Spotify Connect Exploit - Spotiamb 0.2.1. - hijacks user accounts to play songs.

Solved!

Hi all,

Just wanting to draw attention to this. It appears that there is an exploit for Spotify Connect which uses the Spotiamb 0.2.1 extension to hijack user accounts and play a set list of songs. Affected users will see "Spotiamb 0.2.1" appear as an available Spotify Connect device. The result is that their account will, multiple times throughout a day at random intervals, play albums by these two artists, amongst others:

Dungeonsd: https://open.spotify.com/album/66xm00as0QlKB2dOE6fUpH

Tony Oldam: https://open.spotify.com/album/3m0eumQjUDrLyAwJmkFMpi

These tracks will interrupt anything the user is currently playing.

Other users are experiencing the exact same behaviour:

https://community.spotify.com/t5/Help-Desktop-Linux-Windows-Web/Random-unsolicited-song-hijacks-play...

https://community.spotify.com/t5/Help-Accounts-and-Subscriptions/Spotify-hacked-by-a-pro/m-p/1178797

Could a member of the Spotify team please comment on this? It is somewhat concerning that there appears to be an unaddressed exploit capable of making user accounts play any tracks they wish.

Many thanks.

Accepted Solutions
Marked as solution

yochimo135, the actions I took earlier this week have worked well for me so far.
As described above:
1. Revoke all App access
2. Logout all devices
3. Change password
4. Logout all devices

I'm not sure which action (or combination) that solves the issue, but I made them all to be sure.

I wonder how this came to happen, if it's a brute force, exploit or some kind of leak.
As far as I know, the combination of username/password I have for Spotify is unique and therefore couldn't have been leaked from some other dump.

Marked as solution

Solved.

I got excellent help from the Spotify support staff.

We went through all the motions: Facebook access, revoking, etc. All of which I'd covered on my own.

And then, when we finally got to the point of cutting the cord and restarting my account, a very (very) important question got asked. "Can you login with your Spotify account?" My huh? I'd logged in with FB from the get-go. "Looks like you logged in once with a Spotify account five years ago. Do you remember that password?"

Nope. But, hot-darn, that was the solution.

While I'd done everything under the sun to lock down my accounts, you know, since 2015, I'd left a backdoor to Spotify in the form of an account and a password I didn't care about at the time. Who'd have thought that five years later I'd be more concerned that my AI overlord's suggestions would be torn asunder by hacking?

Long story short? Changed and revoked the password. Bonus? The help was able to move my Discover Weekly goodness back to its original goodness.

All is right in the world.

Marked as solution

Hey folks,

Thanks for reaching out to us about this 🙂

We just wanted to let you know that if you don't have any luck with the solutions that other users have posted here, you can always reach out to our Customer Support team here. They can help make sure that your account is fully secured.

Hope that helps!

157 Replies

EDIT: I have edited the original post to include more detail.

Happening to me now with "silent Evening" MediEvol. Ugh, sick of having my account hijacked... First by some Mac laptop, then when I change my password. Still nothing.

Log in to spotify.com, go to your account, click disconnect all connections, or something similar to that effect. It should kick the Spotiamb off your account!

Sorry, "sign out everywhere" is the button you need to press.

"Sign out everywhere" doesn't seem to fix it for me.

Hey @Forsh

This sounds like something for our Accounts team to take a look at. Could you reach over to them at https://support.spotify.com/contact-spotify-anonymous/? They'll take a look behind the scenes for you.

If you receive an automated reply, get back to it and this will make sure your email gets through to the correct team. Also, if you post your 8 digit case # here, we'll make sure the right team get onto this for you too.

I hope this helps out.

Spotify's response to this issue.

"Thanks for your email. We understand that you're having issues with Spotiamb 0.2.1.

Spotiamb wasn't created by Spotify. Please contact them and they'll help out with this.

We're always here if you have any problems with the Spotify service itself though. Just let us know!

Cheers,

Marc"

Come on Spotify! Give a **bleep** about those paying to keep you in business.

That is insane. None of us have voluntarily had anything to do with Spotiamb. This is an issue that the Spotify team need to deal with.

Knock on wood, so far I have not been hijacked for a few hours. This was happening every 5 or 6 songs.

What I did...

Logged in to Spotify in my browser.
Went to "offline devices" and removed any that I was not sure of (two).
Then, "Set device password".
Logged out of spotify.
Logged back in with the new device password.

Fingers crossed.

Previously, I was logging in with Facebook. Changing my Facebook password did not help. Neither did setting an App password in Facebook.

I too have been hijacked by Spotiamb 0.2.1.

Not sure if it is coincidence but I have had to investigate slow internet speeds, and approx 1 GB is being uploaded over my network each day. I have no idea why.

How do I get rid of Spotiamb and what other potential problems can this hack have?

Hello @colesl4w @SuperBario @adker @Forsh. Staff here.

After further investigation it seems some accounts may have been accessed by attackers guessing the password after multiple tries.

Although it is listed as a Connect device, by no means was the Spotiamb player used in the compromise of accounts. The reason why it appears as a Connect device is because someone logged in with that user's credentials.

We recommend resetting your password and disconnecting from all devices using this link. If this does not solve the issue for you we will gladly help out. Send us a message over here then post your case number here.

We'll get it looked into immediately.

So I've done what you suggest, deleted all devices (which included a PC laptop that absolutely isn't mine) and changed my password but Spotiamb is still visible on my device list. The message link you supplied throws a 404, so you need to fix that.

Possibly related: this message came up when I logged back into my account on my iPhone. I don't have more than three devices.

Getting a bit spooked by this. Please sort it out. I gave Apple Music a spin but decided to stay with Spotify, couldn't see any compelling reason to change. Beginning to wonder now.

[attached screenshot: IMG_0226.PNG]

Hey @willboot

Are you still having issues after signing out everywhere and resetting your password?

Are you noticing anything else unusual on your account?

If so, it'd be best to get in touch with our Accounts team here.

Let us know how you get on.

So far today there's no sign of Spotiamb on my device list, so fingers crossed.

Can I repeat that the link you give to Accounts doesn't work?

Also note that in the attached recently played list, only 4 out of the 12 - Sam Cooke, Leon Russell, Ed Askew and ZOFO duet - were artists that I actually chose to play myself!

[attached screenshot: spotiamb.jpg]

@willboot Thanks for letting us know!

The link's working fine on our end. If you need to use it, try pasting it into an incognito window:

https://support.spotify.com/contact-spotify-anonymous/

Let us know if you see anything else unusual from this.

After messaging the support team and following all the instructions, my account is still being invaded by Spotiamb.

Hey @bastos. We'll get this looked into asap. Someone will be in touch via email shortly. 

Ugh... It's the same issue with me. I changed all passwords. I can't listen to my music in peace.

Why is this a mystery? Am I not paying for it?

@amarmitra

Hello:

What I can do is tag