Illustration by Max Fleishman

Was Spotify hacked? Users say yes, but Spotify says no

You should probably change your password, just in case.


Mike Wehner


A new report claims that popular streaming app Spotify has become the latest victim of tricky hackers, but is it true? If so, it’s absolutely the most low-scale, relaxed breach in the history of the Internet.

Companies large and small are hacked every day, but when a massive leak happens it’s always big news.  

The supposed hack, first reported by TechCrunch, came to light thanks to a Pastebin file with Spotify customer account credentials. TechCrunch says it contacted some of the users on the list and discovered that many of them had received emails from Spotify about account changes they didn’t make themselves, including changed email addresses and passwords. 

However, in an official statement, Spotify claims it has not been hacked whatsoever:

“Spotify has not been hacked and our user records are secure. We monitor Pastebin and other sites regularly. When we find Spotify credentials, we first verify that they are authentic, and if they are, we immediately notify affected users to change their passwords.”

Additionally, TechCrunch notes the Pastebin list with the user credentials contains “hundreds” of accounts, and while that might sound like a lot, it’s virtually nothing compared to Spotify’s 30-plus million users. In fact, assuming a total of at least 500 accounts, it’s less than 0.002 percent of Spotify’s customers. 

Most of the users who claim to have been hacked say that the only actual “damage” done was some deleted playlists and songs being added to their queue that they didn’t put there. If these are hackers, they are officially the most chill criminals we’ve heard of. 

But if Spotify itself wasn’t compromised, then how did the customers end up on a shady text document? It’s hard to say, but there are a couple of possibilities: Spotify provides a number of APIs and SDKs for developers who wish to integrate the service into their apps or websites, linking accounts and making one-click sign-ins possible. 

In the past, some apps—especially on Android—have been known to carry malware that can skim info and send it off to potentially dangerous third parties. It’s not a stretch to think that the same could be done on a website or app with Spotify integration. 

Considering the relatively tiny number of accounts potentially affected, it certainly doesn’t seem to be a widespread attack by any means, if it could even be labeled an “attack” at all. Still, if you haven’t swapped your Spotify password in a while, now would probably be a good time, if only to be absolutely sure. 

H/T TechCrunch

The Daily Dot