[BreachExchange] Has Spotify been hacked? Firm denies breach as thousands of alleged passwords leak

Destry Winant destry at riskbasedsecurity.com
Thu May 25 00:58:04 EDT 2017


On 22 May, a little-known hacking collective using the name "Leak Boat"
released what they purported to be over six thousand usernames and
passwords from Spotify, one of the world's most popular music streaming
services. The Swedish firm has denied being breached.

The Leak Boat hacking group, which is using a Twitter account with the
handle @SecTeamSix, initially claimed the trove of credentials amounted to
9,000 records. However, upon inspection it included 6,410 entries. All
appeared to be linked to Spotify's free subscription option.

Yet not everyone was convinced Spotify had actually been compromised or

Troy Hunt, a security expert who manages breach notification service 'Have
I Been Pwned' <https://haveibeenpwned.com/> said in response to initial
reports the leaked credentials were likely taken from breaches of other

When tested on the official Spotify sign-up page, a sample of twenty
usernames contained in the alleged leak was found to be already in use.

IBTimes UK did not log in to any accounts.

When contacted, a spokesperson for Spotify stressed that no new "hack" had
taken place.

The firm said in a statement: "Spotify has not experienced a security
breach and our user records are secure. We do however pay attention to
breaches of other services, and take steps to help our users secure their
Spotify accounts when those occur.

"Many people use the same login and password combination for multiple
services. Therefore, we review sites for leaked user credentials which
might be used to access Spotify. Having become aware of such a security
breach, Spotify's security team identified that some of the leaked user
credentials might correspond to Spotify accounts.

"We take a proactive approach to security and have reset all of the
relevant passwords and sent the customers an email asking them to create a
new one."

Anyone concerned that their email address or password may have been
leaked online can search Hunt's service free of charge. If your
details – likely collated from huge breaches such as Dropbox, MySpace and
Twitter – appear online, it is highly advisable to change them.
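The workflow Spotify's statement describes (watch for credential dumps, match them against your own user base, and reset only the accounts that are actually at risk) looks roughly like the following in outline. This is an added example written for this post, not Spotify's code and not part of the original article; the user store, the PBKDF2 hashing scheme and the "email:password" combolist are all constructed assumptions. It goes one step beyond the statement by separating "the leaked password verifies against the stored hash" (force a reset) from "only the email address appears" (notify and monitor).

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


def hash_password(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; stands in for whatever the real service uses (assumption)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


@dataclass
class Account:
    email: str
    salt: bytes
    pw_hash: bytes
    must_reset: bool = False


def make_account(email: str, password: str) -> Account:
    """Hypothetical user-store entry: random per-user salt, only the hash is kept."""
    salt = os.urandom(16)
    return Account(email.lower(), salt, hash_password(password, salt))


def parse_dump(text: str) -> list[tuple[str, str]]:
    """Parse a combolist in the common 'email:password' form, skipping blank or
    malformed lines. A password may itself contain ':' so split on the first one only."""
    creds = []
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        email, _, password = line.partition(":")
        creds.append((email.strip().lower(), password))
    return creds


def triage(accounts: list[Account], dump: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Classify leaked credentials against the local user store.

    'reused'     : email exists and the leaked password verifies against the stored
                   hash -> the password is forcibly reset (the action Spotify describes).
    'email_only' : email exists but the leaked password does not match -> no reset
                   needed, but worth a notification and extra login monitoring.
    Entries for unknown emails are ignored; the leaked plaintext is never stored or logged.
    """
    by_email = {a.email: a for a in accounts}
    reused, email_only = set(), set()
    for email, password in dump:
        acct = by_email.get(email)
        if acct is None:
            continue
        candidate = hash_password(password, acct.salt)
        # Constant-time comparison so hash checks do not leak timing information.
        if hmac.compare_digest(candidate, acct.pw_hash):
            acct.must_reset = True
            reused.add(email)
        else:
            email_only.add(email)
    return {
        "reused": sorted(reused),
        "email_only": sorted(email_only - reused),
    }


# Constructed sample data (not real users and not real leaked credentials).
SAMPLE_ACCOUNTS = [
    make_account("alice@example.com", "Password123"),    # same password as in the dump
    make_account("bob@example.com", "a-different-pass"),  # in the dump, but password differs
    make_account("carol@example.com", "letmein"),         # same password as in the dump
]

SAMPLE_DUMP = """\
alice@example.com:Password123
bob@example.com:hunter2
carol@example.com:letmein
dave@example.com:notauser
this line is malformed and is skipped
"""


def run_demo() -> dict[str, list[str]]:
    """Run the triage over the constructed data and list the accounts flagged for reset."""
    result = triage(SAMPLE_ACCOUNTS, parse_dump(SAMPLE_DUMP))
    result["forced_reset"] = sorted(a.email for a in SAMPLE_ACCOUNTS if a.must_reset)
    return result


if __name__ == "__main__":
    for key, emails in run_demo().items():
        print(f"{key}: {emails}")
```

Matching on the stored hash rather than on the email alone is what keeps the reset list small: a user whose address appears in someone else's breach but who uses a distinct password for this service does not need to be locked out, only told.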

In February 2016, hundreds of alleged Spotify Premium account details
were posted by a PasteBin user with the name 'Drakia12'. It followed a
similar incident in November 2015, when over 1,000 emails and passwords
from the streaming service were released into the wild.

In all prior cases, Spotify maintained its core service was not breached by