Slashdot Mirror

← Back to Stories (view on slashdot.org)

Spotify Denies User Details Hacked After Passwords Show Up Online (mashable.com)

Posted by msmash on from the tuesday-security-woes dept.

Not long ago a list of hundreds of Spotify subscribers was dumped on Pastebin. The list included email addresses, usernames, passwords, account type, and plenty of other details. Also, TechCrunch independently confirmed that some of the credentials listed were indeed legit. The music streaming service is now assuring users that there was no "large-scale" hack. Samantha Murphy Kelly, reporting for Mashable:It appears that some accounts were compromised in the past few days. According to the report, some Spotify users discovered their passwords and email addresses attached to accounts were recently changed without authorization. Others spotted new songs saved to playlists they didn't manually add. Despite users reporting shady activity, Spotify told Mashable it denies it is a part of a large-scale hack. "Spotify has not been hacked and our user records are secure. We monitor Pastebin and other sites regularly. When we find Spotify credentials, we first verify that they are authentic, and if they are, we immediately notify affected users to change their passwords."

7 of 39 comments (clear)

  1. Yeah, sure you do... by sconeu · · Score: 2

    When we find Spotify credentials, we first verify that they are authentic, and if they are, we immediately notify affected users to change their passwords

    This assumes that the cracker has not changed the contact info for the affected account.

    ---
    [cracker]: I've cracked Joe Blow. Change contact to haxx0r@evil.com
    [Spotify]: To: haxx0r@evil.com. Dear Joe Blow, please change your password.
    [cracker]: Mwa-ha-ha!!!

    --
    General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
    1. Re:Yeah, sure you do... by s122604 · · Score: 2

      Of course being that this is 2016 and not 1986, even better would be to only store password hashes, not actual passwords (be they encrypted or not) in any file or database...

    2. Re:Yeah, sure you do... by omnichad · · Score: 2

      And P.S. Since this is 2016, those had better be salted hashes. Not only do they make for better breakfast, they make better security too.

  2. Meh could be by TheCarp · · Score: 3, Interesting

    Based on the redacted pastebin data, its not clear to me what the source is. This looks like output of a script.

    What if the scenario really is, account information stolen from other sites is being tried against spotify accounts with the same email address, and scraping account information when it hits? That looks easily as likely to me.

    If that is whats going on, then spotify is right, they are not being hacked at all, their users are being comproimised based on data taken from somewhere else.

    --
    "I opened my eyes, and everything went dark again"
    1. Re:Meh could be by halivar · · Score: 2

      Or it's the result of a successful spearfishing campaign directly against the users.

  3. Re:maybe a link to the pastebin by sconeu · · Score: 4, Informative

    You could try Have I Been Pwned?

    https://haveibeenpwned.com/

    --
    General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
  4. Who's got spare time? by viperidaenz · · Score: 2

    To log in to all these accounts and replace all the songs on all their play lists with Rick Astley?