Woke up to my account hacked. Again. This is a Spotify security breach or session hijacking.


kaydiechii
Casual Listener

Plan: Premium
Country: USA
Device: PC only
Operating System: w10

My Question or Issue

Ok so I'm going to get a few things out of the way.

One; I only use Spotify on my computer and the only authorized device is my computer; no third-party apps that can play music are authorized.

Two; my email is very secure, requiring 2FA to log in, and more importantly I NEVER RECEIVE AN EMAIL about unauthorized login attempts, NOR do I receive emails about my password being changed.

Three; no matter how many times I change my password on Spotify to newly generated passwords, someone magically logs in and adds a bunch of shitty playlists and plays them nonstop for 30 seconds each song. We both know what's happening here: session hijacking followed by a bot farming ad revenue.

Four; my PC itself is also very secure. The session that is being played and controlling my playlist and songs is coming from an externally located source, but for some reason it doesn't show up as any third-party authorized application, and there is no way to view sessions and authorized IP addresses.

When the **bleep** are you guys going to add 2FA or validation of IP addresses or HWID to your service? This is a standard cybersecurity feature that should have been added in 2011.

It's been 10 years.

https://www.youtube.com/watch?v=THJfNJk08ds

**bleep** is practically a cottage industry. I'm not going to link to resources that provide illegal tools to illegally use backdoors in Spotify's API to perform these feats, but seriously, get **bleep** together. I've been paying for Premium for almost a decade now and I think I'm about fed up. The worst part? I can't fix the damage done to my recommended music after each breach; deleting the play history does nothing. Also I can't even post this post because I'm getting "flood detected" on my very first post.

Very nice, Spotify.

Oh, and it's 2021 and even though I'm a Premium user I STILL CAN'T HIDE SHITTY MUSIC THAT MY ACCOUNT IS NOW PERMANENTLY RUINED BY YOUR OWN SECURITY BREACH. I'm going to have to make a new account and import my playlists because I literally cannot change my recommended music anymore; it's permanently filth and there's literally NO OPTION on PC to hide songs, dislike songs, block artists, or anything.
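A defender-side check for the pattern this post describes (a session the owner never started, playing track after track for about 30 seconds each), written here as an added example rather than anything from Spotify; the log format, field names, sample rows and the KNOWN_SESSIONS set are all constructed for the illustration:

```python
# Added example, not Spotify's code. Log format, field names and sample
# values below are constructed for the illustration.
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log: "iso_time,session_id,client_ip,track_id,seconds_played"
SAMPLE_LOG = """\
2021-05-01T23:10:02,s-desktop,203.0.113.10,trk001,214
2021-05-01T23:14:00,s-desktop,203.0.113.10,trk002,187
2021-05-02T02:00:00,s-unknown,198.51.100.7,trk900,31
2021-05-02T02:00:32,s-unknown,198.51.100.7,trk901,30
2021-05-02T02:01:03,s-unknown,198.51.100.7,trk902,32
2021-05-02T02:01:36,s-unknown,198.51.100.7,trk903,31
2021-05-02T02:02:08,s-unknown,198.51.100.7,trk904,30
"""

# Sessions the owner actually started (the single authorized PC in the post).
KNOWN_SESSIONS = {"s-desktop"}

@dataclass
class Finding:
    session_id: str
    client_ip: str
    plays: int        # total plays seen from this session/IP pair
    short_plays: int  # plays whose length fell inside the ~30 s window

def parse_log(text):
    """Parse the constructed CSV-style log into (time, session, ip, track, secs) rows."""
    rows = []
    for line in text.strip().splitlines():
        ts, sid, ip, track, secs = line.split(",")
        rows.append((ts, sid, ip, track, int(secs)))
    return rows

def find_farming_sessions(rows, known=KNOWN_SESSIONS, min_plays=5,
                          window=(30, 40), ratio=0.8):
    """Flag session/IP pairs not in `known` whose plays are mostly ~30 s long,
    i.e. a session the owner never started, skipping tracks just past 30 s."""
    per_session = defaultdict(list)
    for _ts, sid, ip, _track, secs in rows:
        per_session[(sid, ip)].append(secs)
    findings = []
    for (sid, ip), durations in per_session.items():
        if sid in known or len(durations) < min_plays:
            continue
        short = sum(1 for d in durations if window[0] <= d < window[1])
        if short / len(durations) >= ratio:
            findings.append(Finding(sid, ip, len(durations), short))
    return findings
```

The thresholds (five plays, 80% in the 30 to 40 second window) are starting points to tune against real history; the owner's own long plays from the known session are never flagged.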


STLBatman
Gig Goer

Only thing not mentioned is a secure VPN connection if you're the target of a hack. I would run full diagnostics on your PC from Microsoft themselves. 2FA is not secure anymore, unfortunately. Also, have you tried running the app from your phone then casting it to your PC as a workaround?

Only other thing I can think of at the moment is to find an actual Spotify admin on here and DM them. Outside of that, someone could be running a doxbot on you, so no matter what you do, you're exposed to the hackers.

What, if any, communication have you received from Spotify security?

kaydiechii
Casual Listener

I don't really use my phone much at all, and I only ever use Spotify on my PC anyway. I very much doubt my brick of a phone could run Spotify; as I've looked into it, using my phone to "dictate" which artists is only device specific, so considering I use the desktop app primarily it would serve no purpose.

And on the topic of my own personal digital hygiene, I can confirm there were no unknown connections to my machine or router in the last 24 hours. I have extensive traffic logging set up for work, and unless the hijacking is coming from within the client itself, at which point anything that blocks the attacker would block the client, then there is no breach.

This exact thing happened about 8 months ago to my SO's account, and cybersecurity is a large part of both our jobs.

As others have pointed out, and as many, many journalists have started to write articles and catch on, this issue is not really mitigatable or avoidable on the customer and consumer end without more information being given to us in our account panel (let me see my sessions and whitelist or blacklist given IP addresses; even a VPN-using attacker would show up with a lot of easily loggable and traceable IPs to provide metrics for). A one-size-fits-all "disconnect all sessions" button is absolutely useless if the attackers are using a backdoor.

Maybe 2FA isn't perfect, but it's a **bleep** of a lot better than over 5 years of Spotify play history and carefully curated algorithm whispering going up in smoke in a single 8-hour period while I was sleeping, having my account completely destroyed.

I'm quite sure 2FA would have stopped this, unless the attack bypassed sessions altogether.

https://www.youtube.com/watch?v=whQ8UBoz-To

There's a lot of information in this video about exactly how this happens and why. I know you're trying to help and you're not affiliated with Spotify in any way, but this issue seriously needs more visibility; the fact that there are hundreds of thousands of compromised PREMIUM accounts on tap for anyone to buy for a few cents speaks volumes about how widespread this issue is. The fact that buying a 15-cent Premium account pays for itself within a day of running a bot on it is disgusting; the whole system is absolutely horrible and incentivizes this behavior.

STLBatman
Gig Goer

I understand your frustrations! I will try to escalate this to the admin team. 

Eni
Moderator

Hey @kaydiechii

We're sorry to hear that you feel like this and we'd like to help you sort this out.

It sounds like you've already followed the steps here. In this case, creating a new account is a good idea. You can follow the steps in this guide to transfer your music collection over to the new account so you don't miss anything.

Also, if you decide to use the new account, you can cancel your current subscription following these steps and re-subscribe on the new account.

Lastly, you can hide songs in the Discover Weekly and Your Release Radar playlists in the desktop app by clicking on the  next to the song's added date.

If you need help with anything else, just let us know.


andmpel
Casual Listener
Hello, cyber security expert here.

I would ensure you change not only your Spotify password, but also your email/social account password you use to log in.

Also run an antivirus scan using a tool such as Malwarebytes to remove any potential viruses that could be harvesting your credentials.

Best of luck.

Thanks.