Spotify Denies User Details Hacked After Passwords Show Up Online (mashable.com)
Not long ago a list of hundreds of Spotify subscribers was dumped on Pastebin. The list included email addresses, usernames, passwords, account type, and plenty of other details. Also, TechCrunch independently confirmed that some of the credentials listed were indeed legit. The music streaming service is now assuring users that there was no "large-scale" hack. Samantha Murphy Kelly, reporting for Mashable:
> It appears that some accounts were compromised in the past few days. According to the report, some Spotify users discovered their passwords and email addresses attached to accounts were recently changed without authorization. Others spotted new songs saved to playlists they didn't manually add. Despite users reporting shady activity, Spotify told Mashable it denies it is a part of a large-scale hack. "Spotify has not been hacked and our user records are secure. We monitor Pastebin and other sites regularly. When we find Spotify credentials, we first verify that they are authentic, and if they are, we immediately notify affected users to change their passwords."
maybe a link to the pastebin (Score:1)
so people can know if their credentials are out there.
the ne'er-do-wells are going to find it anyway ffs.
Re:maybe a link to the pastebin (Score:5, Informative)
You could try Have I Been Pwned?
https://haveibeenpwned.com/ [haveibeenpwned.com]
Re: (Score:1)
it didn't ask for a password, just an e-mail.
Re: (Score:2)
yep, put your login and password in there to check it out!
LOL!
"Have I been pwned?"
"You have now!"
Yeah, sure you do... (Score:3)
When we find Spotify credentials, we first verify that they are authentic, and if they are, we immediately notify affected users to change their passwords
This assumes that the cracker has not changed the contact info for the affected account.
---
[cracker]: I've cracked Joe Blow. Change contact to haxx0r@evil.com
[Spotify]: To: haxx0r@evil.com. Dear Joe Blow, please change your password.
[cracker]: Mwa-ha-ha!!!
Re: (Score:2)
Better damage control would revert changed email addresses on the affected accounts.
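The point made in this thread (a reset notice sent to a contact address the attacker just changed reaches the attacker, not the owner) is a design problem in the email-change flow. The following is an added example, not Spotify's code and not from any poster: a toy account service (an assumption for illustration) that tells the previous address about every change, gives it a revert token, routes security notices to every address that held the account within the revert window, and revokes sessions on revert. The `joeblow` / `haxx0r@evil.com` values are the thread's own illustration.

```python
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class EmailChange:
    old_email: str
    new_email: str
    changed_at: datetime
    revert_token: str
    reverted: bool = False


@dataclass
class Account:
    username: str
    email: str
    sessions_revoked_at: Optional[datetime] = None
    changes: List[EmailChange] = field(default_factory=list)


class AccountService:
    """Toy account store (hypothetical, not Spotify's system). Every message it
    would send is appended to `outbox` as (address, text) so it runs offline."""

    REVERT_WINDOW = timedelta(days=14)

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.outbox: List[Tuple[str, str]] = []

    def register(self, username: str, email: str) -> None:
        self.accounts[username] = Account(username, email)

    def change_email(self, username: str, new_email: str, now: datetime) -> str:
        acct = self.accounts[username]
        token = secrets.token_urlsafe(32)
        acct.changes.append(EmailChange(acct.email, new_email, now, token))
        # The previous address is told about the change and gets the revert
        # token; the new address only gets a plain confirmation.
        self.outbox.append((acct.email, f"Your contact address was changed. Revert: {token}"))
        self.outbox.append((new_email, "This address is now the contact for your account."))
        acct.email = new_email
        return token

    def notify_addresses(self, username: str, now: datetime) -> List[str]:
        """Where a 'your credentials were found in a dump' notice goes: the
        current address plus any address replaced within REVERT_WINDOW."""
        acct = self.accounts[username]
        addrs = [acct.email]
        for ch in acct.changes:
            if not ch.reverted and now - ch.changed_at <= self.REVERT_WINDOW:
                addrs.append(ch.old_email)
        return list(dict.fromkeys(addrs))  # de-duplicate, keep order

    def send_security_notice(self, username: str, now: datetime, text: str) -> List[str]:
        addrs = self.notify_addresses(username, now)
        for a in addrs:
            self.outbox.append((a, text))
        return addrs

    def revert_email(self, username: str, token: str, now: datetime) -> bool:
        """Restore the previous address if the token is valid, unused and
        inside the window; also invalidate sessions of whoever made the change."""
        acct = self.accounts[username]
        for ch in acct.changes:
            if (not ch.reverted
                    and now - ch.changed_at <= self.REVERT_WINDOW
                    and secrets.compare_digest(ch.revert_token, token)):
                ch.reverted = True
                acct.email = ch.old_email
                acct.sessions_revoked_at = now
                self.outbox.append((ch.old_email, "Contact address restored; please set a new password."))
                return True
        return False


if __name__ == "__main__":
    svc = AccountService()
    t0 = datetime(2016, 4, 25, 12, 0)
    svc.register("joeblow", "joe@example.com")
    token = svc.change_email("joeblow", "haxx0r@evil.com", t0)
    print("notice goes to:", svc.send_security_notice("joeblow", t0 + timedelta(days=1),
                                                      "Please change your password."))
    print("reverted:", svc.revert_email("joeblow", token, t0 + timedelta(days=1)))
    print("current address:", svc.accounts["joeblow"].email)
```

The notice in the thread's scenario now reaches joe@example.com as well as the attacker's address, and the revert token lets the real owner undo the change and log the attacker out without going through support.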
Re: (Score:2)
And I bet Spotify probably does. What probably happened was people used the same password for Spotify that they did somewhere else.
Re: (Score:2)
I hereby rescind my outrage
Re: (Score:3)
And P.S. Since this is 2016, those had better be salted hashes. Not only do they make for better breakfast, they make better security too.
Meh could be (Score:4, Interesting)
Based on the redacted pastebin data, it's not clear to me what the source is. This looks like output of a script.
What if the scenario really is, account information stolen from other sites is being tried against Spotify accounts with the same email address, and scraping account information when it hits? That looks easily as likely to me.
If that is what's going on, then Spotify is right, they are not being hacked at all, their users are being compromised based on data taken from somewhere else.
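The scenario this post describes (credentials from another site's breach replayed against many accounts, with the hits harvested) leaves a recognisable shape in the service's own login audit log, which is where a defender would look before deciding whether "not hacked" is the whole story. The following is an added example, not Spotify's code and not from the poster: a sliding-window detector over constructed sample log lines (the line format and thresholds are assumptions) that flags a source trying many distinct accounts with a low success rate, and lists the accounts it actually got into so they can be force-reset and notified.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample of login-audit lines (not real logs). One source address
# walks through many different accounts in a short burst, mostly failing; the
# occasional OK is a password reused from some other site's breach. The other
# two sources are ordinary users, one of whom mistypes her password twice.
SAMPLE_LOG = """
2016-04-25T10:00:01Z ip=203.0.113.5 user=alice@example.com result=FAIL
2016-04-25T10:00:02Z ip=203.0.113.5 user=bob@example.com result=OK
2016-04-25T10:00:02Z ip=203.0.113.5 user=carol@example.com result=FAIL
2016-04-25T10:00:03Z ip=203.0.113.5 user=dave@example.com result=FAIL
2016-04-25T10:00:04Z ip=203.0.113.5 user=erin@example.com result=FAIL
2016-04-25T10:00:05Z ip=203.0.113.5 user=frank@example.com result=OK
2016-04-25T10:00:05Z ip=203.0.113.5 user=grace@example.com result=FAIL
2016-04-25T10:00:06Z ip=203.0.113.5 user=heidi@example.com result=FAIL
2016-04-25T10:01:10Z ip=198.51.100.7 user=alice@example.com result=FAIL
2016-04-25T10:01:25Z ip=198.51.100.7 user=alice@example.com result=FAIL
2016-04-25T10:01:40Z ip=198.51.100.7 user=alice@example.com result=OK
2016-04-25T10:02:00Z ip=192.0.2.9 user=ivan@example.com result=OK
""".strip().splitlines()

LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one audit line; unknown formats are skipped rather than crashing."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "ip": m["ip"],
        "user": m["user"],
        "ok": m["result"] == "OK",
    }


def flag_credential_stuffing(lines, min_distinct_users: int = 5,
                             max_success_ratio: float = 0.5,
                             window: timedelta = timedelta(minutes=10)) -> Dict[str, dict]:
    """Per source IP, slide a time window over its attempts and flag the IP
    when the window covers at least `min_distinct_users` different accounts
    and most attempts fail. One user retrying their own password never trips it."""
    by_ip = defaultdict(list)
    for e in filter(None, map(parse_line, lines)):
        by_ip[e["ip"]].append(e)

    flagged: Dict[str, dict] = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        users, successes, left = Counter(), 0, 0
        for right, e in enumerate(events):
            users[e["user"]] += 1
            successes += e["ok"]
            while e["ts"] - events[left]["ts"] > window:   # drop events that fell out of the window
                old = events[left]
                users[old["user"]] -= 1
                if users[old["user"]] == 0:
                    del users[old["user"]]
                successes -= old["ok"]
                left += 1
            attempts = right - left + 1
            if len(users) >= min_distinct_users and successes / attempts <= max_success_ratio:
                prev = flagged.get(ip)
                if prev is None or len(users) > prev["distinct_users"]:   # keep the widest window seen
                    flagged[ip] = {
                        "distinct_users": len(users),
                        "attempts": attempts,
                        "successes": successes,
                        "hit_accounts": sorted(x["user"] for x in events[left:right + 1] if x["ok"]),
                    }
    return flagged


def accounts_needing_reset(lines) -> List[str]:
    """Accounts a flagged source actually logged into: force a password reset
    and notify the owner, regardless of whether the service itself was breached."""
    hits = set()
    for info in flag_credential_stuffing(lines).values():
        hits.update(info["hit_accounts"])
    return sorted(hits)


if __name__ == "__main__":
    for ip, info in flag_credential_stuffing(SAMPLE_LOG).items():
        print(ip, info)
    print("reset:", accounts_needing_reset(SAMPLE_LOG))
```

Real campaigns spread attempts across many source addresses, so the same window logic is usually also keyed on other attributes (user agent, ASN, device fingerprint); the per-IP version here is the simplest instance of the idea.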
Re: (Score:3)
Or it's the result of a successful spear-phishing campaign directly against the users.
Re: (Score:2)
True.... one thing is undeniably true though. The script was written by a shit coder who echoes everything out in a human readable mess rather than spitting CSV output like someone who actually had spent two minutes thinking about what he was going to do with it.
Re: (Score:2)
I was about to say, it seems like it must be a phishing thing.
Nothing to see here, please move along (Score:2)
https://www.youtube.com/watch?... [youtube.com]
Proper Response (Score:2)
Also, for anyone not making the connection:
> The unknown party reset their email address, deleted a playlist, saved music to their device, and started following a new playlist.
Key.... started following a new playlist. So they are listening to it. Good.
Does anyone else not see how this situation is what the Hamster Dance was made for?
Spoofed login page? (Score:2)
This could get much worse. (Score:2)
Depending on the breach or hack, in a hit-and-run they got passwords. If they set themselves up on the server for a period of time (by Spotify's very nature) it could cause unforeseeable damage to the users.
From the ToS
7 Rights you grant us
"In consideration for the rights granted to you under the Agreements, you grant us the right (1) to allow the Spotify Service to use the processor, bandwidth, and storage hardware on your Device in order to facilitate the operation of the Service"
https://www.spotify.com/us/leg. [spotify.com]
Highly doubt it's a breach (of spotify) (Score:1)
Based upon the pastebin data, I doubt that any sort of breach has happened to Spotify unless the leaker specifically chose the people with the least complex passwords to reveal.
Look at the data. Only 1 user with a 13 character password. Something along the lines of . Most are under 10 characters long. Only 3 passwords used a hyphen in them. The REST all only used alphabet and numbers 0-9. This sounds like brute-force or dictionary attacking of Spotify, as others have said, probably with a cross list from ano
Who's got spare time? (Score:3)
To log in to all these accounts and replace all the songs on all their playlists with Rick Astley?
Re: (Score:2)
Tried that but then I saw the playlists. Trust me, Rick would have been an improvement.
Unexpected Benefit (Score:1)
The most annoying thing... (Score:2)
So which is it? (Score:2)
FTA:
"Spotify has not been hacked and our user records are secure. We monitor Pastebin and other sites regularly. When we find Spotify credentials, we first verify that they are authentic, and if they are, we immediately notify affected users to change their passwords."
Soo, if the site has not been hacked and user accounts are secure, then how are the credentials getting onto pastebin? Is Spotify giving them away voluntarily?
Suuure (Score:2)
We monitor Pastebin and other sites regularly.
Really?
Oh ya, we have a whole fleet of guys just sitting there hitting F5 all day and night.
This lady must think we're pretty stupid.
Pastebin is their only security method? (Score:2)
The response that they check pastebin regularly indicates a poor level of security. Doesn't that compare to using Kijiji to see if you've been robbed recently?
Oh, and the password complexity... As someone who works in IT and has seen the passwords real people use, the ones I saw in the pastebin are about right for the length, complexity, etc. These are just people listening to music, not IT workers or similar with better practices.