Future Tense

Hundreds of Active Spotify Credentials Showed Up Online. Here’s How to Protect Yourself.

The New York City Spotify offices in June 2013.

Mario Tama/Getty Images

Music streaming service Spotify has had its share of high-profile cybersecurity breaches, but a new situation playing out this week is less clear-cut.

On Monday, TechCrunch reported on a list of working Spotify credentials that had shown up on the text hosting site Pastebin. The dump contained email addresses, usernames, current passwords, and other information like account type.

When TechCrunch reached out to Spotify users on the list, they confirmed that the information about them and their accounts was accurate. Many noticed strange activity on their Spotify accounts, and some even had to contact Spotify customer service when they were locked out by someone changing their account email address.

The list’s origins remain unknown. It could have been assembled from older Spotify incidents, or it could point to a new breach of Spotify’s network; the company denies the latter. When asked on Wednesday whether there was any update about the situation, Spotify provided the same statement it has been circulating since Monday:

Spotify has not been hacked and our user records are secure. We monitor Pastebin and other sites regularly. When we find Spotify credentials, we first verify that they are authentic, and if they are, we immediately notify affected users to change their passwords.

One likely explanation is credential stuffing: attackers take email address and password pairs exposed in other companies’ breaches and replay them against Spotify’s login portal, keeping the ones that work, which are exactly the credentials customers reused across services. “It looks like a leak that used stolen credentials from another breach—people tend to reuse the same passwords. With that said, there’s no way anybody can really know unless Spotify confirms it,” said Michael Borohovski, the co-founder of Web security company Tinfoil Security. “It’s fairly common. Attackers seek out services that don’t support 2-factor [authentication] so that they can run lists against them.”

Though we can’t know for sure that this strategy is the cause of the problem, it’s the likeliest candidate if Spotify is adamant that it didn’t have an internal breach. Regardless, Spotify users would be much better protected if the company offered two-factor authentication: a reused password on its own would no longer be enough to log in.

Some companies seem to be taking proactive steps to discourage their users from reusing passwords. On Monday, a Slate employee (who had been using the same password for Spotify and Amazon) received a security email from Amazon:

As part of our routine monitoring, we discovered a list of email addresses and passwords posted online. While the list was not Amazon-related, we know that many customers reuse their passwords on multiple websites. Since we believe your email addresses and passwords were on the list, we have assigned a temporary password to your Amazon.com account out of an abundance of caution.

Amazon has not yet returned a request for clarification on whether the list mentioned in the email is in fact the Spotify list, but it’s a positive practice either way. You must have heard the mantra by now: Use strong, unique passwords for all of your accounts, consider a password manager, and enable two-factor authentication everywhere you can. Luckily it was only hundreds of users this time—we know it can be far worse.
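What Spotify’s statement and Amazon’s email both describe is the same defensive routine: take a leaked list of email/password pairs, check which of them actually work for your own accounts, and force a reset on those. The script below is an added illustration of that check, not code from Spotify, Amazon, or the original article. It assumes a password store of per-user salts and PBKDF2-HMAC-SHA256 hashes (the scheme, the user records, and the dump lines are all constructed for the example), and it does the verification offline against the hash store rather than by replaying the pairs through the live login endpoint, which would look exactly like the attack it is meant to catch.

```python
"""Verify a leaked email:password dump against a service's own password store.

A pair in the dump is only "authentic" for this service if the leaked password
matches the hash we hold for that account. Matching accounts get a forced reset;
unknown emails and wrong passwords are noise from someone else's breach.
"""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass

# Assumed hashing scheme for this example. Production deployments should use a
# higher iteration count or a memory-hard KDF such as scrypt or Argon2.
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16


@dataclass(frozen=True)
class StoredUser:
    email: str
    salt: bytes
    pw_hash: bytes


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 of the password under the user's own salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def make_user(email: str, password: str) -> StoredUser:
    """Create a user record with a fresh random salt (constructed test data)."""
    salt = os.urandom(SALT_BYTES)
    return StoredUser(email.lower(), salt, hash_password(password, salt))


def parse_dump(text: str) -> list[tuple[str, str]]:
    """Parse 'email:password' lines as they commonly appear in pastes.

    Passwords may themselves contain ':', so split only on the first separator.
    Blank lines and lines without a separator are skipped, and emails are
    lower-cased so they match the normalised keys of the user store.
    """
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        email, password = line.split(":", 1)
        pairs.append((email.strip().lower(), password))
    return pairs


def find_reused_credentials(dump: list[tuple[str, str]], users: dict[str, StoredUser]) -> list[str]:
    """Return the emails whose leaked password verifies against our stored hash.

    Each candidate is re-hashed with that user's salt and compared with
    hmac.compare_digest so the check does not leak timing information.
    """
    hits = []
    for email, password in dump:
        user = users.get(email)
        if user is None:
            continue  # not our customer; nothing to reset
        if hmac.compare_digest(hash_password(password, user.salt), user.pw_hash):
            hits.append(email)
    return hits


def accounts_to_reset(dump_text: str, users: dict[str, StoredUser]) -> list[str]:
    """End-to-end: parse the paste, verify each pair, list accounts to force-reset."""
    return find_reused_credentials(parse_dump(dump_text), users)


# Constructed sample data (not real accounts). Alice and Carol reused the
# password that appears in the dump; Bob's leaked password is stale; Dave is
# not a customer of this service at all.
USERS = {u.email: u for u in [
    make_user("alice@example.com", "correct horse battery"),
    make_user("bob@example.com", "Tr0ub4dor&3"),
    make_user("carol@example.com", "pa:ss:word"),
]}

SAMPLE_DUMP = """\
alice@example.com:correct horse battery
Bob@Example.com:wrongpassword
carol@example.com:pa:ss:word
dave@example.com:hunter2
malformed line without separator
"""

if __name__ == "__main__":
    for email in accounts_to_reset(SAMPLE_DUMP, USERS):
        print(f"force password reset and notify: {email}")
```

Because the stored hashes are salted per user, there is no shortcut: every leaked pair has to be re-hashed under that user’s salt, so a large dump takes time proportional to its size times the KDF cost. That is acceptable for an offline batch job and is the reason the check belongs in a back-end process, not in the login path. The same routine works whether the list is “Spotify-related” or not, which is exactly how Amazon could act on a list that was not its own.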