Unrecognized / Unauthorized account use by web player - suspected bots


3rc
Regular

This is an issue that's been plaguing me for several months, and if it continues I may cancel my subscription and just subscribe to Google Play Music.

 

Several times now I have reset my password, logged out of all devices and removed access by any apps that might be the culprit. I've enabled 2FA through Facebook (how I log in) and removed ALL app access there. I've also completely cleared my cookies/cache in all my browsers, disabled extensions and anything that could possibly have access. I've even purposely not logged into the account from any browser - only the native Mac and/or Android apps.

 

It seems that web players are somehow gaining access to my account and playing music that I not only have never heard of, but is also not relevant to my listening history. Sometimes when I'm listening to music, it will stop and just start playing stuff that's completely unfamiliar. Whenever it happens, I see "Web Player" listed as one of the available devices.

 

The first few times I noticed this, the music I was listening to would stop and start playing something completely different. Even if I changed it back to something within one of my playlists, within 1-2 minutes it would change again. This hasn't happened in a few weeks since the last time I reset my password & cleared everything, but after noticing something similar yesterday I felt it necessary to make this post.

 

Here's a screenshot of a playlist that started playing while I was not using my account on any devices:

Screen Shot 2019-03-12 at 7.20.32 AM.png

 

Two things make me suspect that these are just bots using my account:

1) The active device isn't always changed to the web player, rather continuing on whichever one I'm using - so obviously it's not someone actually trying to listen to music.

2) The majority of what gets played is in the vein of "SoundCloud Rap" - artists that have a presence on SoundCloud and are obviously using several methods of promotion on their channels, either paid or cross-channel with other accounts.

 

To me, this indicates some shady programmatic efforts to inflate play counts for these artists. I know this is something that's naturally going to happen, where people abuse the system for their own gain, and I'm sure Spotify actively takes measures to combat these efforts to garner "false plays", just as false clicks are an issue in the world of Pay Per Click advertising.

 

By this playlist containing "Campaigns" in the title, I would assume this user account is at the very least complicit in what's going on. If you look into their brand, it appears they offer music management + "placement" services as well: http://www.3sixtymusicgroup.com/

 

Side note: Sorry if it seems like I'm putting your brand on blast (especially if you're legitimate), I'm just trying to convey some patterns here that may help get to the bottom of a pretty significant issue. I'm sure there are plenty of entities involved in similar (or worse) exploits, yours just happened to be immediately apparent.

 

While I understand that things like this are bound to happen, MY ISSUE is that Spotify frankly does not offer enough visibility or control to ensure that things like this don't continue to happen. Never mind the nuisance of my music stopping, having to endure the sonic abuse of this garbage music or its effect on my listening profile and the recommendations I get in Discover Weekly (one of my favorite / most-used features in the whole platform).

 

The fact that I can't see account access details, restrict or even report them is incredibly frustrating. Having limited visibility suggests that Spotify isn't truly concerned about the privacy of its users, especially considering we have absolutely no way to know whether this is an actual breach warranting concern or just some sort of exploit to hijack streaming use.

 

Please, Spotify, address these issues and provide us with enough assurances that security risks are actively being minimized. Provide us with better tools to report & combat these issues.

 

Your service has changed the way I listen to and discover new music, and I've advocated to the point of evangelism with everyone I know. But this issue does not bode well for my future as a subscriber.

 

Plan

Premium User

USA

 

Device

MacBook Pro (Mid 2015), Samsung Galaxy S9

 

7 Replies

Re: Unrecognized / Unauthorized account use by web player - suspected bots

isaumyam
Composer
Hi, reading your long message, the first question that comes to my mind is that I would like to know where you changed the password of your account from. I mean, did you do it on your computer or on your phone or tablet?
You might be wondering why I'm asking this nonsense question; the reason behind that is, if someone else is playing music from your account despite you changing the password, that means each time you change the password, the bot/bad guy knows what your password is. So, there may be some keylogger in your system that is grabbing and passing the password.

Moreover, do you use the Spotify API in any way? Because that could also cause this problem. For example, take a look at this Stack Overflow post: https://stackoverflow.com/questions/24705253/play-full-spotify-track-inside-my-own-website-using-spo...

Just covering all the ground for getting a proper answer for your issue.

Re: Unrecognized / Unauthorized account use by web player - suspected bots

3rc
Regular

Thanks for the reply!

 

I changed my password from my normal Chrome instance, then a fresh one (no extensions), then an incognito one, and once from my phone.

 

I also don't use the Spotify API in any way. The first time I tried troubleshooting the issue, I revoked access to third party apps directly from the Spotify account settings before changing my password, etc.

Re: Unrecognized / Unauthorized account use by web player - suspected bots

Rock Star 11

Hi @3rc,

 

First, I recommend you check out this article; please make sure you follow all the steps in it, including contacting Spotify. This way, Spotify's support team will be able to take a closer look at your account.

 

if you see any odd in Devices Available (find this in the Now Playing bar on mobile, or by clicking: in the bottom-right on Desktop).

If you do, you can toggle off the Show local devices only setting on your Android device. Here's how:

  1. Tap Your Library.
  2. Tap Settings. 
  3. Tap Devices.
  4. Switch on Show local devices only and try Connect again.

For additional information, you can check out this Staff comment.

 

Thanks :)

Brunelicia
Rock Star 11
Note: I'm not a Spotify employee.

Re: Unrecognized / Unauthorized account use by web player - suspected bots

3rc
Regular

Thank you for the reply! I sent a request, they reset my password (again) and I guess I'll just have to keep my fingers crossed that this stops happening.

Re: Unrecognized / Unauthorized account use by web player - suspected bots

Oa9
Visitor
@3rc after reading your post I can confirm that I have the exact same issue... Spot on! It has been away for a while now but today it came back on my phone in the middle of the night. Have you noticed anything since they reset your pw?

Re: Unrecognized / Unauthorized account use by web player - suspected bots

3rc
Regular

Yup, the day after someone actually deleted my wife and added 4 email addresses to my Spotify for Family account (at least one of which was a Yandex email). I reset my password AGAIN from my phone's browser, and since then have only logged into the Mac + Android apps.

 

Since then, I haven't seen anything playing on my account, but I have seen Web Players pop up under Devices randomly before disappearing. 

 

I also went ahead and ran ESET and BitDefender on my Mac just to be sure there's nothing that could be compromising my password, and neither found any threats with a full scan. Even if that WERE the case, it's highly suspect that Spotify is the only thing I'm having any sort of issue with, given I do all of my online banking and shopping from this machine.

 

When chatting with support I was told there's no way to gain visibility on where any of this web player access is coming from. To say the least, I'm extraordinarily unhappy with this whole situation.


Re: Unrecognized / Unauthorized account use by web player - suspected bots

basdej
Regular

I have the exact same thing, super annoying, and it also listens to rap music!! Changed my Facebook password, because that is how I log in; it did not help. But today I realized that I can also log in to Spotify with my email address. So I pressed forgot password and also changed that one (can't find any option in my account settings btw).

 

Fingers crossed.....
