Spotify Compromised Account Security
Three; no matter how many times I change my password on Spotify to newly generated passwords, someone magically logs in and adds a bunch of shitty playlists and plays them nonstop for 30 seconds each song. We both know what's happening here: session hijacking followed by a bot farming ad revenue.
Spotify compromised account security **bleep** is practically a cottage industry. I'm not going to link to resources that provide illegal tools to illegally use backdoors in Spotify's API to perform these feats, but seriously, get **bleep** together. I've been paying for Premium for almost a decade now and I think I'm about fed up. The worst part? I can't fix the damage done to my recommended music after each breach; deleting the play history does nothing. Also I can't even post this post because I'm getting "flood detected" on my very first post.
Oh, and it's 2021 and even though I'm a Premium user I STILL CAN'T HIDE SHITTY MUSIC THAT MY ACCOUNT IS NOW PERMANENTLY RUINED BY YOUR OWN SECURITY BREACH. I'm going to have to make a new account and import my playlists because I literally cannot change my recommended music anymore; it's permanently filth and there's literally NO OPTION on PC to hide songs, dislike songs, block artists, or anything.
I don't really use my phone much at all, and I only ever use Spotify on my PC anyway; I very much doubt my brick of a phone could run Spotify. As I've looked into it, using my phone to "dictate" which artists is only device specific, so considering I use the desktop app primarily it would serve no purpose.
As others have pointed out, and as many, many journalists have started to write articles and catch on, this issue is not really mitigatable or avoidable on the customer and consumer end without more information being given to us in our account panel (let me see my sessions and whitelist or blacklist given IP addresses; even a VPN-using attacker would show up with a lot of easily loggable and traceable IPs to provide metrics for). A one-size-fits-all "disconnect all sessions" button is absolutely useless if the attackers are using a backdoor.
Maybe 2FA isn't perfect, but it's a **bleep** of a lot better than over 5 years of Spotify play history and carefully curated algorithm whispering going up in smoke in a single 8-hour period while I was sleeping, having my account completely destroyed.
There's a lot of information in this video about exactly how this happens and why. I know you're trying to help and you're not affiliated with Spotify in any way, but this issue seriously needs more visibility; the fact that there are hundreds of thousands of compromised PREMIUM accounts on tap for anyone to buy for a few cents speaks volumes about how widespread this issue is. The fact that buying a 15-cent Premium account pays for itself within a day of running a bot on it is disgusting; the whole system is absolutely horrible and incentivizes this behavior.
It sounds like you've already followed the steps here. In this case, creating a new account is a good idea. You can follow the steps in this guide to transfer your music collection over to the new account so you don't miss anything.
Last November, over 1,000 email addresses and passwords used in the music-streaming app were also leaked. And just like this incident, victims of the attack claim that Spotify did not inform them about the hack. In both cases, the identity of the hacker and the details of how the breach took place are still unknown. Those who have reason to believe that their Spotify accounts were hacked are advised to email Spotify directly. Spotify has been actively working hand-in-hand with users in verifying which accounts were hacked and which accounts have not been compromised.
Check your email and create a password (a strong, unique one!). After that, go to Facebook settings, and navigate to the Apps and Websites section. Select the checkmark next to Spotify and click "Remove" at the top. Facebook warns that revoking Facebook permission from Spotify may delete your Spotify account, but it didn't (at least for me). Select "Remove" again.
Cybercriminals carrying out credential-stuffing take advantage of people who reuse the same passwords across multiple online accounts. Attackers simply build automated scripts that systematically try stolen IDs and passwords (either gleaned from a breach of another company or website, or purchased online) against various types of accounts.
In the first Spotify incident in November, researchers found a misconfigured and open Elasticsearch cloud database containing more than 380 million individual records, including login credentials and countries of residence for various people, all actively being validated against Spotify accounts. The database was owned by a malicious third party, researchers said at the time.
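The two paragraphs above describe the mechanics of credential stuffing: one source tries many stolen email/password pairs against many different accounts, and most attempts fail because the victim never reused that password. From the service operator's side that pattern is visible in authentication logs as a single client address touching an unusually large number of distinct usernames with a high failure rate, which is quite different from a legitimate user fumbling their own password a few times. The following is an added example of that detection logic, not code from Spotify, the researchers, or any article quoted on this page. It assumes a simple constructed log format (`ip=… user=… result=OK|FAIL`); the log lines and addresses are made up for the example and use the RFC 5737 documentation ranges.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (not from any real service).
# 203.0.113.7 behaves like a credential-stuffing client: eight different
# accounts in a few seconds, nearly all failing, one success.
# 198.51.100.20 is a legitimate user who mistypes her own password three times.
SAMPLE_LOG = """\
2021-01-12T03:14:01Z ip=203.0.113.7 user=alice@example.com result=FAIL
2021-01-12T03:14:02Z ip=203.0.113.7 user=bob@example.com result=FAIL
2021-01-12T03:14:02Z ip=203.0.113.7 user=carol@example.com result=OK
2021-01-12T03:14:03Z ip=203.0.113.7 user=dave@example.com result=FAIL
2021-01-12T03:14:03Z ip=203.0.113.7 user=erin@example.com result=FAIL
2021-01-12T03:14:04Z ip=203.0.113.7 user=frank@example.com result=FAIL
2021-01-12T03:14:04Z ip=203.0.113.7 user=grace@example.com result=FAIL
2021-01-12T03:14:05Z ip=203.0.113.7 user=heidi@example.com result=FAIL
2021-01-12T08:02:10Z ip=198.51.100.20 user=alice@example.com result=FAIL
2021-01-12T08:02:25Z ip=198.51.100.20 user=alice@example.com result=FAIL
2021-01-12T08:02:40Z ip=198.51.100.20 user=alice@example.com result=FAIL
2021-01-12T08:03:01Z ip=198.51.100.20 user=alice@example.com result=OK
2021-01-12T09:15:00Z ip=192.0.2.5 user=bob@example.com result=OK
"""

# Assumed (constructed) log format; adapt the pattern to the real source.
LINE_RE = re.compile(r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)")


def parse_auth_log(text):
    """Return a list of (ip, user, success) tuples; lines that don't match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m["ip"], m["user"], m["result"] == "OK"))
    return events


def summarise_by_ip(events):
    """Aggregate attempts, failures, distinct users and successful users per source IP."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set(), "successes": set()})
    for ip, user, ok in events:
        s = stats[ip]
        s["attempts"] += 1
        s["users"].add(user)
        if ok:
            s["successes"].add(user)
        else:
            s["failures"] += 1
    return stats


def detect_credential_stuffing(text, min_distinct_users=5, min_fail_ratio=0.6):
    """Flag source IPs that hit many distinct accounts with a high failure rate.

    A single user retrying their own password is not flagged: they touch one
    account, however many times they fail. Thresholds are assumptions to tune.
    The accounts that *succeeded* from a flagged source are the ones whose
    password was evidently reused elsewhere and should be reset and notified.
    """
    flagged = {}
    for ip, s in summarise_by_ip(parse_auth_log(text)).items():
        fail_ratio = s["failures"] / s["attempts"]
        if len(s["users"]) >= min_distinct_users and fail_ratio >= min_fail_ratio:
            flagged[ip] = {
                "attempts": s["attempts"],
                "distinct_users": len(s["users"]),
                "fail_ratio": round(fail_ratio, 2),
                "accounts_to_review": sorted(s["successes"]),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(SAMPLE_LOG).items():
        print(ip, info)
```

Run against the constructed log, only `203.0.113.7` is flagged, and `carol@example.com` is listed as the account whose login succeeded from that source; in practice that success, not the failures, is the event that deserves a forced password reset and a user notification, which is exactly what the victims quoted above say they never received.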
Compromised accounts could contain credit-card information, loyalty points that could be stolen or used, or physical shipping addresses. And, accounts can also contain information like birthdays, preferences (those Spotify playlists, for example) and other data that is ripe for abuse when it comes to developing social-engineering tricks for phishing attacks.
For those of us old enough to remember, a carefully curated physical or digital music collection was once a thing of pride and joy. Today, music streaming services like Spotify have taken over the duty of cherry-picking recommendations and giving you a non-stop stream of music tuned specifically to your taste. Now imagine if someone had the power to wreak havoc on that carefully tuned stream of music, or worse, lock you out of your account. Unfortunately, there has been a noticeable uptick in Spotify Premium accounts being hacked and accessed without permission. How do you secure your Spotify account against these hacks?
To protect your Spotify account from possibly being hacked, use a unique password in tandem with a password manager app. Regularly changing your Spotify password is also a sound strategy to keep your account protected. Spotify still hasn't rolled out two-factor authentication support, making it hard to protect your account.
While Spotify has not acknowledged a broader issue, looking at user reports from Premium-tier subscribers paints a dire picture. In some cases the account is used to listen to music for free while the owner still has access; in others the owner is locked out of the account with their bank details still linked to the service. The hacker can then continue to use the account for free, leaving you with no easy means of taking back your account.
Things can, of course, take a far more serious turn as well. There are more than a few instances of account email addresses and passwords being switched out. Once that is done, you are essentially locked out of your account. This also leaves you without the ability to remove your bank account details.
Everyone should also be using a good password manager and locker. Combined with a strong and unique password, a good password locker can drastically reduce the chances of your account getting hacked. LastPass, for example, is a great option for generating unique passwords for every website and storing them safely. The app is cross-platform and lets you access your passwords on the go via the mobile app.
A recent study by Microsoft claims that multi-factor authentication can prevent over 99.9% of account hacking attempts. By requiring an additional authentication component, be it a one-time password received via SMS, a secure authenticator like Authy, or even a physical authentication key, the chances of your account getting breached reduce drastically.
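The paragraph above lists three second factors; the authenticator-app kind (Authy, Google Authenticator and similar) is the one most worth understanding, because it works entirely offline: the app and the service share a secret once, and thereafter both derive a six-digit code from that secret and the current 30-second time step (RFC 6238 TOTP on top of RFC 4226 HOTP). A stuffed password alone is then useless without the code. The block below is an added example of the verification side, not code from any service or article on this page. The secret is the RFC test key encoded in base32, so the expected codes are the published test vectors; the one-step clock window and the replay guard are ordinary design choices, included because they are the two places a home-grown verifier usually goes wrong.

```python
import base64
import hashlib
import hmac
import struct
import time

TIME_STEP = 30  # seconds per TOTP step (RFC 6238 default)
DIGITS = 6

# Constructed demo secret: base32 of the RFC 4226 / RFC 6238 test key
# "12345678901234567890". Real secrets are random and never shared beyond enrolment.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(secret_b32):
    """Decode an authenticator-style base32 secret, tolerating missing padding and spaces."""
    s = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(key, counter, digits=DIGITS):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret_b32, at_time=None):
    """Code the authenticator app would display at the given Unix time (now if omitted)."""
    now = time.time() if at_time is None else at_time
    return hotp(decode_secret(secret_b32), int(now) // TIME_STEP)


class TotpVerifier:
    """Server-side check: accept a code for the current step or one step either side,
    compare in constant time, and never accept the same step twice (replay guard)."""

    def __init__(self, secret_b32, window=1):
        self.key = decode_secret(secret_b32)
        self.window = window
        self.last_counter = -1  # highest time step already consumed by a successful login

    def verify(self, code, at_time=None):
        if not (code.isdigit() and len(code) == DIGITS):
            return False
        now = time.time() if at_time is None else at_time
        current = int(now) // TIME_STEP
        for drift in range(-self.window, self.window + 1):
            counter = current + drift
            if counter <= self.last_counter:
                continue  # already used (or older than one already used): replay, reject
            if hmac.compare_digest(hotp(self.key, counter), code):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    print("current code for demo secret:", totp(DEMO_SECRET_B32))
    v = TotpVerifier(DEMO_SECRET_B32)
    print("verifies now:", v.verify(totp(DEMO_SECRET_B32)))
```

Two details matter for a deployment: the `window` of one step each way absorbs small clock skew between phone and server without widening the guessing space much, and the `last_counter` replay guard means a code that an attacker manages to observe (for example from a phishing page that relays it) is dead the moment the legitimate login consumes it. Persist `last_counter` alongside the secret rather than in memory, or the guard resets with every process restart.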
All you have to do is head over to the official website and click on your account. Click on apps, and you will be presented with a list of websites and applications that have access to your Spotify credentials. You can revoke permissions for any app that you are no longer using. Similarly, changing the password is very simple. Over at the website, click on your account details to set a fresh password.
People get the lists of emails and passwords exposed by hacks and try them on all kinds of different popular services. And to my surprise, they publish them on dark web forums so people can use premium services for a while before the owners of the accounts realise they were compromised. This is commonly referred to as a "paste". Here is the paste identified a few days after I realised my Spotify account was compromised.
Your primary email account is critical to your online identity. It is most commonly the place where you register your other accounts, and where you will be sent recovery questions, password reset links and two-factor authentication messages. Make sure this email has a complex and unique password; it is your most important account, as most of your other services rely on it. Do not use the same password anywhere else.
Password managers will generate and store passwords for you. They are available as browser plugins and can be installed on mobile phones, and they can autocomplete login forms for you when you visit those sites. But remember, a password manager also requires a strong master password, which must not be the same as your email account's password and must be unique to avoid further problems.
Another victim says he tracked his compromised email to an address hosted in Russia. Russia has been a hacker haven for those who collect personal records in the past decade. One Russian hacker ring reportedly amassed over 1.2 billion username and password records last year, according to The New York Times.