Everything You Need to Know About Spotify Data Breach

Spotify is one of the largest and most popular music streaming services out there, and they have repeatedly been hacked with user data breached and exposed online.

Millions of people use Spotify to curate their music collections. Premium users can easily create playlists and customize their library to their specific tastes. The service also “recommends” new music based on your lists and preferences. However, starting in 2016, Spotify users have been subject to repeated data breaches, sometimes even losing control of their Premium account completely.

Some users complain that their accounts have been hacked and used for listening to music they didn’t choose. Other more serious issues include users waking up and not being able to log into their accounts anymore. They have been locked out by hackers who have taken control. The scary part is Premium users have their bank and payment details in their profile, which means whoever hacked you, now has them. Unfortunately, there is no clear pattern or evidence of how hackers are able to access Spotify user accounts.

Spotify staunchly declares that their entire system is safe and secure; however, that does not explain how thousands of accounts were breached in 2016 and ended up on Pastebin. Victims have verified that the information breached was theirs, and the passwords were unique to Spotify, so they were not subject to credential stuffing. Spotify denies that they have ever been hacked and claims that “Spotify has not been hacked. We monitor Pastebin and other sites regularly. When we find Spotify credentials, we first verify that they are authentic, and if they are, we immediately notify affected users to change their passwords.”

Complaints abound from users who claim their accounts have been hacked or taken over completely. Compromised accounts leave users wide open for identity theft and fraud.

Dozens of hacked accounts are actually being used to play obscure artists’ music. Discussion panelists on Reddit theorize that these hacks may be a way to rack up listening points for certain artists and DJs. This theory comes from the idea that Spotify allows independent artists to upload their music on the platform, and this is simply a way to run it up the flagpole for revenue and listens.

When Was the Spotify Data Breach?

Starting in 2016, user data showed up on a website called Pastebin used for storing text and source code. Three different data dumps appeared there with user credentials, including email addresses, passwords, account types, and home countries along with renewal dates for Premium accounts. The 2016 three-batch breach was one of many that have occurred over a short period of time. Before that, in November of the previous year, 1,000 email addresses and passwords were also leaked on the internet.

How to Check if Your Data Was Breached

Since Spotify denies ever being hacked, they do not provide a way to check your account. Additionally, users claim Spotify never informed them of the data breach and that their information showed up online.

However, if you use your Spotify account often, you should notice anything that looks out of place. If suddenly you cannot access your account even using the correct credentials, your account may be hacked, and you will want to take action quickly to secure things. You can also contact Spotify to ask for an audit of your account, but since they are pretty much in denial about any breaches, you may not get much help there.

What to Do If Your Data Was Breached

If your account was hacked or your data breached, you should take quick action. Some of the more immediate items to address are:

• Change your Spotify password immediately. If you reused that same password on other sites, change those too.
• Contact your bank or credit card for the payment method you use for Spotify and inform them of the breach.
• Keep a close eye on credit card and bank statements looking for any suspicious charges.
• Watch out for phishing emails.
• Consider signing up for identity theft monitoring with a company like IDStrong.com.

If you cannot get into your Spotify account, contact their support department and let them know you have been hacked. They should be able to restore the account back to your username with a new password.

Are There any Lawsuits Because of the Data Breach?

There are no legal pursuits regarding these issues yet. The very point that Spotify denies ever being hacked or breached makes the entire situation unique.

Can My Spotify Information Be Used for Identity Theft?

Absolutely. Identity thieves need only a small bit of information before they can match it to other data found on the dark web and put together an entire profile about you. Along with identity theft, you have to watch out for fraud and scams by keeping an eye on all your stuff, including credit reports, bank and credit card statements, and public records.

What You Can Do to Secure Your Online Life

Using Spotify, you just want to enjoy your music; we get it. However, anything you do online puts you and your information at risk. Thankfully, there are plenty of steps you can take to secure your online life and keep your details safer.

• Always sign up for 2-factor authentication when available. This helps to keep your account safe and prevents hackers from gaining access without your mobile device.
• Never, ever click a link in an email.
• Install good antivirus/anti-malware software on all your devices and run deep scans often.
• Only use one dedicated credit card for online purchases to minimize your risk.
• Keep a close eye on your credit reports, bank statements, and credit card charges.
• NEVER reuse passwords on multiple websites. This is one of the main ways that hackers gain access to your accounts.
• Keep an eye out for suspicious emails and phone calls. If you did not initiate the action, hang up, or delete the email. Most fraud and scams are perpetrated through email and phone calls.

Use common sense and never give out any personal information to anyone you don’t know. Watch your accounts closely for any suspicious activity or evidence of logons by someone other than yourself.