Thousands of Spotify users just learned the hard way why you shouldn’t reuse passwords.
Cybersecurity company VPNMentor has discovered an improperly-secured database containing email addresses, passwords, account names, and other personal information for thousands of Spotify accounts. Hackers compiled this data with help from other leaks, or via credential stuffing, rather than directly attacking Spotify itself; this mining operation nevertheless allowed them to successfully break into over 300,000 accounts.
In response to the leak, Spotify issued forced password resets to the 300,000 affected accounts back in July, but not everyone followed through. If you haven’t signed into Spotify in a while, it’s probably worth updating your password right now. So is turning on two-factor authentication and installing an encrypted password manager.
Don’t assume you’re safe if Spotify hasn’t made you reset your password yet, however: According to VPNMentor, the database is still actively used by hackers, so further attacks are possible. There are likely a lot more Spotify users who use the same email, username, and password on multiple apps or websites, and even more who use easily-accessible information as their passwords — stuff like their street address, name, birthdate, etc. Those details can also be compromised by data leaks, or with a little social engineering.
If a hacker got in, they could take over your Spotify account for themselves and siphon off your personal information for use elsewhere. This is even more problematic for Spotify users who log in using their Facebook, Google, or Apple accounts, since they store so much personal information and link up with dozens of other apps.
Take this as a canary-in-the-coal-mine situation and update your Spotify password to something stronger. It’s also important to routinely perform password checkups, and to check your accounts using HaveIBeenPwned. Many password managers include built-in password health checks as well.
Lastly, turn on two-factor authentication (2FA). I know, adding an extra login step is annoying, but it’s worth it. Even unique, hard-to-guess passwords securely stored in password managers can be compromised by data leaks, and 2FA can prevent and/or alert you of attempted account break-ins.