A list containing hundreds of Spotify account details, including email addresses, usernames, and passwords, has appeared online. Despite this, Spotify is claiming that it “has not been hacked” and that its “user records are secure.”
As such, it's unclear how this list could have appeared on the text-sharing site Pastebin without Spotify having been hacked. As TechCrunch adds, it also remains unclear “where these particular account details were acquired, given that they are specific to Spotify, rather than just a set of generic credentials that just happen to work on Spotify.” The inclusion of account details such as subscription plans shows that the entries were pulled from Spotify accounts rather than being generic logins. One explanation consistent with the password reuse reported below is that credentials leaked from other sites were tested against Spotify and the plan details read out after a successful login, though this has not been established.
In addition to the email address and login information, the Pastebin post also lists the type of account (e.g. Family, Premium), when the subscription auto-renews, and the country in which the account was created. The list is not limited to the U.S.; it includes users from all over the world.
People with compromised accounts told TechCrunch that there has been strange activity on their accounts: songs have been added to their playlists, and their recently played tracks have been updated by some other listener. Other users were simply booted out of their streaming session while using Spotify, and found that their credentials had been changed when they tried to log back in. Spotify apparently hasn't reached out to the affected users, which, as TechCrunch notes, contradicts the service's only public statement on the matter:
Spotify has not been hacked and our user records are secure. We monitor Pastebin and other sites regularly. When we find Spotify credentials, we first verify that they are authentic, and if they are, we immediately notify affected users to change their password.
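The workflow Spotify describes above (verify that pasted credentials are authentic, then notify the affected users), applied to a paste with the fields described earlier, as an added example that is not code from the article or from Spotify. The paste layout (`email:password | plan | renewal | country`), the sample entries and the user store are all constructed for illustration, and the service is assumed to hold only salted PBKDF2 hashes, not plaintext passwords:

```python
"""Triage a pasted credential dump against a service's own user store.

Constructed example: the line layout, the sample paste and the user store are
assumptions, not the real Pastebin entry or Spotify's systems.
"""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass

# Constructed sample paste; every line is made up and none are real accounts.
SAMPLE_PASTE = """\
alice@example.com:hunter2 | Premium | 2016-05-23 | US
bob@example.net:correct horse battery staple | Family | 2016-06-01 | GB
carol@example.org:oldpassword | Free | - | DE
this line is not a credential
dave@example.com:Tr0ub4dor&3 | Premium | 2016-05-30 | BR
"""

# Assumed layout: email:password | plan | renewal date | country.
LINE_RE = re.compile(
    r"^(?P<email>[^:\s]+@[^:\s]+):(?P<password>.+?)\s*\|"
    r"\s*(?P<plan>[^|]+?)\s*\|\s*(?P<renews>[^|]+?)\s*\|\s*(?P<country>\S+)\s*$"
)

PBKDF2_ROUNDS = 100_000


@dataclass(frozen=True)
class DumpEntry:
    email: str
    password: str
    plan: str
    renews: str
    country: str


def parse_paste(text):
    """Return the entries that match the assumed layout and skip everything else."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(DumpEntry(**m.groupdict()))
    return entries


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def build_user_store(plaintext_accounts):
    """Constructed stand-in for the service's user table (salted hashes only)."""
    return {email.lower(): hash_password(pw) for email, pw in plaintext_accounts.items()}


# Constructed user table for the example service.
SAMPLE_USERS = build_user_store({
    "alice@example.com": "hunter2",         # still uses the leaked password
    "bob@example.net": "a-new-password",    # rotated since the paste was made
    "dave@example.com": "Tr0ub4dor&3",      # still uses the leaked password
    # carol@example.org is not an account on this service
})


def triage_dump(entries, user_store):
    """Classify each pasted entry without ever storing or logging the password:
    'authentic'  - known account and the pasted password still verifies
    'mismatch'   - known account but the password does not verify (rotated, or wrong)
    'unknown'    - no such account on this service
    """
    result = {"authentic": [], "mismatch": [], "unknown": []}
    for entry in entries:
        key = entry.email.lower()
        if key not in user_store:
            result["unknown"].append(key)
            continue
        salt, stored = user_store[key]
        _, candidate = hash_password(entry.password, salt)
        # Constant-time comparison so the check itself does not leak timing.
        if hmac.compare_digest(candidate, stored):
            result["authentic"].append(key)
        else:
            result["mismatch"].append(key)
    return result


def notification_list(triage):
    """Accounts whose pasted password still works: force a reset and notify."""
    return sorted(set(triage["authentic"]))


if __name__ == "__main__":
    found = parse_paste(SAMPLE_PASTE)
    report = triage_dump(found, SAMPLE_USERS)
    # Report counts only; never echo the credentials themselves.
    for bucket, emails in report.items():
        print(f"{bucket}: {len(emails)}")
    print("notify:", notification_list(report))
```

Mismatched entries are kept in the report rather than discarded: the account was still exposed, and a practitioner would normally review them (the user may already have rotated the password after noticing the odd playback activity described above).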
The issue seems to have begun at some point last week: the Pastebin entry is dated April 23, but at the time no news outlets were reporting on it. Some users have also found that other accounts, including Facebook, Uber, Skype, and even bank accounts, were accessed, because they had reused their Spotify email address and password on those services.
You can limit the damage from a leak like this by using a password manager such as 1Password to generate and store a different password for every site; a leaked Spotify password then unlocks nothing else.
It's unclear why the unknown third parties responsible for this incident would actually use the Spotify logins to play music, especially since that alerts users to the compromise. Typically, an attacker would simply collect and then resell the credentials, which makes this particular incident odd.
We'll keep you updated as we receive further information. In the meantime, check that your Spotify account isn't showing activity you don't recognise, and, as always, use a different, strong password for each of your online accounts.