The latest Spotify leak might be the strangest one yet. Hundreds of accounts have been splashed on Pastebin. These accounts have already been accessed, with many having had their emails changed. But not only do we not know who is behind the leak, Spotify is adamant it hasn’t been hacked. So, what’s really going on?
To find out, I arranged a chat with Kevin Shahbazi, security expert and CEO of password management firm LogMeOnce. Kevin has built himself a name in the security industry. He has launched several different infosec companies, of which one — Trust Digital, who specialize in enterprise-level smartphone security — was acquired by McAfee in 2010.
Kevin’s expertise in the security field is undeniable, and I wanted to find out what he made of this latest data breach. Over a flurry of emails sent on a Tuesday evening, I grilled him on who might be behind the leaking, what was so wrong with Spotify’s response, and what affected users can do to protect themselves.
The Anatomy of the Leak
When the Ashley Madison debacle popped like an overripe cantaloupe , it exposed the sordid secrets of millions onto the Dark web. The data dump, which measured in the gigabytes, listed everything from the biographical information of the site’s registrants, to even their niche sexual preferences. How does the Spotify leak compare?
“As far as how much data has been leaked, there has only been mention that an unspecified ‘hundreds’ of accounts have been compromised. Account information like payment details and credit card information were not included in the leak, but emails, usernames, passwords, account type and additional account details were.” — Kevin Shahbazi
There’s still no information on who was behind the attack, although it was published by a user by the name of ‘Drakia12‘ on Pastebin. Kevin is open to the possibility that the dump itself might not be all that new, and instead came from accounts that had already been leaked onto the Dark Web , and are now entering a wider circulation. Logins for Spotify, and other streaming sites like Netflix, are available to purchase on the murkier parts of the Internet, and according to a McAfee Labs report, these logins are continually circulated by cyber criminals once they’ve been compromised”.
Kevin also hinted that a “brute force” attack might be behind the leak, saying, “Another possible source [of the leak] is a program used to ‘comb’ through passwords, or merely attempt multiple different password combinations until it finds the correct one”.
This seems unlikely, since most services now limit the amount of failed login attempts a user can make. However, it’s not impossible. In 2009, the Twitter accounts of Rick Sanchez, Bill O’Reilly, and Britney Spears were compromised by hackers, and offensive messages were posted.
This attack was only possible because, at the time, Twitter did not limit login attempts, and one administrator had a weak dictionary password (it was “happiness”).
I wanted to know how this leak compared to other high-profile leaks, such as the Ashley Madison, PlayStation Network, and Mate1 leaks. Kevin said that unlike other other notable leaks, Spotify isn’t “owning” it. They’re not taking responsibility. Nor, he added, are they “being proactive in protecting their customer’s information”. Shahbazi also worries that the leakage might be the overture of something much bigger.
“By publishing a small sample of data alleged hackers might have simply wanted to put Spotify into a defensive position. Then after a short while, after they have milked the account, they will likely publish the rest of the data dump. If that is their goal, then more embarrassment is to come, and executives could end up losing their positions at Spotify.” — Kevin Shahbazi
Perhaps what is most puzzling about the Spotify hack is that it’s such an unlikely target. To a cyber-criminal, the allure of a compromised PayPal or online banking account is undeniable. But Spotify isn’t a financial institution. It’s a music website. I asked Kevin why a hacker might target it.
“The value in attacking Spotify, or other similar services, varies from hacker to hacker. In this case, transparency seems to be the most likely motive behind the recent leak, to show the public that their information isn’t necessarily secure with the platform, and ultimately, causing embarrassment to the brand.” — Kevin Shahbazi
Many people choose to link their Facebook accounts with Spotify. This simplifies logging in, and also adds a social dimension to the service. Users are able to share their favorite tracks with their friends, and get recommendations.
Could this lead to further pain for affected users? Potentially, Kevin said. Especially if the user is using a duplicate password.
“Duplicate passwords (or reusing a single password across different services) could be a potential issue. Since anyone can now access hundreds of Spotify logins, this gives them the key to any other accounts and services that use the leaked password).” — Kevin Shahbazi
Given Spotify’s high profile, it was inevitable that the company would eventually experience some kind of security issue. But in this case, it has been surprisingly nonchalant about everything.
“While [in the past] they have been proactive in resetting user passwords for accounts that appear to be hacked, and have said they often scan sites like Pastebin for Spotify credentials, they haven’t done so with the most recent alleged hack, despite hundreds of Spotify credentials appearing online.” — Kevin Shahbazi
Affected customers have had to actively reach out to Spotify to regain access to their accounts. According to postings on Twitter, and various articles in the technology press, this hasn’t been an easy task. Sadly, this isn’t an isolated event for Spotify.
“Spotify has denied the existence similar alleged hacks that purportedly took place in November 2015 and again this past February. Overall, Spotify’s public statements contradict the experiences of their customers.” — Kevin Shahbazi
Kevin isn’t sure why Spotify has been so vehemently opaque about the existence (or otherwise) of a hack, or whether it was the victim of user error. However, he worries that “their lack of transparency is only hurting their brand, reputation, and most of all, their customers”.
What Can Affected Users Do?
Literally hundreds of users have been affected by the leakage. There’s a very real possibility that more accounts have been compromised, but just haven’t been leaked yet. I asked Kevin what measures Spotify users should take to protect themselves.
“Whether hacked or not, all Spotify users should be cognizant of their accounts. For those whose information has been compromised they should immediately change their login information for any accounts that utilized the same password, as well as monitor any financial accounts that may be linked to Spotify. They need to also contact Spotify to let them know of the issue with their account as well as to reset it.” — Kevin Shahbazi
Kevin added that those who were fortunate enough to not be included in the data dump should also take precautions. He recommends that all users reset their passwords, and on all devices where Spotify is installed, users sign out, and then log back in. He also stressed the dangers of relying upon duplicate passwords.
“This is yet another case in which duplicate passwords come back to harm those looking for ease of access to multiple accounts. While it may just seem like Spotify’s login information was hacked and all other accounts are safe, if a duplicate password was used, it could be used to successfully login to other accounts utilizing that information, creating a domino effect.” — Kevin Shahbazi
Prevention Is Better Than the Cure
It’s impossible for consumers to prevent their data from being leaked by a service they use, since it’s not in their hands. The service has to have good security practices, and good password hygiene. But what can consumers do to limit their exposure to future leakages? Kevin re-emphasized that users should avoid duplicate passwords, and where possible use two-factor authentication.
“Another way that readers can ensure their password security is strong is by utilizing two-factor authentication (2FA) , where in addition to a password, users are required to provide another piece of information, like a finger print, PIN, or security question, that only they would be able to provide.” — Kevin Shahbazi
Unsurprisingly, Kevin recommends the use of a password manager, in order to securely store complex passwords. He said “a password manager is a simple way to prevent hackers from wreaking havoc on your life. These encrypt passwords in a secure ‘vault’, which the user can access through one master password.” He added that these make it easier to use secure, complex passwords.
“There are many free, reliable password managers. Make sure you’re using a reputable one. Many of them do more than just simply store your password, so look for ones that use “injection” to insert passwords in the correct fields, rather than simply copying and pasting from the clipboard. This helps you to avoid being attacked via keyloggers.” — Kevin Shahbazi
Kevin, perhaps rightly, is perturbed by the mild response by Spotify to hundreds of their user accounts being sprayed on Pastebin. Whether this leak is a one-off or if it’s indicative of something bigger to come remains to be seen.
We tried to get in touch with Spotify for comment on this story, but were unable to do so. If we hear back from the company, we’ll update this article with its response.