Hundreds of Spotify credentials appear online even as it denies any hack of its servers
Spotify users apparently suffered a significant privacy breach after hundreds of account credentials were leaked online on April 23. Personal details such as email addresses, passwords, whether or not the account was a premium account, the country of registration and the auto-renewal date for the account were posted on the text-sharing site Pastebin. The list includes users from all over the world. Spotify is an audio streaming site not available in India.
Despite this leak, TechCrunch reports that Spotify denies any hack or theft of user records, and denies that its own security has been breached. “Spotify has not been hacked and our user records are secure. We monitor Pastebin and other sites regularly. When we find Spotify credentials, we first verify that they are authentic, and if they are, we immediately notify affected users to change their passwords,” said the company in a statement.
However, the leaked account details are very particular to Spotify, including information such as account type and subscription renewals. Users did confirm the intrusion. Some reported unauthorised access to and use of their accounts, such as saved songs the account owner had never listened to, or being forced to log out in the middle of a session and discovering that their account email had been changed. There are also complaints that Spotify was slow to alert users that their accounts had been compromised.
A few users reported that their accounts had been stolen, and that the e-mail address tied to the account had been swapped for a different one. Users also reported that other accounts, including transport app accounts, emails and even bank accounts, were accessed using the passwords leaked in the text posted on the site. Users have been contacting Spotify support to recover accounts and passwords.
The important question is whether the details were taken from the users themselves or in a breach at another online service, rather than from Spotify itself. As noted by TechCrunch, the current leak is likely linked to a previous data breach. Spotify has been hacked before, and although that issue was addressed, it is very likely that not every affected user changed their personal information, hence a slew of new reports of unauthorised access based on the old information.