Massive Security Flaw at Spotify

My account was taken over yesterday through the web player.
At first, I thought my password or email address had been hacked.
As a precaution, I changed both my linked email address and password. However, the hacker still had access via the web player for over 45 minutes before a Spotify employee finally terminated all active sessions.

This morning, I found three new passcode requests in the inbox of my now old email address – requests I definitely had not made. I’ve already linked a new email address to my account.

Just to test it, I tried logging into the web player with my new email and requested a code. The code can be entered as many times as you like within 20 minutes. That makes it trivial for a bot to brute-force the passcode. In 20 minutes, a hacker can try unlimited codes, and if unsuccessful, they can simply request a new code and start again.

Spotify MUST limit the number of allowed code entry attempts – and urgently. Five attempts should be more than enough.
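The attack the post describes, as an added example that is not code from the original post or from Spotify: a minimal one-time passcode verifier with a 20-minute validity window, run once with unlimited guesses (the flaw) and once with the five-attempt cap the post asks for. It assumes a 6-digit numeric code (the post does not say how long the code is); the `OtpVerifier`, `brute_force` and `FakeClock` names and the injectable `clock`/`randbelow` parameters are my own choices for the demonstration.

```python
"""Simulates passcode login with and without an attempt limit (added example)."""
import hmac
import secrets
import time

CODE_DIGITS = 6                # assumption: the post does not state the code length
CODE_TTL_SECONDS = 20 * 60     # the 20-minute validity window the post describes
MAX_ATTEMPTS = 5               # the cap the post asks for


class OtpVerifier:
    """Keeps one pending code per account and checks guesses against it."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, ttl=CODE_TTL_SECONDS,
                 clock=time.monotonic, randbelow=secrets.randbelow):
        self.max_attempts = max_attempts    # None = unlimited guesses (the flaw)
        self.ttl = ttl
        self.clock = clock                  # injectable so tests can fake time
        self.randbelow = randbelow          # injectable so tests can pin the code
        self._pending = {}                  # account -> [code, issued_at, failures]

    def issue(self, account):
        """Generate a fresh code; it replaces any earlier pending code."""
        code = f"{self.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[account] = [code, self.clock(), 0]
        return code

    def verify(self, account, guess):
        """Return True only for the correct, unexpired, not-locked-out code."""
        entry = self._pending.get(account)
        if entry is None:
            return False
        code, issued_at, failures = entry
        if self.clock() - issued_at > self.ttl:
            del self._pending[account]       # expired: a new code must be requested
            return False
        if self.max_attempts is not None and failures >= self.max_attempts:
            return False                     # locked until a new code is issued
        if hmac.compare_digest(code, guess):  # constant-time comparison
            del self._pending[account]       # one-time use
            return True
        entry[2] += 1                        # count the miss
        return False


def brute_force(verifier, account, budget=10 ** CODE_DIGITS):
    """Guess 000000, 000001, ... in order; return guesses used, or None."""
    for n in range(min(budget, 10 ** CODE_DIGITS)):
        if verifier.verify(account, f"{n:0{CODE_DIGITS}d}"):
            return n + 1
    return None


class FakeClock:
    """Manual clock so expiry can be exercised without sleeping."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


def demo():
    """Return (guesses needed with no cap, guesses needed with the cap)."""
    unlimited = OtpVerifier(max_attempts=None)
    unlimited.issue("victim")
    no_cap = brute_force(unlimited, "victim")   # always succeeds within 10**6 guesses

    limited = OtpVerifier()
    limited.issue("victim")
    with_cap = brute_force(limited, "victim")   # None unless the code was in the first 5
    return no_cap, with_cap


if __name__ == "__main__":
    print(demo())
```

With the cap, the sweep stops being useful after five misses, and even the genuine code is refused until a fresh one is issued. Capping attempts on one code only closes the unlimited-guess loop; because the post notes that an attacker can simply request a new code and start again, the issuing endpoint needs its own per-account rate limit as well, otherwise every new code hands the attacker another five guesses (a 5-in-10^6 chance per code under the assumed length).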

Comments
nDex2000

It seems the issue has already been fixed – the code can now only be entered five times.