If you have so far managed to distance yourself from the benefits and offerings that come with music streaming services like Apple Music and Tidal, and chosen instead to stay loyal to the Swedish company Spotify, then it may be time to do some account housekeeping and maintenance. Spotify appears to be the latest high-profile company to have suffered a server breach, with hundreds of usernames and passwords allegedly belonging to active accounts making their way onto Pastebin last week. Several of the account holders whose details were published have since confirmed that the details are correct and that their accounts do appear to have been breached.
Victims of the Spotify breach weren’t instantly aware of the situation, and it seems that Spotify hasn’t exactly been forthcoming with details, or operated in an open and transparent manner about the server breach. Regardless, it now stands confirmed that the leaked email addresses and passwords actually belonged to valid Spotify account holders, and that several accounts had indeed been hacked.
A number of the victims have confirmed that they had seen suspicious activity on their Spotify accounts around a week back, and although they remained unaware that their account details had been hacked, they chose to change their passwords. One victim has reported that he had “suspected” that the account had been hacked because the ‘recently played’ songs list contained entries that he had never interacted with. Another victim recounted a similar issue after noticing that the ‘saved songs’ section of the Spotify app contained a number of new tracks that weren’t there previously.
There have also been instances where users have received emails from Spotify alerting them that the email address on their Spotify account had recently been changed. While some users have managed to hold onto their accounts, others are still in the process of proving to Spotify that they are the legitimate account holders.
All of this points to a malicious third party having interacted with those accounts without permission, and perhaps continuing to do so. The interesting thing here is that Spotify is flat out denying that its servers have been breached and that any data has been removed maliciously.
“Spotify has not been hacked and our user records are secure. We monitor Pastebin and other sites regularly. When we find Spotify credentials, we first verify that they are authentic, and if they are, we immediately notify affected users to change their passwords.”
If Spotify chooses to run with that official line, then we really need to ask how those hundreds of account details made their way into the public domain. For now, if you have a Spotify account and you can still access it, then we recommend you change your password immediately and log out of all devices. It’s better to be safe than sorry.