Please create an account to participate in the Slashdot moderation system

 


Forgot your password?
Close
typodupeerror
×
Security Music

Spotify Denies User Details Hacked After Passwords Show Up Online (mashable.com) 39

Posted by msmash from the tuesday-security-woes dept.
Not long ago a list of hundreds of Spotify subscribers was dumped on Pastebin. The list included email addresses, usernames, passwords, account type, and plenty of other details. Also, TechCrunch independently confirmed that some of the credentials listed were indeed legit. The music streaming service is now assuring users that there was no "large-scale" hack. Samantha Murphy Kelly, reporting for Mashable:It appears that some accounts were compromised in the past few days. According to the report, some Spotify users discovered their passwords and email addresses attached to accounts were recently changed without authorization. Others spotted new songs saved to playlists they didn't manually add. Despite users reporting shady activity, Spotify told Mashable it denies it is a part of a large-scale hack. "Spotify has not been hacked and our user records are secure. We monitor Pastebin and other sites regularly. When we find Spotify credentials, we first verify that they are authentic, and if they are, we immediately notify affected users to change their passwords."
This discussion has been archived. No new comments can be posted.

Spotify Denies User Details Hacked After Passwords Show Up Online More

Spotify Denies User Details Hacked After Passwords Show Up Online

Comments Filter:

  • so people can know if their credentials are out there.

    the ne'er do wells are going to find it anyway ffs.

  • Yeah, sure you do... (Score:3)

    by sconeu ( 64226 ) on Tuesday April 26, 2016 @03:16PM (#51991141) Homepage Journal

    When we find Spotify credentials, we first verify that they are authentic, and if they are, we immediately notify affected users to change their passwords

    This assumes that the cracker has not changed the contact info for the affected account.

    ---
    [cracker]: I've cracked Joe Blow. Change contact to haxx0r@evil.com
    [Spotify]: To: haxx0r@evil.com. Dear Joe Blow, please change your password.
    [cracker]: Mwa-ha-ha!!!

    • Better damage control would revert changed email addresses on the affected accounts.

      • Of course being that this is 2016 and not 1986, even better would be to only store password hashes, not actual passwords (be they encrypted or not) in any file or database...

        • And I bet Spotify probably does. What probably happened was people used the same password for Spotify that they did somewhere else.

          • That actually makes sense, I would guess/hope that a major tier Web destination like spotify would be hashing and salting..
            I hearby rescind my outrage

        • And P.S. Since this is 2016, those had better be salted hashes. Not only do they make for better breakfast, they make better security too.

  • Meh could be (Score:4, Interesting)

    by TheCarp ( 96830 ) <sjc@NospAM.carpanet.net> on Tuesday April 26, 2016 @03:19PM (#51991159) Homepage

    Based on the redacted pastebin data, its not clear to me what the source is. This looks like output of a script.

    What if the scenario really is, account information stolen from other sites is being tried against spotify accounts with the same email address, and scraping account information when it hits? That looks easily as likely to me.

    If that is whats going on, then spotify is right, they are not being hacked at all, their users are being comproimised based on data taken from somewhere else.

    • Re: (Score:3)

      by halivar ( 535827 )

      Or it's the result of a successful spearfishing campaign directly against the users.

      • Re: (Score:2)

        by TheCarp ( 96830 )

        True.... one thing is undeniably true though. The script was written by a shit coder who echos everything out in a human readable mess rather than spitting CSV output like someone who actually had spent two minutes thinking about what he was going to do with it.

  • Also, for anyone not making the connection:
    > The unknown party reset their email address, deleted a playlist, saved music to their device, and started following a new playlist.

    Key.... started following a new playlist. So they are listening to it. Good.

    Does anyone else not see how this situation is what the Hampster Dance was made for.

  • Surely there are some spoofed emails with fake login pages floating around. You could phish usernames and passwords without having to actually hack the official site or service. I'm with Spotify on this one. Leaked usernames/passwords does not necessarily mean the service was hacked.

  • Depending on the breach or hack, a hit and run they got passwords. If they set themselves on the server for a period of time (by Spotify's very nature) it could cause unforeseeable damage to the users.

    From the ToS

    7 Rights you grant us

    "In consideration for the rights granted to you under the Agreements, you grant us the right (1) to allow the Spotify Service to use the processor, bandwidth, and storage hardware on your Device in order to facilitate the operation of the Service"
    https://www.spotify.com/us/leg. [spotify.com]

  • Based upon the pastebin data, I doubt that any sort of breach has happened to spotify unless the leaker specifically chose the people with the least complex passwords to reveal.

    Look at the data. only 1 user with a 13 character password. Something along the lines of . Most are under 10 characters long. Only 3 passwords used a hyphen in them. The REST all only used alphabet and numbers 0-9. This sounds like bruteforce or dictionary attacking of spotify, as others have said, probably with a cross list from ano

  • Who's got spare time? (Score:3)

    by viperidaenz ( 2515578 ) on Tuesday April 26, 2016 @05:29PM (#51992099)

    To log in to all these accounts and replace all the songs on all their play lists with Rick Astley?

  • On the bright side, we now have free access to many more good playlists...
  • I was hacked, and I found out when Spotify told me my music was playing in "Luke's Van". These guys had been listening to gangsta rap by the truckload. The worst thing is that my Discover Weekly recommendations are all screwed; this was the single feature I liked the most about my account - good music recommendations. An email to and response from Spotify customer support says that there's nothing they can do about resetting my tastes. Thanks Spotify - I now hope google or Amazon comes and eats your cake

  • FTA:

    "Spotify has not been hacked and our user records are secure. We monitor Pastebin and other sites regularly. When we find Spotify credentials, we first verify that they are authentic, and if they are, we immediately notify affected users to change their passwords."

    Soo, if the site has not been hacked and user accounts are secure, then how are the credentials getting onto pastebin? Is Spotify giving them away voluntarily?

  • We monitor Pastebin and other sites regularly.

    Really?

    Oh ya, we have a whole fleet of guys just sitting there hitting F5 all day and night.

    This lady must think were pretty stupid.

  • The response that they check pastebin regularly indicates a poor level of security. Doesn't that compare to using Kijiji to see if you've been robbed recently?

    Oh, and the password complexity... As someone who works in IT and has seen the passwords real people use, the ones I saw in the pastebin are about right for the length, complexity, etc. These are just people listening to music, not IT workers or similar with better practices.

Slashdot Top Deals

There are two ways to write error-free programs; only the third one works.

Close