Spotify resets some account passwords citing ‘suspicious activity’

Music streaming giant Spotify has notified an unspecified number of users that the company has reset their account password, but has left dozens of users asking why. In an email, some Spotify users were told their password was reset “due to detected suspicious activity,” but gave no further details. Anyone else getting emails from Spotify […]

Music streaming giant Spotify has notified an unspecified number of users that the company has reset their account password, but has left dozens of users asking why.

In an email, some Spotify users were told their password was reset “due to detected suspicious activity,” but gave no further details.

Anyone else getting emails from Spotify about suspicious activity? No compromise, at least not on my account, just seems to be getting hammered

— Chris Barsby (@Barsbeh) May 16, 2019

Suspicious activity detected on my Spotify account. 🤷🏻‍♀️

— NK (@NonoGerrard) May 21, 2019

Spotify just reset my password due to 'suspicious activity'. Did someone hack in to listen to Justin Bieber or something?

— P13 (@apaulothirteen) May 16, 2019

When reached, Spotify spokesperson Peter Collins said: “As part of our ongoing maintenance efforts to combat fraudulent activity on our service, we recently shared a communication with select users to reset their passwords as a precaution. As a best practice, we strongly recommend users not to use the same credentials across different services to protect themselves.”

In other words, Spotify says this is a credential stuffing attack, where hackers take lists of usernames and passwords from other breached sites and brute-force their way into other accounts.

We asked several people who received the email reset message. Some used the same password across different websites and some used passwords unique to Spotify. Two people who commented on this Hacker News thread also said their passwords were unique, casting doubt on the veracity of a credential stuffing attack.

It’s not uncommon for companies to reset user passwords if they believe they are weak or easily guessed. Companies typically don’t store user passwords in plaintext. Instead, they scramble passwords using a hashing algorithm. By scrambling lists of weak or stolen passwords using the same algorithm, companies can match weak passwords against their own databases and proactively send out password reset emails.

Netflix, Facebook, and Spotify too have all proactively reset account passwords in the aftermath of third-party data breaches by obtaining the dataset and matching exposed passwords against their databases.

Spotify did not respond to our follow-up questions.

Customers of Chipotle, DoorDash, and OkCupid have all reported account hacks in recent months. All three have denied data breaches.

Cybersecurity 101: Two-factor authentication can save you from hackers

Data & News supplied by www.cloudquote.io
Stock quotes supplied by Barchart
Quotes delayed at least 20 minutes.
By accessing this page, you agree to the following
Privacy Policy and Terms and Conditions.