Cyber Incident Victim: Spotify
Date:
Apr 2016
Location:
United States of America
Summary
Credentials for hundreds of Spotify accounts were leaked online, with users reporting unauthorized access including email changes and unfamiliar activity like added songs. The service stated it hadn't been breached and user records were secure, but affected individuals confirmed recent account takeovers leading to playlist modifications and secondary compromises of other services due to password reuse. Account recovery required customer support intervention, with some users experiencing delays in restoring access.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
In April 2016, a Pastebin post dated April 23 listed hundreds of Spotify account credentials, including emails, usernames, passwords, account types, subscription renewal dates, and country of origin. Users across multiple countries reported unauthorized access to their accounts, with breaches occurring days prior to the list’s publication. Compromised users discovered unfamiliar activity, such as songs added to their libraries, altered playlists, and unexpected "recently played" entries. Several victims were forcibly logged out of their accounts mid-stream, while others found their account email addresses changed to unknown addresses, preventing them from regaining access without Spotify’s intervention. TechCrunch verified the authenticity of the credentials by contacting affected users, who confirmed recent breaches contradicting Spotify’s assertion that its systems had not been compromised. The company stated it monitored Pastebin for leaked credentials, verified authenticity, and notified users to reset passwords, but victims reported no proactive communication or password resets from Spotify during the initial breach window.
Affected users faced prolonged account recovery processes, requiring direct contact with customer support to prove ownership and restore access. Some reported difficulties convincing Spotify of their legitimacy, resulting in locked accounts or delayed resolutions. The breach had cascading effects beyond Spotify, as reused credentials led to compromises of other services, including Facebook, Uber, Skype, and bank accounts. Attackers exhibited atypical behavior by actively using hijacked accounts—altering playlists, saving music, and following new content—instead of silently harvesting or reselling credentials. Spotify’s delayed response left users vulnerable for days, with some only receiving password-reset notifications after independently discovering the breach. The incident highlighted risks of credential reuse and gaps in Spotify’s breach detection and user notification protocols, though the exact source of the leaked credentials remained unconfirmed.