My Spotify has just been hacked

You don't type in your password, just the related email account


People buy real and active email addresses too.

I used G2A to buy a game time code, a month and a bit later I'm getting phishing mails referring to a G2A purchase.

Can't trust anyone with your details.
Real subtle G2A
 
Had my Netflix account hacked previously, was able to recover the account though. Had many emails advising an attempted Spotify login or password reset request. I've seen accounts for pretty much everything for sale so I assume it's good business to take over as many accounts as possible.
 
All done and dusted, after receiving my proof of Premium purchase from 2011 they have verified the account is mine and given me access back to it. They removed all payment details from the account too.
 
Afaik it is one way. Only way to "decrypt" is to bruteforce guesses at the password.
Oddly I just tried a couple of reverse hash lookups online (SHA-1 and MD5) and they did in fact manage to get back to the original value I hashed..

Odd and surprising

Need to do some more research into this...
 
Oddly I just tried a couple of reverse hash lookups online (SHA-1 and MD5) and they did in fact manage to get back to the original value I hashed..

Odd and surprising

Need to do some more research into this...
If it's a common password or simple word it will be easily looked up against a table. I just tried "BLahdeblah" on the top 3 sites in Google and none of them returned anything.

I guess this would be where salting comes into play as well.
 
If it's a common password or simple word it will be easily looked up against a table. I just tried "BLahdeblah" on the top 3 sites in Google and none of them returned anything.

I guess this would be where salting comes into play as well.
Yeah I just read about salting

All quite interesting stuff :)
 
On a slightly related note I had "my" Paypal account compromised last week. It's a new account I was forced to set up to purchase something with at the beginning of March, within a week someone tried to pay for a night in a Travel Lodge in London (I didn't think to remove credit card details after the purchase). Paypal were quick to refund the money and I've now shut the account down.

Impressive they managed to compromise it that quickly! And yet another reason not to have a Paypal account.
 
I may have misunderstood your post, but I thought something like an MD5 hash is one way and not reversible?

MD5 is obsolete with many flaws in it which cause it to be insecure. For all hashing algorithms you can just hash every possible password combination to create a rainbow table which shows the password for any given hash. Pretty much any password less than 15 characters long will be in a rainbow table online.
 
MD5 is obsolete with many flaws in it which cause it to be insecure. For all hashing algorithms you can just hash every possible password combination to create a rainbow table which shows the password for any given hash. Pretty much any password less than 15 characters long will be in a rainbow table online.
Thanks for explaining

Is this also the case for passwords that are somewhat random with special characters etc in?
 
My 13 character password that was unique to that account, consists of letters, numbers, symbols and uppercase letters. I did a simple google search for the MD5 hash of that password and found a German website absolutely loaded with MD5 hashes and their decrypted values. I could see my password plain as day in the list in plain text format..

If they're not salting their passwords then they got what they deserved (unfortunately for you and many others). Rookie mistake.
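
Added example, not part of the thread: a Python sketch of the difference the posts above discuss between storing an unsalted MD5 hash, which a precomputed table maps straight back to the password, and storing a per-user salt with a slow key-derivation function. The wordlist, the function names and the PBKDF2 iteration count are assumptions made for this illustration.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for the data behind a reverse-lookup site.
WORDLIST = ["password", "letmein", "qwerty123", "Summer2016!"]
ITERATIONS = 100_000  # assumed work factor for this illustration


def md5_hex(password: str) -> str:
    """Unsalted MD5, the weak storage scheme discussed in the thread."""
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup_table(words):
    """Precompute hash -> plaintext once; it then works against every unsalted hash."""
    return {md5_hex(w): w for w in words}


def store_salted(password: str):
    """Hardened storage: random per-user salt plus PBKDF2-HMAC-SHA256."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_salted(password: str, record) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, expected = record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(digest, expected)


def demo():
    table = build_lookup_table(WORDLIST)
    # Two users pick the same password under each scheme.
    weak_a, weak_b = md5_hex("Summer2016!"), md5_hex("Summer2016!")
    strong_a, strong_b = store_salted("Summer2016!"), store_salted("Summer2016!")
    return {
        "unsalted_recovered": table.get(weak_a),            # table hit
        "unsalted_records_match": weak_a == weak_b,         # one hit exposes both users
        "unlisted_word": table.get(md5_hex("BLahdeblah")),  # not precomputed, no hit
        "salted_records_match": strong_a[1] == strong_b[1], # salts differ, so do records
        "salted_verifies": verify_salted("Summer2016!", strong_a),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Because each salted record has its own salt, a table built in advance does not apply to it, and the iteration count makes every fresh guess against a single record expensive.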
 