Announcements

Spotify secretly passes credentials to Facebook (and reactivated my Facebook account)

Spotify secretly passes credentials to Facebook (and reactivated my Facebook account)

First of all, I've seen the various 'Disconnect from Facebook' tutorials on this site, Reddit and the rest of internet, but I don't think they apply. Please read my message first.

 

I've deactivated my Facebook account months ago, and I've listened to spotify numerous times since, both on my desktop and on my mobile phone. I'm quite certain I've logged in and out a couple of times as well, although I'm usually just logged in, so not very often.

 

This morning I logged in into Spotify on another PC (Windows, desktop), and got an e-mail from Facebook saying that my account was re-activated by the Spotify application. 

 

Surprising, because I don't recall ever having linked my Spotify account to Facebook in the first place, and my account is not linked to Facebook as far as I can tell. For instance my account page says that I have the option to connect to Facebook. My desktop client shows a similar possibility. No mentioning of any existing connection.

 

AccountPage.png

 

 

The only thing is, since it's been a while since I actively logged in into Spotify, I didn't recall whether I should log in using just username or complete e-mail, so after user name failed (wrong password, I assume), one of my attempts was using the e-mail address. Since my current Spotify password is the same as my old Facebook password, this set of information would be valid login info for Facebook.

So note that I didn't use the Facebook login! I did only attempt to log in into Spotify 'normal' way using credentials that happened work as well for Facebook. 

That didn't even work, and eventually I logged in using just my username and my spotify password.

 

So my suspicion is that Spotify, if a login fails, also attempts to use those same credentials to log in into Facebook, and that is what caused reactivation of my account.

 

This suspicion is confirmed by Facebook itself. Since my account was now active, I logged in to de-activate it again, and saw that Spotify was added as an app only today. Before de-activating it, I changed my Facebook password to 60 characters of garbage, so an incident like this won't happen to me again, but still it's worrying that his happened.

 

It means that Spotify actually provides Facebook with my Spotify credentials, even if I don't have a Facebook account. Hopefully it's just as a fallback so Facebook only gets the incorrect credentials, but still, this is undesired behaviour. It shouldn't do that at all, unless users select the 'Log in with Facebook' button.

 

Brief order of events:

  • Tried and failed to log in using incorrect Username and/or password
  • Tried and failed to log in using Email and Password which happened to match my old Facebook account too. This is probably what triggered activation of my Facebook account.
  • Logged in using my actual Username and password, which worked fine.
Reply
11 Replies

I've been trying to unlink my Facebook from Spotify so I can log in without Facebook, and it's proving to be a nightmare. It wouldn't surprise me at all if there it stuff going on behind the scenes with Facebook and Spotify. Probably back-handers to keep people active on Facebook for as long as possible.

This kind of stuff is unacceptable, and it's partly why I'm trying to shrink my digital footprint. It seems these companies are as corrupt as our governments.

In all the years I have been using Spotify I have NEVER seen the constant streams of messages about hacked accounts, payment problems and login problems until Facebook started to dominate the scene.

 

It's manipulation disguised as progress, and the older and wiser you become the more wary you are of it,.

 

I am so happy that I do NOT use Facebook and have never given Spotify my bank/card details. The combination has proved itself to be woefully problematic and lacking in security.

 

Eventually all Spotify users will be FB users.

 

People who share my wish for privacy and security will all have left, or will not have signed up at all. The non-FB option login is being progressively reduced to small print, while that big blue login button just smacks you in the face.

 

It was bound to happen, but I don't think people realise the extent of linking all accounts to social media. It's gonna be hell in the future.. Get out now while you still can!

Well, I didn't link them. That's the whole point!

 

In fact I have never (or at least rarely) linked any websites or applications, apps and games to Facebook. In some cases you are required to link them to unlock certain features, but in those cases I just do it without.

 

But Spotify basically tried automatically if the credentials I entered would work for Facebook too (without any existing link), and that's what's wrong here.

That's absolutely mad! If it doesn't say in Spotify's terms and conditions that they may pass your details to other companies, then there's something very wrong here..

The best way to avoid all this is to create your Spotify account with a different email address from the one you use for facebook (past or present).

 

That will give you a Spotify username of your choice, and no connection at all with facebook. You will be able to follow / be followed by other Spotify users. You won't have a profile pic, but if you're worried about privacy, then that's a good thing.

 

It's not that hard, but people just prefer for facebook to be everywhere over any privacy they might have left.

osorniosSpotify Star
Help others find this answer and click "Accept as Solution".
If you appreciate my answer, maybe give me a Like.
Note: I'm not a Spotify employee.

That doesn't make sense. I can't make a different e-mail address for every application, website or service I subscribe to, and I shouldn't. 

 

I *do* admit that the passwords should have been different, but then still, Spottfy shouldn't have secretly tried this.

I does make sense. You don't have to make an email address for every service, but it's good practice to have a spam email address to give when an app, website or service ask for one.

 

I have a personal email which I use for actual emails, and another one to give when a website asks for one. I understand that having a separate one for facebook is kinda overkill, but I wouldn't trust fb with any of the other two, and that's just me.

 

For Spotify, all I'm suggesting is to use a different email address from the one you use in fb, and definitively stay away from using fb's login system, since it's unreliable at best.

osorniosSpotify Star
Help others find this answer and click "Accept as Solution".
If you appreciate my answer, maybe give me a Like.
Note: I'm not a Spotify employee.

I completely agree with you about FB's privacy issues, which is why I canceled my Facebook account in the first place. But for many people Facebook is an important application, just like Spotify or whatever else, and they want e-mail notifications from all those media to end up in their central mailbox, and not in some spam-account.

 

And it's hard to make a distinction anyway, because I kinda trusted Spotify, but still that is the application I'm complaining about now. This is not Facebook's fault. I didn't even use the Facebook login. The Spotify application just decided by itself to try if my given input would work as a Facebook login.

The fact that my e-mail address was the same may be silly, but it shouldn't have done that at all.

 

Of course easy to prevent, and I should have done it before by using at least a different password, but reality is that many users only have one e-mail address and often recycle passwords, and that Spotify is either accidentally or deliberately passing this information on to an unrelated third party.

 

All the work-arounds are nice, but they are just a precaution against Spotify leaking sensitive information.

As a solution I would like to see that Spotify simply changes this behaviour.

yeah having same issue, my problem is that i cannot use FB where i am so i just need to change over to email credential seems simple to me, im on the verge of pulling the plug & im a premium family member, its not worth it if i cannot control my own account.

Yeah me too. I just signed up for spotify with my gmail address, which used to be used for facebook, but I changed my facebook email ages ago.

 

I get an email from facebook saying the account was trying to reactivate and is it me...

 

It's a bit suss. I'd like some answers about this. This is disshonest on the behalf of Spotify and Facebook. As I clearly did not connect Facebook to my new Spotify account at all.

Suggested posts