My Spotify has just been hacked

Soldato, joined 17 Oct 2002, 7,439 posts, Stoke-on-Trent
Just had an email saying my email has been changed and my password too.

I've checked and the details have indeed been changed. I'm still logged in to the website in Chrome but the desktop App asked me to sign in, which I'm unable to.

I've emailed support straight away. It's linked to my PayPal account. Is it worth cutting the tie?
 
Excuse my naivety but what will the hacker have gained from hacking a Spotify account?
 
It's a Premium account. I'd love to know how they gained access to it. All the details for that account are unique.

Signing in from a device you don't own?
Anyone else have access to devices you sign in on?
Using public wifi?

If changing details requires email confirmation that's even worse. If it doesn't then maybe all they fished up were your login details.
 
My Spotify was hacked last year - the first I knew about it was when I received an email saying I could extend the service to other users. They'd upgraded the account to a family one.

Several emails had already been registered to the account. I raised the incident with Spotify, giving them the details of all the additional users, assuming that they may have had some link to the person who hacked the account. Spotify's reaction was not to investigate, nor reply, but simply to refund the last (higher) payment and cancel the subscription. I stopped using them after that - terrible service.
 
This is becoming pretty common with paid-for on-demand services. You can buy a Spotify login for about £2 on certain underground marketplaces that comes with a one-year guarantee - basically they supply you with hacked logins for a year. I had the same thing happen to my Netflix account: taken over, plan upgraded to the most expensive one, all details changed, and suddenly half of Mexico was using my account.
 
That's a bit concerning. I have a friends and family Spotify account with a fairly strong password (at my end at least). Are there any other steps I can take to make it more secure? 3 of us share this account. I don't think there is 2-step login is there? I have up-to-date antivirus etc and I don't use Internet Explorer.
 
I've dug a little deeper into this myself.

My 13-character password, which was unique to that account, consists of letters, numbers, symbols and uppercase letters. I did a simple Google search for the MD5 hash of that password and found a German website absolutely loaded with MD5 hashes and their decrypted values. I could see my password plain as day in the list, in plain text format.

The possibility of someone guessing my password is very slim. I only use it at home, on my phone, TV, PS4 and on my Echo.

I can only assume Spotify has been compromised again and someone has dumped the database hashes online and they've been decrypted.

I spoke to someone on Twitter support last night via DM, they have passed it on to their "Accounts" team.

My browser session is still active so I can see all my account details, I just can't change any of them.
 
That's not good news! I share my sister's account and we split the cost, so will find out if she's had anything come through as well.
 
Does Spotify not offer two step authentication then? That's pretty lame. I should check mine!
 
This is becoming pretty common with paid-for on-demand services. You can buy a Spotify login for about £2 on certain underground marketplaces that comes with a one-year guarantee - basically they supply you with hacked logins for a year. I had the same thing happen to my Netflix account: taken over, plan upgraded to the most expensive one, all details changed, and suddenly half of Mexico was using my account.

Yes, this. It's happening all the time now; all online services can be purchased on the black market. Netflix, for example, don't seem to care and tell you to close your account and start a new one. Odd way to handle security.
 
I've dug a little deeper into this myself.

My 13-character password, which was unique to that account, consists of letters, numbers, symbols and uppercase letters. I did a simple Google search for the MD5 hash of that password and found a German website absolutely loaded with MD5 hashes and their decrypted values. I could see my password plain as day in the list, in plain text format.

The possibility of someone guessing my password is very slim. I only use it at home, on my phone, TV, PS4 and on my Echo.

I can only assume Spotify has been compromised again and someone has dumped the database hashes online and they've been decrypted.

I spoke to someone on Twitter support last night via DM, they have passed it on to their "Accounts" team.

My browser session is still active so I can see all my account details, I just can't change any of them.

There's a good website I came across that tracks dumped caches of password/email databases etc. Think it's called something like "have I been owned". Always handy to keep an eye out and make sure that no accounts have been compromised.
 
There's a good website I came across that tracks dumped caches of password/email databases etc. Think it's called something like "have I been owned". Always handy to keep an eye out and make sure that no accounts have been compromised.

Sounds like you're thinking of LeakedSource which has subsequently disappeared. Shame as it was really useful.
 
There's a good website I came across that tracks dumped caches of password/email databases etc. Think it's called something like "have I been owned". Always handy to keep an eye out and make sure that no accounts have been compromised.

Sounds like a good way to harvest real passwords.
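The two concerns above (googling the MD5 hash of a password hands that hash, and therefore the password, to whoever runs the lookup site; and a "check your password here" site is a good way to harvest real passwords) are exactly what the k-anonymity range lookup used by Have I Been Pwned's Pwned Passwords service avoids: only the first 5 hex characters of the SHA-1 are sent, and the match is done locally. The example below is added here and is not code from the thread or from HIBP; it uses a constructed stand-in for the range response, so it runs offline (the real endpoint is https://api.pwnedpasswords.com/range/{prefix}, and the count shown is made up).

```python
import hashlib

# Constructed stand-in for what a Pwned Passwords "range" lookup returns for a
# given 5-character SHA-1 prefix: one "SUFFIX:COUNT" line per leaked hash that
# shares the prefix. The first suffix is the real SHA-1 tail of the string
# "password"; the count and the other two rows are made up for this example.
SAMPLE_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
        "0000000000000000000000000000000000A:2\r\n"
        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:1\r\n"
    ),
}


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the upper-case SHA-1 hex of the password into the 5-char prefix
    that goes over the wire and the 35-char suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict, tolerating CRLF and blank lines."""
    counts: dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def offline_fetch_range(prefix: str) -> str:
    """Offline stand-in for an HTTP GET of .../range/<prefix> (assumed, not real)."""
    return SAMPLE_RANGES.get(prefix, "")


def breach_count(password: str, fetch_range=offline_fetch_range) -> int:
    """How many times the password appears in the leaked set (0 = not found).
    Only the prefix is passed to fetch_range; the suffix comparison is local."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for pw in ("password", "Correct-Horse-42!"):
        prefix, _ = sha1_prefix_suffix(pw)
        print(f"{pw!r}: sent prefix {prefix}, seen in leaks {breach_count(pw)} times")
```

Swapping offline_fetch_range for a real HTTP GET of the range URL gives a working check that never discloses the password or its full hash to the service.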
 