Spotify is used by millions of people across the globe. If you’re one of them, you may want to change your password—TechCrunch first reported Tuesday that the streaming music service suffered a security breach, its second security incident in less than six months. A list containing hundreds of Spotify account credentials, including emails, usernames, passwords and other account details, appeared on the website Pastebin on April 23.
Spotify provided a statement in response to the news, denying the allegations that the company had been hacked: “Spotify has not been hacked and our user records are secure. We monitor Pastebin and other sites regularly. When we find Spotify credentials, we first verify that they are authentic, and if they are, we immediately notify affected users to change their passwords.”
But TechCrunch heard from a number of people that discovered suspicious activity in their accounts. Playlists had been deleted, unknown songs had been listened to, and one user even got locked out from his account while he was in the middle of streaming a song.
If the company did not in fact experience a compromise, how can we explain this activity? While companies do have a responsibility to maintain users’ security, consumers are just as much responsible for the security of their online accounts. Many attacks come down to one thing: poor password practices. Consumers often reuse the same email and password combination across multiple sites. While easy to remember, this puts them at risk: fraudsters steal credentials from one site and then try them on other sites, where the reused combination works just as well. This is likely what happened in Spotify’s case.
And Spotify isn’t the first company to get called out in the media for lost credentials due to users’ poor password habits. Both Uber and PayPal have had account information compromised in the past few months.
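The verification step Spotify describes (checking a posted credential list against your own records before notifying users), as an added Python example that is not from the article or from Spotify; the dump lines, the account store and the PBKDF2 hashing scheme are constructed assumptions, and the malformed line in the dump shows the parser skipping junk rather than failing.

```python
import hashlib
import hmac
import os

# Constructed sample of a Pastebin-style "email:password" dump (fake values);
# one line is deliberately malformed to show the parser skipping it.
LEAKED_DUMP = """alice@example.com:Summer2015!
bob@example.com:hunter2
carol@example.com:pass:with:colons
this line has no separator
dave@example.com:whatever
"""
PBKDF2_ITERATIONS = 50_000  # assumption: illustrative work factor only

def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, standing in for whatever the service really stores."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)

def make_account(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}

# Constructed account store: salted hashes only, never plaintext.
ACCOUNTS = {
    "alice@example.com": make_account("Summer2015!"),       # reused password: leak is authentic
    "bob@example.com": make_account("x7#Gq!pL2"),            # leaked entry is stale or wrong
    "carol@example.com": make_account("pass:with:colons"),  # authentic; password contains ':'
    # dave@example.com is not a customer at all
}

def parse_dump(text: str):
    """Yield (email, password) pairs; split on the first ':' only and skip malformed lines."""
    for line in text.splitlines():
        if ":" not in line:
            continue
        email, password = line.split(":", 1)
        yield email.strip().lower(), password

def verify_leak(dump_text: str, accounts: dict) -> set:
    """Return the accounts whose leaked credential really works, i.e. the users to notify."""
    affected = set()
    for email, password in parse_dump(dump_text):
        acct = accounts.get(email)
        if acct is None:
            continue  # not one of our users; nothing to verify
        if hmac.compare_digest(hash_password(password, acct["salt"]), acct["hash"]):
            affected.add(email)
    return affected
```

Only the accounts returned by `verify_leak` need a forced reset and a notification; the stale entry and the non-customer line are dropped without ever being logged in plaintext.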
Some advice for businesses and consumers:
- Businesses: Educate employees on password policies. Ensure employees are not reusing passwords, and require regular password updates.
- Consumers: Do the same! Create long, strong and unique passwords, and update them frequently. Again, do not reuse passwords across multiple accounts, and use two-factor authentication, if possible.
- Businesses: Monitor employee and customer credentials to proactively watch for compromise and help mitigate the risk associated with a data breach.
- Consumers: Keep your personal data safe. Enlist in an identity monitoring service to watch over things like email address, SSN and more. These types of services can alert consumers to potential compromises of their personal information on the dark web.