TechCrunch reports that the list was published on Pastebin, a website frequently used by hackers to dump large amounts of data in plain text. TechCrunch contacted a random sampling of the users in the list and was able to verify that many of the credentials are valid.
The accounts appear to have been compromised mere days ago. The data includes users from across the world and details the subscription status and next renewal date for each member.
Several of the victims that TechCrunch contacted said they suspected their account had been accessed by a third-party recently. One saw songs appear in the “recently played” list that he hadn’t listened to and another observed songs being added to his saved songs list.
Some were forced offline while streaming music as the attacker changed the account’s email address. Spotify customer service was able to restore access to the account but at no point did the company proactively reach out to victims or reset passwords of its own accord.
In a statement to TechCrunch, Spotify insisted it has not been hacked. “Spotify has not been hacked and our user records are secure,” the company said. “We monitor Pastebin and other sites regularly. When we find Spotify credentials, we first verify that they are authentic, and if they are, we immediately notify affected users to change their passwords.”
However, doubts still remain. The suspicious activity only began in the past week and the Pastebin dump is dated 23rd April. Although it is impossible to confirm whether the data is recent, the account hijacking of several users who are on the list should be a cause for concern.
It is unclear what the people behind the attack are doing with the accounts they compromise. Usually, account details would be sold on the dark web, a commodity to be traded. Here, the perpetrators appear to be actually using the profiles though, playing music with Spotify and thus alerting the real owner to the breach.
Some of the victims told TechCrunch that their other online accounts, including Facebook and Twitter, have also been hacked recently because passwords are frequently reused across services. The attackers could be using the Spotify credentials as a gateway to other more lucrative platforms.
Spotify users should reset their passwords as soon as possible, choosing a different password for each online service. It may also be wise to review the list of currently signed-in devices in Spotify’s account section online, deleting any that aren’t recognised or look suspicious.
