Are you a Spotify user? If so, you’ve got plenty of company. It’s one of the shining success stories on the web, and has grown to become one of the most popular music streaming services available.
Unfortunately, that also makes it a target, and recently, researchers at VPN Mentor discovered a database of more than 300,000 Spotify user names and passwords available for free on the Dark Web.
No information is available about how the database was collected, but since it’s freely available, hackers of all stripes have been making regular use of it to try to force their way into user accounts. Sadly, it appears that a significant percentage of the records in the database contain working passwords.
There has been a low-level hum of complaints from Spotify’s massive user base about accounts being hacked: playlists being deleted, new playlists appearing out of nowhere, and the like. Until now, there has never been any discernible pattern to these complaints. The recent discovery of the database on the Dark Web provides the missing puzzle piece and adds context to them.
Somehow, even though the company has reported no recent breaches, a large number of user records wound up on the Dark Web, and are actively being used by hackers around the world to cause mischief.
VPN Mentor immediately notified Spotify about their discovery, and the company took prompt action, forcing a password reset on any account found in the database. If you recently logged in and found that you were forced to change your password, now you know the reason why.
It was a good move, and a safe move, but there’s more to this story.
For more than a year now, Spotify’s users have been clamoring for two-factor authentication, and to date, the company has not seen fit to offer it. If it had been available, a leaked password alone would not have been enough to get into an account, and this never would have been an issue to begin with.
Given Spotify’s track record of innovation and general responsiveness to their user base, the lack of 2FA stands out as a glaring black mark on what is otherwise an outstanding record. Here’s hoping the company remedies that soon. In the meantime, if it’s been a while since you logged in to your account, and you’re asked to change your password, the database on the Dark Web is almost certainly the reason why.