotify can assure you, as mentioned in this support article stating: 'We can assure you that our platform and user records are totally secure. Account takeovers usually happen because of a breach on another service. If you use the same password for several services, they all have the potential to be compromised if one has a security breach'. 

 

I'd recommend checking out this guide for some more steps on protecting your account so that only you have access to it.

 

I hope this helps! If you need help with anything else, feel free to start a new thread and the community will be happy to help 🙂 


Insane666
Casual Listener

This week someone also logged into my account, changed password and all of my playlists! I was mad because I've been working on my playlist for ages haha. But isn't there like a 2auth stuff? So your account is more protected.

G_Loc
Gig Goer

@matthewmotamedi - My account was compromised as well.  Was listening to Spotify on my laptop this morning when I got notification that my music was playing on some device that I do not own.  HaveIBeenPwned indicated that my e-mail address was found in a 3 day old pastebin (removed already) which contained 366 other e-mail addresses.  I was able to find a hacking forum which listed the raw contents of the pastebin and sure enough, my Spotify credentials are listed.

 

Since it wasn't the same one you listed, I wonder if they've compromised thousands of accounts and are only releasing the login credentials little by little so that they don't arouse suspicion?

anecdote_queen
Casual Listener

Hi

And me. 

Got an email in French saying my account email and password had been changed. Had to reset my account. Then this week I get a notification from "have i been pwned" saying that my Spotify account details have been posted in a pastebin, as with the other users on this thread.

I am frustrated by Spotify's lack of announcement on this, and lack of apology or information on what happened.

Surely sign in security could be increased if there is a known issue going back months as on this thread. Just add a step to get email address and password address change verified via user's email.

I have logged  a support chat asking for full explanation of how my data was lost. 

Sarah

 

kirps
Casual Listener

Same here. I was trying to listen to music when only the free option was available to me. I have a family premium account. When I logged in I could see my wife's name was listed twice. One with her email address and the other with zasad89@**bleep**.com. Reset all my passwords and all user accounts passwords.

2 days later, which is today, I have got another bogus account with my name and the email address was elafifaco-7792@**bleep**.com.

Both accounts were **bleep**.com. Been through the Spotify support chat where the guys just reset my password again which I did 2 days ago and hope for the best.

kirps
Casual Listener

Why is yop mail being **bleep**

I think Spotify have been hacked and are trying to keep it quiet. That email address is notorious for people hacked as when I googled it Sony was hacked with this email host.

jono_83
Newbie

My premium got hijacked late August/early September! I knew things were weird (where the f*** are these playlists coming from?!) but didn't realize what was happening until October 2 when they switched me to a family plan! Spotify's customer service handled it totally great when I called, and I appreciate that. I was baffled at the time as to how it happened BUT THEN THIS WEEK I google my email to see what comes up and in the first two pages was a dump of Spotify usernames and passwords!! There was my email and my password, in plain text! The page isn't even sneaky about what it is! It's a whole bunch of Spotify logins! If there was a breach and they said nothing that's pretty shitty.

user-removed
Not applicable

Spotify is in breach of the General Data Protection Act by not taking steps to notify those concerned of the hack.

Article 34(1) states:

The GDPR states that communication of a breach to individuals should be made “without undue delay,” which means as soon as possible. The main objective of notification to individuals is to provide specific information about steps they should take to protect themselves.




anecdote_queen
Casual Listener

I have now also googled my email address and all my Spotify account details are there including my date of birth and password in plain text.

I have now spent the whole weekend using LastPass to start to change all my passwords...
