[All Platforms][Other] 2-Factor Authentication

Spotify should, as a matter of good practice and safety, implement 2-step authentication.

 

Previously, Spotify enabled the option to log out all sessions other than the current session.

This would prevent hackers from stealing accounts, which would additionally lead to fewer account hacks and less work for Spotify employees to assist in these cases.

 

More info: https://twofactorauth.org

Updated on 2018-10-18

Hi everyone, thanks for bringing us your feedback in the Spotify Idea Exchange. We’re ready to mark this idea as ‘Under Consideration’. 

 

We are currently investigating various solutions for account security for our users, e.g. 2-factor authentication. Any news regarding user-facing security updates will be posted to this thread as a status change.

 

If you'd like further information about protecting your account please visit our Support Site here.

Comments
Minasi

7 years and none? This night someone invaded my account. So what? What else can I do, but only change my pass? Come on, Spotify!!!

u6quco2kewer9lq8o0pl

Add more security options to the main Premium Family account in order to get a more secure and less annoying solution

These days I'm the victim of account hacking attempts.
I have to reset my password multiple times. As I use a very strong password, I think that I'm still safe, but having to reset such a strong password multiple times in a short period of time is really annoying.

Can we consider adding a security option to block any connection attempts from a foreign IP using an unknown device (every device should be already known from the targeted account)?
And I mean that it could be an (un)checkable option in the security configuration of the account, in order to leave the ability to add a new account when travelling out of the country.

The goal is to avoid having to reset the password and reconnect every single device (smartphone, Google TV, computer app or browser) every time Spotify detects a hacking attempt. When using a very strong password it's a real pain in the ass.

Thank you for the great app and service!

The_Orange_Frog

Added 2FA to my WordPress site the other day. Took five minutes.

 

Yes, Spotify is a much larger company with much larger systems. Yes, it would take them longer than five minutes. But it shouldn't take them over five years.

Akélé

According to Have I Been Pwned my personal information has been leaked through YOUR system. The compromised data include: my e-mail address (hopefully it has no personal info in it since it's just a secondary one), my IP address (hopefully it's just a generated one thanks to a VPN), and MY PASSWORD.

Someone just had access to all my playlists, listening history,...

In the European Union, a company's client data is protected by the General Data Protection Regulation (RGPD in French).

As a result, a data breach exposes a company to heavy legal penalties (up to €20 million or 4% of annual turnover).

Mary mother of god, all this could have been avoided if you gave more §hit about your users' security.

Excuse my English, I'm a French speaker.

Rangednare

@uncoy. It's about data leaks and stolen accounts. You can get Spotify Premium for 5 dollars (one-time payment) because of stolen accounts. You get a username and password and enjoy the premium till the owner manages to disable the payment method.

Or they join other people with a subscription.

I know 2FA isn't fully secure but you can't get access that easily anymore and you'll know in an instant when your password is leaked so you can change it fast. Start with 2FA via email/SMS. That works as well.

 

Clearly Spotify isn’t going to do a thing about this. I contacted support again on the matter and this time I didn’t receive a generic copy-paste response. So that’s one improvement in the usual response.

They assured me that they are considering 2FA and are apparently posting updates on their progress in this thread (not that I’ve seen ANY activity from Spotify support here).

I replied asking for proof that what I was told is actually happening. Support skirted around my request for any sort of proof and did not provide any.

My decision at this point is to export my playlists and such then delete my account altogether and rebuild my playlists via other means.

The lack of account security and continued failure to address the matter from support is simply not worth sticking around and I’m not about to stay and show spotify that they can get away with inaction and lies and still keep their users.

Come on, Spotify. It's been EIGHT YEARS since the idea was launched. You only care about artists since you gave an option for them to enable 2FA using authenticator apps. 🇪-🇮-🇬-🇭-🇹  🇫-🇺-🇨-🇰-🇮-🇳-🇬  🇾-🇪-🇦-🇷-🇸 

 

I know a lot of Telegram accounts and channels providing and selling legit combo lists that can be used for credential stuffing. 2FA protects users from credential stuffing attempts!

t3chfre4k

I just sent Spotify this message in their survey:

I'm going to gather as many people I can and file a class action lawsuit, to whom who you neglected ENISA's recommendations of using multi factor authentication stated under the GDPR law.
You're handling sensitive personal data like addresses, bank account info and PayPal billing data. It could cost you €20 million, or 4% annual global turnover in fines.
You've neglected the users' demand for MFA for eight years according to the idea forum thread on this matter.

 

---------

 

So if any of you users live in Europe and have had your accounts hacked, please write a comment here and share your story. We need to make Spotify understand that what they're doing is against the law, when people clearly have been subjected to Spotify's lack of user protection by not implementing Multi Factor Authentication.

walp

They don't know your PayPal credentials, only your PayPal email address.

t3chfre4k

Well ain't that cute? I'm trying to help and this wise guy comes in to point things out.

Well thank you. With credentials I didn't mean your login per se, but they have the permission to rip money straight out of your PayPal account sir. Hackers are nifty and since Spotify's security is poor af, would you feel safe knowing Spotify doesn't give a flying fork about if they accidentally let things get into hacker's hands... like the ability to bill your PayPal account on the behalf of Spotify? Well, I for sure ain't feeling too excited about their blatant behavior towards their users.

 

PS. Thanks for the comment dude. I love the constructive ones.