What We Know
Spotify is faced with yet another incident of compromised accounts. The popular “Freemium” music streaming service with over 300 million subscribers has had a string of such data leaks in the past. On April 23rd, a list of hundreds of Spotify Premium credentials was posted on Pastebin. The list included account usernames, passwords, real names, and auto-renewal dates.
What were users experiencing in the days following the list posting?
Many users reported losing access to their accounts mid-stream, and others found themselves locked out after their account email address was changed without their consent. Some only came to suspect a compromise when they found unfamiliar songs in their playlists. Many victims of this breach have reported consequences beyond blocked access to their music: some of the passwords on the list were also the keys to Facebook, Uber, Skype, and even bank accounts, because the same password had been reused across services.
The music company denies any accusation of a data breach, saying that “user records are secure,” and no formal press release has been put out by the company.
What We Want to Know
- Is this a brand new list of credentials, or is it resurfacing data from the past Spotify leaks?
- Why are the attackers accessing the accounts themselves, rather than selling credentials on the dark web as is traditionally the case with compromised accounts?
- What would the damage be, both to Spotify and its customers, if PCI and PII were leaked?
- What precautions will Spotify take moving forward?
- Given all this proof of breaches and the testimonies of users over the past couple of days, how and why is the company so firm in its belief that the data has not been leaked?
Finally, as users scramble to recover their lost accounts, the question becomes ‘can users keep trusting Spotify with their PII, PCI, and other sensitive information?’
How To Prevent Data Leaks Within Your Organization
Read the CloudLock CyberLab’s latest report to learn about the new Cloud Threat Funnel methodology. Make the most of your cybersecurity efforts by correlating suspicious activities and anomalous behavior to surface the ones that truly indicate cyberthreats.