Spotify security issues with premium service - Beware-

Reply
Highlighted

Spotify security issues with premium service - Beware-

Newbie

 

 

 

 

I have had some serious issues and figured I would include them here since email response is very poor with spotify support.

 

I have included my correspondence below so that others can take precautions that this does not happen to them.

 

 

I used their contact form to explain that my account had been hijacked.

I explained that i changed my login with facebook password and used log off all devices.

I deleted all the Hijacker created playlists (russian pop artists)  

I recreated my playlists and believed issue was resolved.

Less than 10 hours later.. Hijacker was back.. but this time he communicated to my young daughter and myself with foul language and threats in Playlist titles.

Obviously I was angry and frustrated.. I followed the procedures to log out all devices and changed passwords throughout so that this could not happen.

 

 

 

Here is the first response from Spotify.:

-----------------------------------------------------

Hello

 

Thank you very much for getting in touch with us and letting us know what's going on with your account. We’re sorry to hear this has happened to you while using Spotify. 

 

We have been looking into your case and will investigate further. While we do this, we’ve also taken the precaution of blocking all users -- including you for now -- from accessing your account. 

In order for us to verify that you are the rightful account holder, please provide the following:

* The earliest Spotify payment receipt you have available 

* Your PayPal Invoice ID 

* The name of the payment method you use, date when you started making payments, the date every month are you billed, and any transaction ID if there is one 

Once we have the above information we will proceed to investigate. In the meantime, we strongly suggest you change the password for the e-mail address, and any Facebook profile, you have associated with your Spotify account.

Thanks and look forward to hearing from you. Let us know if you have any questions. 

 

Regards, 

Daniela

 

Spotify Customer Support

 

Did you know we have an extensive help section on our website?

 

 

------------------------------

Response

----------------

I responded with the requested information.. although hesitantly since it seemed to be WAAYYY more info than they need to verify my account.  

But I gave them the benefit of the doubt since I am a loyal customer.

 

----------Response from Spotify----------

 

Hey there,

Thank you for sending the requested information. We really appreciate your time and effort throughout this process.

We've located your account and can confirm that an unauthorized party has taken it over. However, please be assured your full payment information has never been displayed and that we've always applied rigorous security practices to protect your information.

 

Here’s what we’ve done in response:

* PAYMENT DETAILS ERASED

During the investigation, we erased your payment details for security purposes. To be able to resume payments, please re-enter your payment details here. 

* PASSWORD

As mentioned in our previous email, we strongly suggest you change the password of the email address, and any Facebook profile, associated with your Spotify account. You can make sure you're the only one currently logged into your Facebook here.

Note: As long as you change your Facebook password, then you'll be able to log back in with that password for now. If you haven't already done so, we recommend using a brand new password, one free from Facebook, Spotify, or any other service. 

Here’s what you can do to help prevent this from happening again:

* SECURITY

Please note that if you use Spotify on public computers you should always ensure that you log out before leaving. Simply closing theSpotify application does not constitute logging out. To log out, you go to File > Log Out. You should also log out of Facebook.com if you used it. 

We hope this resolves your issue. If you need anything else please let us know.

Have a great day!

 

Thanks,

 

Lee

 

Spotify Customer Support

 

---------------Response---------------

Response is obviously cookie cutter since they are telling me to do exactly what I have explained I have done prior to contacting them.

?!?!?!?

but fine..

 

-----------My response to them -----------

I understand.. What I am more concerned with is that your "Process" does not work..  You have a LOG ALL DEVICES OFF option in your settings which should have resolved my issue immediately.. It seems that this "Feature" does nothing at all..  This concerns me going forward with spotify.

 

They respond with more basic internet lessons--

 

Hello ****

 

Thank you for getting back to us. We understand your concerns in keeping your daughter's Spotify account safe. Rest assured, we're here to help you make sure this doesn't happen anymore.

 

As your daughter's Spotify account was created through Facebook, we strongly recommend you update her Facebook account's security as well. Keep in mind, you can make sure you're the only one currently logged into your Facebook account here. We suggest using this in conjunction with the Sign Out Everywhere feature of Spotify.

 

We also advise that you run regular security checks on all computers and devices you use. Remember that when logging into any services that require a password, the URL bar will have a padlock symbol. If you don't see one, do not provide your details. 

 

Please don't hesitate to get back to us if you need anything else. We're always here for you.

 

Take care,

-------------My spotify account has again been REHIJACKED.  this time from someone who LOVES singaporan male pop stars.

 

----------Final straw-------------

 

Dear Spotify support:

Please Delete the above account..

You made it clear that you logged everyone out and changed information.. 

I followed the instructions referenced above.. reset up my account and took valuable time recreating playlists etc..

Less than 12 hours later.. my account was again Hijacked.. This would be impossible as I have changed all PWs associated with the account.. Therefore.. Clearly this is a security fault in either the application or your processes..

As I mentioned above.. I will no longer be using that account and request that you delete it.

I do NOT want you to leave my free account active.. I have deleted my information and canceled my premium subscription above.. I will check to make sure this has been completed after 72 hours.

 

Yours Truly,

A dissatisfied customer.

 

(Of course since I had bought into the spotify ecosystem so strongly. (ps4, Home stereo reciever, Roku etc etc.) I am stuck.

So I created another account with different info and CC's. at no time was any recompensation for time or trouble offered.)

 

=====

I have included the above correspondence to find out if anyone else has encountered problems along the same lines?

 

Hopefully this will spur some deeper resolution to these issues.

 

 

 

 

 

 

3 Replies
Highlighted

Re: Spotify security issues with premium service - Beware-

Regular
I've recently had two separate instances like this. My account is hooked up to facebook with two form authentication. It would be extremely hard to hack the auth for Facebook without having access to my phone.

Yet people are continuously adding themselves to my premium family plan. Additionally, someone's account somehow linked all their playlist info to my account one day and started playing from their own device while I was listening. My wife's account got hacked and I had to provide my bank statement to spotify.

My conclusion about all of this is that Spotify either does not give a **bleep** about security, or their engineers are inept to handle the job.
Highlighted

Re: Spotify security issues with premium service - Beware-

Newbie

This this is the exact problem I am having right now. My playlists go missing, random foreign playlists appear, and now and again my music I'm listening to gets hijacked.

 

I have logged out everywhere, changed all passwords linked to the account, within 24 hours someone is back in.

 

I really like Spotify's service, I use it all the time but I have cancelled my subscription because I have serious doubts about their security.

Highlighted

Re: Spotify security issues with premium service - Beware-

Regular

This is a 7 month follow-up post to the original issue. I decided to give Spotify another chance at Premium and only limit it to a single device plan - not family. Unfortunately, it continues to have major security issues. Here are my findings:

 

- At the end of my billing period I find that my subscription plan has changed from single to family. Someone has changed the subscription plan, and my payment info cannot be removed from the account. I have to go through customer support for them to manually do this.

 

- Logging out all users from the Account website does not prevent them from logging back in. You need to change the password for trusted devices. Authentication can be cached on the client side, so users can immediately start using your account again. This is likely how most people abuse the system. My email has 2 factor auth, so I'm still at a loss how they get access to this.

 

- Check the account for registered Offline Devices that don't belong. Found some Android devices hanging around here added recently - I use iOS.

 

- I strongly feel that Facebook authentication is not the way to go for Spotify. It looks like they cache their authentication information. You can still log into my account using my older facebook credentials (wth??). So once someone has that information, you're pretty much done.

 

TLDR - Spotify is still the best music app out there but the security on premium is forcing me to choose another provider. If you decide to keep your Spotify Premium, check you Subscription Plan regularly.

SUGGESTED POSTS