Security IT

After Breaches At Other Services, Spotify Is Resetting Users' Passwords (vice.com) 33

And now, Spotify is asking its users to reset their passwords. The popular music streaming service is "actively resetting a number of users' passwords," Motherboard reports, adding that the company is doing this because of the data breaches at other services and websites. In an email to customers, the company said, "Don't worry! This is purely a preventative security measure. Nobody has accessed your Spotify account, and your data is secure." The move comes less than a week after Dropbox began resetting its users' passwords. Earlier today we learned that the cloud storage had been hacked, and as many as 68 million accounts are affected.
  • Well (Score:4, Funny)

    by JustOK ( 667959 ) on Wednesday August 31, 2016 @02:03PM (#52804125) Journal
    Just changed mine. Gosh, with all these breaches, I'm up to "hunter10224"
  • Last Post (Score:5, Interesting)

    by archer, the ( 887288 ) on Wednesday August 31, 2016 @02:05PM (#52804135)
    With all of the breaches lately, I think it's time to get rid of the less important accounts. Adios!
    • by Anonymous Coward

      With all of the breaches lately, I think it's time to get rid of the less important accounts. Adios!

      Unfortunately, on a lot of websites there is no automated way to delete an account. Instead of pressing a button to delete an account, you need to contact customer service. Of course, contacting customer service can be a frustrating, time-consuming process...

    • by swell ( 195815 )

      "time to get rid of the less important accounts"

      Instead of such a drastic measure, consider using a different username and password for each account. That way a hack of one account is far less likely to affect the others. It may also be slightly more difficult for trackers to link all your activities, locations and perversions. As mentioned here countless times, a password manager makes this easy, safe and convenient. Additionally, if it is a "less important account", why would you care if it is hacked?

      It i

      • I actually do use different names and passwords for each account. The email address doesn't change though, which means someone could try using it on other sites to try getting my username and resetting my password at those other sites.

        Even less important accounts can have serious side effects if compromised. Say someone got hold of my /. account. No, they can't drain my bank account, but they could post stuff so threatening that law enforcement comes knocking on my door. After legwork and legal fees, I wo
  • Excellent. Exactly what we, the hackers, wanted. Now we can watch all of the users reset their passwords with the keylogger we inserted years ago.

    Eeeeexcellent. Smithers, release the activation metadata!

  • by Anonymous Coward

    I thought this has been considered bad practice for a while now. At the beginning of the month Schneier even posted about research that suggests having users change their passwords often reduces security as the vast majority of the public are likely going to do some form of transformation of the existing password. Spotify has a huge userbase, having them all change their passwords is just perpetuating the idea (and annoyance) that frequent password changes increase security, when it actually has an opposite

    • It's not security theater to reset the password to someone's Spotify account when they use that same password on another site that had their passwords leaked. Even a poor password caused by changing it too often is more secure than a known compromised one.
      • And what if Spotify has in fact been breached and they are monitoring for just this action in order to verify the likely changes? Hack one site, get the username and pw database, hack a second site but wait until the breach from the first becomes public knowledge and people start changing their passwords (on their own or worse if universally forced by the second site admins) then collect the data and you have most likely established the password migration pattern for several of those users.
  • I don't really care if my account were to be compromised so I use something I can remember easily.
  • If there was no breach then there is no need to force a password reset. It's an unnecessary annoyance that does not add security at all. If a hack takes place after the resets the information is still stolen, and now you need to reset it again. This never makes sense to me. It seems like a knee-jerk reaction to "do something so it looks like we care".
    • by ioev ( 4345525 )
      Agreed. I use a different password on every site I have an account for, yet I often use the same email address as a login. If all of those sites forced me to change my password when one of the sites was breached, it would be a huge hassle for essentially nothing.
    • Comment removed based on user account deletion
    • by gsslay ( 807818 )
      Dear Spotify user,

      Following recent security breaches at Dropbox we are resetting your password. Do not worry, you haven't been hacked. This is just for your security. I'm sure you've read about it in all the news, so you know this is all true, above board and nothing to be suspicious about.

      Please follow this link to confirm your user name, old password, and new password.

      Yours, Drop box security team.

  • Earlier today we learned that the cloud storage had been hacked, and as many as 68 million accounts are affected.

    The Dropbox hack was from 2012, we all knew they were hacked.
