Has Spotify been hacked? Firm denies breach as thousands of alleged passwords leak
Spotify says it has 'not experienced a security breach' and that user records are safe.
On 22 May, a little-known hacking collective using the name "Leak Boat" released what they purported to be over six thousand usernames and passwords from Spotify, one of the world's most popular music streaming services. The Swedish firm has denied being breached.
The Leak Boat hacking group, which is using a Twitter account with the handle @SecTeamSix, initially claimed the trove of credentials amounted to 9,000 records. However, upon inspection it included 6,410 entries. All appeared to be linked to Spotify's free subscription option.
Yet not everyone was convinced Spotify had actually been compromised or "hacked."
Troy Hunt, a security expert who manages the breach notification service 'Have I Been Pwned', said in response to initial reports that the leaked credentials were likely taken from breaches of other services.
When tested on the official Spotify sign-up page, a chosen sample of twenty usernames contained in the alleged leak were not available for use.
IBTimes UK did not log in to any accounts.
When contacted, a spokesperson for Spotify stressed that no new "hack" had taken place.
The firm said in a statement: "Spotify has not experienced a security breach and our user records are secure. We do however pay attention to breaches of other services, and take steps to help our users secure their Spotify accounts when those occur.
"Many people use the same login and password combination for multiple services. Therefore, we review sites for leaked user credentials which might be used to access Spotify. Having become aware of such a security breach, Spotify's security team identified that some of the leaked user credentials might correspond to Spotify accounts.
"We take a proactive approach to security and have reset all of the relevant passwords and sent the customers an email asking them to create a new one."
Anyone concerned that their email addresses or passwords may have been leaked online can search Hunt's service free of charge. If your details – likely collated from huge breaches such as Dropbox, MySpace and Twitter – appear online, it is highly advised to change them.
In February 2016, hundreds of alleged Spotify Premium account details were posted online by a PasteBin user with the name 'Drakia12'. It followed a similar incident in November 2015, when over 1,000 emails and passwords from the streaming service were released into the wild.
In all prior cases, Spotify maintained its core service was not breached by hackers.