Spotify account details appear on Pastebin despite music service's claims it has not been hacked
Music service Spotify has once again come under fire as hundreds of account details from users all over the world have been leaked onto the text-storing website Pastebin, including everything from usernames and passwords to email addresses and other details like the account type.
Tech news site TechCrunch discovered the details on Pastebin and contacted a random sample of the victims to ask if they were aware that their Spotify accounts had been breached, and at least six users responded that they were aware of the breach.
Some users said they discovered something was wrong because they had been kicked out of their accounts while streaming music, and when they tried to log back into their accounts, they discovered that the email they used to register the account with had been changed without their knowledge.
Other users said they saw unexpected activity in their accounts: "I suspected my account had been hacked last week as I saw 'recently played' songs that I'd never listened to, so I changed my password and logged out of all devices."
Spotify still denying any data breach
Nevertheless, Spotify has completely denied that it has been hacked and is insisting that its user records are secure.
"Spotify has not been hacked and our user records are secure. We monitor Pastebin and other sites regularly. When we find Spotify credentials, we first verify that they are authentic, and if they are, we immediately notify affected users to change their passwords," a Spotify spokesperson said.
This statement is identical to the response IBTimes UK received from Spotify when we discovered that hundreds of Spotify Premium account details had been compromised and leaked online by an unknown hacker in February.
Pastebin was originally designed to be used by software developers to store bits of code in plaintext that could be easily shared, but today it is used as a public repository where hackers choose to expose stolen information and publicise political agendas behind cyberattacks.
IBTimes UK searched Pastebin to try to locate the account details seen by TechCrunch, but the entry seems to have been pulled down by Pastebin staff, perhaps at the request of Spotify. However, we did find several entries detailing Spotify free and premium account details from November 2015 as well as January, February, March and April 2016 that were still visible to the general public, although a random sampling revealed that the login details no longer work.
However, not all hackers are content to just expose online service account details for free. In November 2015, Business Insider reported that it is possible to buy a lifetime subscription to Spotify for just $1.95 on the Dark Web, as well as hacked subscriptions to other popular streaming content services including Netflix and HBO.
"It's extremely hard to be 100% certain they have not been breached, unless they have actual evidence of the breach while it's happening or clear logs indicating the breach, all they can do is study the 'leaked' information and verify its authenticity," said Mark James, Security Specialist at ESET.
"It should be relatively easy to verify, the information should be quite unique for that industry and it would be clear soon enough if it is legitimate. There are many ways data can leak, malware centric or even employee leaked, it's quite possible that this is old data that has resurfaced."