Slashdot Mirror


Spotify Denies User Details Hacked After Passwords Show Up Online (mashable.com)

Not long ago a list of hundreds of Spotify subscribers was dumped on Pastebin. The list included email addresses, usernames, passwords, account type, and plenty of other details. Also, TechCrunch independently confirmed that some of the credentials listed were indeed legit. The music streaming service is now assuring users that there was no "large-scale" hack. Samantha Murphy Kelly, reporting for Mashable: It appears that some accounts were compromised in the past few days. According to the report, some Spotify users discovered their passwords and email addresses attached to accounts were recently changed without authorization. Others spotted new songs saved to playlists they didn't manually add. Despite users reporting shady activity, Spotify told Mashable it denies it is a part of a large-scale hack. "Spotify has not been hacked and our user records are secure. We monitor Pastebin and other sites regularly. When we find Spotify credentials, we first verify that they are authentic, and if they are, we immediately notify affected users to change their passwords."

39 comments

  1. maybe a link to the pastebin by AvitarX · · Score: 1

    so people can know if their credentials are out there.

    the ne'er do wells are going to find it anyway ffs.

    --
    Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
    1. Re:maybe a link to the pastebin by sconeu · · Score: 4, Informative

      You could try Have I Been Pwned?

      https://haveibeenpwned.com/

      --
      General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
    2. Re:maybe a link to the pastebin by Anonymous Coward · · Score: 0

      Pastebin deleted it, Google has it cached for now.

    3. Re:maybe a link to the pastebin by Anonymous Coward · · Score: 0

      yep, put there your login and password to check it out!

    4. Re:maybe a link to the pastebin by AvitarX · · Score: 1

      it didn't ask for a password, just an e-mail.

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
    5. Re:maybe a link to the pastebin by Cro+Magnon · · Score: 1

      yep, put there your login and password to check it out!

      LOL!

      "Have I been pwned?"
      "You have now!"

      --
      Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
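
The sub-thread above turns on the fact that Have I Been Pwned asks for an e-mail address, not a password. The same service can also answer "has this password been seen in a breach?" without the password, or even its full hash, ever leaving the client: the client sends the first five hex characters of the SHA-1 and matches the rest locally against the returned suffixes. The Python below is an added example written for this mirror, not code from Have I Been Pwned, Spotify or any commenter. The range-API URL shape and the "SUFFIX:COUNT" response format are the real Pwned Passwords service's; the corpus, the breach counts and the `fake_fetch_range` transport are constructed here so the block runs offline.

```python
"""Check a candidate password against a breached-password corpus by k-anonymity.

Added example; not code from Have I Been Pwned, Spotify or any commenter.
Scheme: hash the password with SHA-1, send only the first 5 hex characters,
receive every known suffix under that prefix with a breach count
("SUFFIX:COUNT" per line), and match the suffix locally. That is the shape of
the real Pwned Passwords range API (GET https://api.pwnedpasswords.com/range/<prefix>);
the corpus, counts and fake_fetch_range transport below are constructed.
"""
import hashlib
from typing import Callable, Dict, Tuple

PREFIX_LEN = 5   # 20 bits of the 160-bit SHA-1 are revealed; the rest stays local


def sha1_hex_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest_hex: str) -> Tuple[str, str]:
    return digest_hex[:PREFIX_LEN], digest_hex[PREFIX_LEN:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; malformed lines are ignored."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.isdigit() and len(suffix) == 40 - PREFIX_LEN:
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times this password appears in the corpus (0 = never seen).
    Only the prefix goes over the wire; the suffix match happens client-side."""
    prefix, suffix = split_hash(sha1_hex_upper(password))
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def acceptable_password(password: str, fetch_range: Callable[[str], str],
                        min_length: int = 8) -> bool:
    """Signup / password-change policy: long enough and never seen in a breach."""
    return len(password) >= min_length and breach_count(password, fetch_range) == 0


# Constructed corpus standing in for the real list: password -> times seen.
# Two of these are quoted later in the thread; the counts are invented here.
CONSTRUCTED_CORPUS = {"password": 3730471, "welcome1": 190000, "asdasd": 120000}


def fake_fetch_range(prefix: str) -> str:
    """Stand-in for GET /range/<prefix>. Returns SUFFIX:COUNT for every corpus entry
    whose hash starts with `prefix`, plus constructed filler lines so the answer is
    never a single line that would give away which entry matched."""
    lines = []
    for pw, count in CONSTRUCTED_CORPUS.items():
        p, s = split_hash(sha1_hex_upper(pw))
        if p == prefix:
            lines.append(f"{s}:{count}")
    for i in range(3):
        lines.append(f"{sha1_hex_upper(f'filler-{prefix}-{i}')[PREFIX_LEN:]}:{i + 1}")
    return "\n".join(lines)


if __name__ == "__main__":
    for candidate in ["welcome1", "correct horse battery staple"]:
        seen = breach_count(candidate, fake_fetch_range)
        verdict = "acceptable" if acceptable_password(candidate, fake_fetch_range) else "rejected"
        print(f"{candidate!r}: seen {seen} times -> {verdict}")
```

Swapping `fake_fetch_range` for a real HTTP GET of the range URL is the only change needed to run this against the live service; the client-side logic is identical either way.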
  2. Yeah, sure you do... by sconeu · · Score: 2

    When we find Spotify credentials, we first verify that they are authentic, and if they are, we immediately notify affected users to change their passwords

    This assumes that the cracker has not changed the contact info for the affected account.

    ---
    [cracker]: I've cracked Joe Blow. Change contact to haxx0r@evil.com
    [Spotify]: To: haxx0r@evil.com. Dear Joe Blow, please change your password.
    [cracker]: Mwa-ha-ha!!!

    --
    General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
    1. Re:Yeah, sure you do... by omnichad · · Score: 1

      Better damage control would revert changed email addresses on the affected accounts.

    2. Re:Yeah, sure you do... by s122604 · · Score: 2

      Of course being that this is 2016 and not 1986, even better would be to only store password hashes, not actual passwords (be they encrypted or not) in any file or database...

    3. Re:Yeah, sure you do... by omnichad · · Score: 1

      And I bet Spotify probably does. What probably happened was people used the same password for Spotify that they did somewhere else.

    4. Re:Yeah, sure you do... by omnichad · · Score: 2

      And P.S. Since this is 2016, those had better be salted hashes. Not only do they make for better breakfast, they make better security too.

    5. Re:Yeah, sure you do... by s122604 · · Score: 1

      That actually makes sense, I would guess/hope that a major tier Web destination like spotify would be hashing and salting.
      I hereby rescind my outrage

  3. Meh could be by TheCarp · · Score: 3, Interesting

    Based on the redacted pastebin data, it's not clear to me what the source is. This looks like output of a script.

    What if the scenario really is, account information stolen from other sites is being tried against spotify accounts with the same email address, and scraping account information when it hits? That looks easily as likely to me.

    If that is what's going on, then spotify is right, they are not being hacked at all, their users are being compromised based on data taken from somewhere else.

    --
    "I opened my eyes, and everything went dark again"
    1. Re:Meh could be by halivar · · Score: 2

      Or it's the result of a successful spear-phishing campaign directly against the users.

    2. Re:Meh could be by TheCarp · · Score: 1

      True.... one thing is undeniably true though. The script was written by a shit coder who echoes everything out in a human readable mess rather than spitting CSV output like someone who actually had spent two minutes thinking about what he was going to do with it.

      --
      "I opened my eyes, and everything went dark again"
    3. Re:Meh could be by Anonymous Coward · · Score: 0

      Now we can spend our valuable time awking the dump back to csv format.

    4. Re:Meh could be by Anonymous Coward · · Score: 0

      It's output from a tool that takes a list of usernames and passwords from one service and tries them against another service. So Spotify is right in saying they weren't hacked in the sense that this list didn't come from a breach of their user DB. Doesn't make much difference to the affected users of course, but then, maybe they shouldn't be using the same password everywhere.
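
TheCarp and the Anonymous Coward just above describe credential stuffing: a tool replays username/password pairs from some other breach against Spotify and keeps the ones that work. From the service's side that pattern is visible in its own authentication logs, and looking for it is the check that separates "our users were stuffed with reused passwords" from "our database leaked". The Python below is an added example for this mirror, not Spotify's code or log format: the log lines, the thresholds, the IP addresses (RFC 5737 test ranges) and the accounts are all constructed here.

```python
"""Flag credential-stuffing patterns in a service's own authentication log.

Added example; not Spotify's code or log format. Log lines, thresholds,
addresses (RFC 5737 test ranges) and accounts are constructed here.
Stuffing looks like: one source, many *different* accounts, roughly one try
each, mostly failing; the few successes are accounts whose owners reused a
password leaked somewhere else. A leak of the service's own database produces
nothing like this in its logs, which is why the check is worth running.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import re
from typing import Dict, List, Optional, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample log: one stuffing source, one user who mistyped their own
# password twice, and one ordinary user.
SAMPLE_LOG = """\
2016-04-25T10:00:01Z ip=203.0.113.7 user=alice@example.com result=FAIL
2016-04-25T10:00:02Z ip=203.0.113.7 user=bob@example.com result=FAIL
2016-04-25T10:00:03Z ip=203.0.113.7 user=carol@example.com result=OK
2016-04-25T10:00:04Z ip=203.0.113.7 user=dave@example.com result=FAIL
2016-04-25T10:00:05Z ip=203.0.113.7 user=erin@example.com result=FAIL
2016-04-25T10:00:06Z ip=203.0.113.7 user=frank@example.com result=FAIL
2016-04-25T10:00:07Z ip=203.0.113.7 user=grace@example.com result=OK
2016-04-25T10:00:08Z ip=203.0.113.7 user=heidi@example.com result=FAIL
2016-04-25T10:00:09Z ip=203.0.113.7 user=ivan@example.com result=FAIL
2016-04-25T10:01:00Z ip=198.51.100.4 user=alice@example.com result=FAIL
2016-04-25T10:01:30Z ip=198.51.100.4 user=alice@example.com result=FAIL
2016-04-25T10:02:00Z ip=198.51.100.4 user=alice@example.com result=OK
2016-04-25T10:03:00Z ip=192.0.2.9 user=bob@example.com result=OK
2016-04-25T10:04:00Z ip=192.0.2.9 user=bob@example.com result=OK
"""


@dataclass
class SourceStats:
    """Counters for one (source IP, time bucket)."""
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)
    hits: list = field(default_factory=list)   # accounts this source got into


def parse_line(line: str) -> Optional[Tuple[datetime, str, str, bool]]:
    m = LINE_RE.match(line.strip())
    if m is None:
        return None   # unparseable line: skip it, never crash the detector
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["ip"], m["user"], m["result"] == "OK"


def detect_stuffing(log_text: str, window: timedelta = timedelta(minutes=10),
                    min_users: int = 5, min_fail_ratio: float = 0.75) -> Dict[str, dict]:
    """Return {ip: report} for sources that, inside one fixed time bucket, tried at
    least `min_users` distinct accounts with a failure ratio >= `min_fail_ratio`.
    Buckets are fixed-width (ts // window), so a run straddling a boundary is
    split; a sliding window would catch that at the cost of more bookkeeping.
    Real campaigns fail far more often than 75%; the threshold is deliberately lax."""
    buckets: Dict[Tuple[str, int], SourceStats] = defaultdict(SourceStats)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, user, ok = parsed
        bucket = int(ts.timestamp() // window.total_seconds())
        s = buckets[(ip, bucket)]
        s.attempts += 1
        s.users.add(user)
        if ok:
            s.hits.append(user)
        else:
            s.failures += 1

    merged: Dict[str, dict] = {}
    for (ip, _), s in buckets.items():
        if len(s.users) < min_users or s.failures / s.attempts < min_fail_ratio:
            continue
        r = merged.setdefault(ip, {"attempts": 0, "failures": 0, "users": set(), "compromised": set()})
        r["attempts"] += s.attempts
        r["failures"] += s.failures
        r["users"] |= s.users
        r["compromised"] |= set(s.hits)
    return {
        ip: {"attempts": r["attempts"], "failures": r["failures"],
             "distinct_users": len(r["users"]), "compromised": sorted(r["compromised"])}
        for ip, r in merged.items()
    }


def accounts_needing_reset(flagged: Dict[str, dict]) -> List[str]:
    """Accounts a flagged source actually logged into: force a password reset and
    notify the contact address that was on file *before* the suspicious session,
    since the attacker may have changed it afterwards (sconeu's point above)."""
    return sorted({user for r in flagged.values() for user in r["compromised"]})


if __name__ == "__main__":
    report = detect_stuffing(SAMPLE_LOG)
    for ip, r in report.items():
        print(f"{ip}: {r['distinct_users']} accounts tried, {r['failures']}/{r['attempts']} failed, "
              f"got into {r['compromised']}")
    print("force reset:", accounts_needing_reset(report))
```

Run over the constructed `SAMPLE_LOG`, only 203.0.113.7 is flagged; the user who fat-fingered their own password twice from 198.51.100.4 hits one account, not five, and is left alone.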

  4. Spotify employs someone to check EVERY pastebin? by Anonymous Coward · · Score: 0

    You have to admire the fucking singularity-like balls it would take to make a claim like that with a straight face. I suppose they have a separate employee checking every subreddit, every Slashdot post and every other corner of the Internet for evidence of their shoddy security?

  5. Not Newsworthy by Anonymous Coward · · Score: 0

    There is no reason an article about less than 250 obviously phished accounts should be on the front page of slashdot.

    1. Re:Not Newsworthy by SumDog · · Score: 1

      I was about to say, it seems like it must be a Phishing thing.

  6. Nothing to see here, please move along by NotDrWho · · Score: 1
    --
    SJW's don't eliminate discrimination. They just expropriate it for themselves.
  7. Proper Response by TheCarp · · Score: 1

    Also, for anyone not making the connection:
    > The unknown party reset their email address, deleted a playlist, saved music to their device, and started following a new playlist.

    Key.... started following a new playlist. So they are listening to it. Good.

    Does anyone else not see how this situation is what the Hamster Dance was made for?

    --
    "I opened my eyes, and everything went dark again"
  8. Re:Spotify employs someone to check EVERY pastebin by Anonymous Coward · · Score: 0

    Because computers can't be used to automate repetitive tasks.

  9. Password reuse by Anonymous Coward · · Score: 0

    Either they were hacked, or this is just another instance of password re-use similar to the supposed gmail hack a couple years ago that was nothing more than a combination of other compromised password lists grep'd to only show gmail addresses for sensationalism. The passwords that worked were only because of password re-use.

  10. Spoofed login page? by wardrich86 · · Score: 1

    Surely there are some spoofed emails with fake login pages floating around. You could phish usernames and passwords without having to actually hack the official site or service. I'm with Spotify on this one. Leaked usernames/passwords does not necessarily mean the service was hacked.

  11. This could get much worse. by Trax3001BBS · · Score: 1

    Depending on the breach or hack, a hit and run they got passwords. If they set themselves on the server for a period of time (by Spotify's very nature) it could cause unforeseeable damage to the users.

    From the ToS

    7 Rights you grant us

    "In consideration for the rights granted to you under the Agreements, you grant us the right (1) to allow the Spotify Service to use the processor, bandwidth, and storage hardware on your Device in order to facilitate the operation of the Service"
    https://www.spotify.com/us/leg...

    As open as they were about this breach, they may never take or mention any steps taken to protect its users.

  12. Highly doubt it's a breach (of spotify) by Szeraax · · Score: 1

    Based upon the pastebin data, I doubt that any sort of breach has happened to spotify unless the leaker specifically chose the people with the least complex passwords to reveal.

    Look at the data. only 1 user with a 13 character password. Something along the lines of . Most are under 10 characters long. Only 3 passwords used a hyphen in them. The REST all only used alphabet and numbers 0-9. This sounds like brute-force or dictionary attacking of spotify, as others have said, probably with a cross list from another actual breach.

  13. Who's got spare time? by viperidaenz · · Score: 2

    To log in to all these accounts and replace all the songs on all their play lists with Rick Astley?

    1. Re:Who's got spare time? by Alumoi · · Score: 1

      Tried that but then I saw the playlists. Trust me, Rick would have been an improvement.

  14. Re:Spotify employs someone to check EVERY pastebin by Anonymous Coward · · Score: 0

    Apparently not, seeing as how they admitted themselves they have someone checking the site manually.

    What point were you trying to make, exactly? Besides pointing out that you're a pedantic little wank-stain who should have stayed in his daddy's sock drawer?

  15. Unexpected Benefit by npslider · · Score: 1

    On the bright side, we now have free access to many more good playlists...

  16. The most annoying thing... by OlivierB · · Score: 1

    I was hacked, and I found out when Spotify told me my music was playing in "Luke's Van". These guys had been listening to gangsta rap by the truckload. The worst thing is that my Discover Weekly recommendations are all screwed; this was the single feature I liked the most about my account - good music recommendations. An email to and response from Spotify customer support says that there's nothing they can do about resetting my tastes. Thanks Spotify - I now hope google or Amazon comes and eats your cake

    --
    Artificial intelligence is no match for natural stupidity
  17. So which is it? by CCarrot · · Score: 1

    FTA:

    "Spotify has not been hacked and our user records are secure. We monitor Pastebin and other sites regularly. When we find Spotify credentials, we first verify that they are authentic, and if they are, we immediately notify affected users to change their passwords."

    Soo, if the site has not been hacked and user accounts are secure, then how are the credentials getting onto pastebin? Is Spotify giving them away voluntarily?

    --
    "I love animals! Some are cute, others are tasty, what's not to like?" - Betsy Schroeder, Jeopardy contestant
    1. Re:So which is it? by Anonymous Coward · · Score: 0

      FTA:

      Soo, if the site has not been hacked and user accounts are secure, then how are the credentials getting onto pastebin? Is Spotify giving them away voluntarily?

      has it not occurred to you that there are other ways to get a user's password other than hacking into the service provider? Given that it is a relatively small list, and not a list of thousands or millions of users, it seems unlikely that these actually came from Spotify. Either the passwords have been guessed by brute-force, users' devices have been hacked/keylogged, or email addresses and passwords have been collected from another compromised site and the users have reused them on spotify.

  18. Suuure by tom229 · · Score: 1

    We monitor Pastebin and other sites regularly.

    Really?

    Oh ya, we have a whole fleet of guys just sitting there hitting F5 all day and night.

    This lady must think we're pretty stupid.

    --
    If it ain't broke, don't fix it.
  19. Bullshit by Anonymous Coward · · Score: 0

    I was on that list. They did NOT notify me, in fact they told me they wanted my account details AFTER they shut me out of my account. They refused to call me. They refused to discuss the hack. If they do monitor Pastebin, they do zero when there is a breach. As of noon today, my login information was still available on Pastebin. Not only is their security horrible, but they LIED about their response to affected customers. I canceled my account, and if you value your identity, you will too.

  20. What are your favorite passwords there? by Anonymous Coward · · Score: 0

    Here are some of my favorites this far:

    asdasd
    orgasm1
    3634
    notmuch
    imac12
    more10
    please123
    welcome1

    Even if these fabulous passwords were hashed, it must have taken negative five seconds to brute 'em...

    1. Re:What are your favorite passwords there? by Anonymous Coward · · Score: 0

      Phew, my luggage is safe, I don't see my password!

  21. Pastebin is their only security method? by labradort · · Score: 1

    The response that they check pastebin regularly indicates a poor level of security. Doesn't that compare to using Kijiji to see if you've been robbed recently?

    Oh, and the password complexity... As someone who works in IT and has seen the passwords real people use, the ones I saw in the pastebin are about right for the length, complexity, etc. These are just people listening to music, not IT workers or similar with better practices.