
After Breaches At Other Services, Spotify Is Resetting Users' Passwords (vice.com)

And now, Spotify is asking its users to reset their passwords. The popular music streaming service is "actively resetting a number of users' passwords," Motherboard reports, adding that the company is doing this because of the data breaches at other services and websites. In an email to customers, the company said, "Don't worry! This is purely a preventative security measure. Nobody has accessed your Spotify account, and your data is secure." The move comes less than a week after Dropbox began resetting its users' passwords. Earlier today we learned that the cloud storage had been hacked, and as many as 68 million accounts are affected.

33 comments

  1. Pepe by Anonymous Coward · · Score: 0, Insightful


    1. Re:Pepe by Anonymous Coward · · Score: 0, Funny

      Mod parent up.

  2. Well by JustOK · · Score: 3, Funny

    Just changed mine. Gosh, with all these breaches, I'm up to "hunter10224"

    --
    rewriting history since 2109
  3. Last Post by archer,+the · · Score: 4, Interesting

    With all of the breaches lately, I think it's time to get rid of the less important accounts. Adios!

    1. Re:Last Post by Anonymous Coward · · Score: 0

      +5 interesting? really??

    2. Re:Last Post by Anonymous Coward · · Score: 1

      > With all of the breaches lately, I think it's time to get rid of the less important accounts. Adios!

      Unfortunately, on a lot of websites there is no automated way to delete an account. Instead of pressing a button to delete an account, you need to contact customer service. Of course, contacting customer service can be a frustrating, time-consuming process...

    3. Re:Last Post by Anonymous Coward · · Score: 1

      Well, we find it interesting even if people running the websites don't. I mean, really, what is the point in signing up for yet another account to...post in a forum...report a bug...download a picture...etc.? You know the website is just going to get hacked and any info you left there when you signed up or used the website is going to be in the hands of hackers. If you can't trust a website to hold your data securely, then why would you consider using it?

    4. Re:Last Post by swell · · Score: 1

      "time to get rid of the less important accounts"

      Instead of such a drastic measure, consider using a different username and password for each account. That way a hack of one account is far less likely to affect the others. It may also be slightly more difficult for trackers to link all your activities, locations and perversions. As mentioned here countless times, a password manager makes this easy, safe and convenient. Additionally, if it is a "less important account", why would you care if it is hacked?

      It is unfortunate that you need an 'account' to make a comment or even simply visit some sites. I'm not allowed to see most Fecebook pages because I don't have an account. Much of the account info you give is sold to data collectors, of course. Lots of paranoia among site owners too. A user moderated system as seen right here can go a long way to eliminate unwanted comments without the need for an 'account' or the site owner's detailed attention. Presumably these moderation systems will improve with time and other creative solutions will develop.

      OTOH, anonymous surfing, as done with Tor Browser and similar systems, is making site access far more complex. Many sites require a Captcha in addition to account info before they will let you in. You may have to do a Captcha for each page you visit on a site. Some service providers, like your local library, may not even let you access the internet with Tor.

      --
      ...omphaloskepsis often...
    5. Re:Last Post by Anonymous Coward · · Score: 0

      Even if they have an automated way of requesting account deletion you can't trust they actually do it. Facebook has profiles of people who've never even held accounts, you think they actually delete your data if you ask them to? Ashley Martin actually charged a fee for account deletion, and that was just another confidence scam.

      You just have to assume that every site you sign up for is going to hold your data until the business goes bankrupt or gets acquired, and then your data is simply sold.

    6. Re:Last Post by archer,+the · · Score: 1

      I actually do use different names and passwords for each account. The email address doesn't change though, which means someone could try using it on other sites to try getting my username and resetting my password at those other sites.

      Even less important accounts can have serious side effects if compromised. Say someone got hold of my /. account. No, they can't drain my bank account, but they could post stuff so threatening that law enforcement comes knocking on my door. After legwork and legal fees, I would be able to prove I didn't post that stuff, but that's still a lot of stress and wasted time & money.

  4. why not all users passwords? by Anonymous Coward · · Score: 0

    Change them all?

  5. *Mr. Burns finger tapping move* by poofmeisterp · · Score: 1

    Excellent. Exactly what we, the hackers, wanted. Now we can watch all of the users reset their passwords with the keylogger we inserted years ago.

    Eeeeexcellent. Smithers, release the activation metadata!

  6. More Security Theatre by Anonymous Coward · · Score: 1

    I thought this has been considered bad practice for a while now. At the beginning of the month Schneier even posted about research that suggests having users change their passwords often reduces security as the vast majority of the public are likely going to do some form of transformation of the existing password. Spotify has a huge userbase, having them all change their passwords is just perpetuating the idea (and annoyance) that frequent password changes increase security, when it actually has an opposite effect.

    https://www.schneier.com/blog/archives/2016/08/frequent_passwo.html

    1. Re:More Security Theatre by Anonymous Coward · · Score: 0

      So you want them to keep the same password they probably used for dropbox?

    2. Re:More Security Theatre by SilentChasm · · Score: 1

      It's not security theater to reset the password to someone's Spotify account when they use that same password on another site that had their passwords leaked. Even a poor password caused by changing it too often is more secure than a known compromised one.

    3. Re:More Security Theatre by dwillden · · Score: 1

      And what if Spotify has in fact been breached and they are monitoring for just this action in order to verify the likely changes. Hack one site, get the username and pw database, hack a second site but wait until the breach from the first becomes public knowledge and people start changing their passwords (on their own or worse if universally forced by the second site admins) then collect the data and you have most likely established the password migration pattern for several of those users.

      --
      I'm too lazy to compose a creative sig.
  7. where does it stop? by Anonymous Coward · · Score: 0

    there's a story on a non-specific "breach" every day now, with preemptive password resetting - where does this stop, when we reset every password constantly in a constant rotation?

  8. I use a crap password by bobbutts · · Score: 1

    I don't really care if my account were to be compromised so I use something I can remember easily.

    1. Re:I use a crap password by Anonymous Coward · · Score: 0

      Heathen! Heretic! NAMBLA member!

  9. Proactive by Anonymous Coward · · Score: 0

    It says a lot about how much Spotify cares about its service and customers. Other companies should learn from Spotify and do the same.

  10. A pointless move by ITRambo · · Score: 1

    If there was no breach then there is no need to force a password reset. It's an unnecessary annoyance that does not add security at all. If a hack takes place after the resets the information is still stolen, and now you need to reset it again. This never makes sense to me. It seems like a knee-jerk reaction to "do something so it looks like we care".

    1. Re: A pointless move by Anonymous Coward · · Score: 0

      That's like arguing that it makes no sense to clean yourself, because you get dirty anyway.

    2. Re:A pointless move by ioev · · Score: 1

      Agreed. I use a different password on every site I have an account for, yet I often use the same email address as a login. If all of those sites forced me to change my password when one of the sites was breached, it would be a huge hassle for essentially nothing.

    3. Re:A pointless move by HBI · · Score: 1

      Agreed, this is just dumb.

      If I had a Spotify account, I'd be closing it right now. I have done so with every firm that forces a mandatory password change, from banks to message boards. My logic is that their security sucks and forcing a pw change just lengthens my misery working with them.

      --
      HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
    4. Re:A pointless move by Anonymous Coward · · Score: 0

      Agreed.
      This is just contempt for their customers. I hate changing passwords, now I have yet another one to forget and not even for any good reason.

    5. Re:A pointless move by gsslay · · Score: 1

      Dear Spotify user,

      Following recent security breaches at Dropbox we are resetting your password. Do not worry, you haven't been hacked. This is just for your security. I'm sure you've read about it in all the news, so you know this is all true, above board and nothing to be suspicious about.

      Please follow this link to confirm your user name, old password, and new password.

      Yours, Drop box security team.

  11. OK, "password" is gone. by swschrad · · Score: 1

    from now on, changing to "asswordp". hack that, ya muthas!

    --
    if this is supposed to be a new economy, how come they still want my old fashioned money?
  12. Wait... what? by hyperar · · Score: 1

    > Earlier today we learned that the cloud storage had been hacked, and as many as 68 million accounts are affected.

    The Dropbox hack was from 2012, we all knew they were hacked.

    1. Re:Wait... what? by Anonymous Coward · · Score: 0

      We knew there was a hack. We didn't have access to a database of the compromised accounts. That has changed. From what I understand Spotify is only resetting accounts that match up with the pwned database.
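The selective reset described in the comment above (reset only the accounts whose leaked credential still verifies against the local store, rather than every user) as an added example; this is not code from the page or from Spotify, the user store, PBKDF2 scheme and leaked dump are all constructed here for illustration.

```python
import hashlib
import hmac
import os

# Constructed parameters: a salted PBKDF2-SHA256 store stands in for
# whatever hashing scheme the real service uses.
ITERATIONS = 50_000


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest); a random salt is generated when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate password against a stored hash."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def accounts_to_reset(user_store: dict, leaked: list) -> set:
    """Emails whose leaked (email, password) pair still unlocks a local account.

    Users who already use a different password here are left alone, and
    emails with no local account are ignored. Note: a third-party dump that
    contains only hashes under that site's own scheme cannot be matched this
    way; only plaintext or cracked entries can be verified against our store.
    """
    hits = set()
    for email, leaked_pw in leaked:
        key = email.strip().lower()      # normalise before lookup
        record = user_store.get(key)
        if record is None:
            continue
        salt, digest = record
        if verify_password(leaked_pw, salt, digest):
            hits.add(key)
    return hits


# Constructed sample data: three local users, one third-party dump.
USER_STORE = {
    "alice@example.com": hash_password("correct horse battery"),
    "bob@example.com": hash_password("hunter10224"),
    "carol@example.com": hash_password("unique-to-this-site"),
}
LEAKED_DUMP = [
    ("Alice@Example.com", "correct horse battery"),  # same password reused
    ("bob@example.com", "hunter2"),                  # different password here
    ("dave@example.com", "whatever"),                # no local account
]


def demo() -> set:
    return accounts_to_reset(USER_STORE, LEAKED_DUMP)
```

Only alice is forced to reset; bob and carol are untouched, which is the difference between this approach and resetting every user.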