Spotify Says No Breach—Victims Say Otherwise

Spotify, the premium music streaming service, may have experienced a global breach.

TechCrunch asserts that it stumbled across a Pastebin posting containing hundreds of Spotify account credentials.

“After reaching out to a random sampling of the victims via email, we’ve confirmed that these users’ Spotify accounts were compromised only days ago,” the outlet noted.

But this is a situation of 'he said, she said': Spotify says that it “has not been hacked” and its “user records are secure.”

It’s always possible that, thanks to password reuse, the information came from somewhere else and the credentials just happen to work on some Spotify accounts. But TC said that the information is Spotify-specific: in addition to emails, usernames and passwords, the Pastebin file details the type of account (e.g. family or premium), when the subscription auto-renews, and the country where the account was created.

“It’s unclear, then, where these particular account details were acquired,” TC said.

The outlet also noted that the victims it reached from the Pastebin listing said they knew their Spotify accounts had been breached because, say, songs had suddenly been added to the saved songs list or had come up in the recently played list.

Spotify, for its part, flatly disavows the breach.

"Spotify has not been hacked and our user records are secure. We monitor Pastebin and other sites regularly. When we find Spotify credentials, we first verify that they are authentic, and if they are, we immediately notify affected users to change their passwords," a Spotify spokesman told the Telegraph.

Regardless, it’s a good reminder to stay vigilant.

“Death, taxes and data breaches are the three certainties in life as we now know it, and … hackers never sleep,” said Adam Levin, chairman and founder of IDT911, via email. “For anyone using Spotify, or a similar digital music subscription service, it is critical on a daily basis to monitor any financial account tied to those services for the slightest hint of fraudulent activity—not just in the wake of a breach.”

Obviously, using a different password for each account can minimize exposure of personal identification information.

“And, refrain from over-sharing every morsel of your life on social media,” said Levin. “Should you be impacted by this compromise, think carefully before you click on any link and never authenticate yourself to anyone who contacts you—lest you become a victim of a phishing scam and an unwitting co-conspirator in the theft of your own identity.”
