Cyber Incident Victim: Spotify
Date:
Nov 2015
Location:
Russia
Summary
Hundreds of user accounts from a music streaming service were compromised, with over a thousand email addresses and passwords leaked publicly following an apparent breach. Affected users reported being locked out of their accounts, with some tracing the compromised credentials to an address hosted in Russia. The company denied any system intrusion, attributing the leak to reused credentials from a prior third-party incident rather than their own infrastructure. Multiple victims stated they received no proactive notification about the compromise, only learning of the issue after personally contacting support when discovering unauthorized access. The attacker's identity and motives remained unclear, with no explanatory preamble accompanying the leaked data.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
In early November 2015, over one thousand Spotify user email addresses and passwords were leaked publicly following an apparent hack. Multiple victims confirmed the breach to Newsweek, reporting unauthorized access to their accounts between late October and early November. One user stated he was locked out of his account for three days, while another traced their compromised credentials to an email address hosted in Russia—a region historically associated with large-scale credential theft operations. The attacker publicly released the credentials without providing any motive or explanatory statement, diverging from typical "doxxing" practices where hackers often justify their actions. Spotify’s 20 million subscribers received no official blog posts or public announcements about the breach during the first eight days following the leak. Several affected users reported that Spotify did not proactively notify them of the compromise; they only discovered the issue through personal account irregularities or external reports, with one victim noting Spotify’s communications framed the incident as an isolated case rather than part of a broader attack.
Spotify denied any breach of its systems in an official statement to Newsweek, asserting that "user records are secure" and attributing the compromised credentials to "a well known past leak on another service." The company emphasized that credential reuse across multiple services created the vulnerability, urging users who suspected compromise to change passwords immediately. Spotify acknowledged conducting regular checks for credential leaks on third-party platforms to identify potentially affected accounts and advise password resets. Despite this outreach mechanism, multiple victims claimed they received no direct notifications from Spotify about the incident. The company directed concerned users to third-party verification tools like HaveIBeenPwned.com or to contact Spotify support directly. No technical details regarding the attack vector, scope beyond the leaked credentials, or identity of the threat actor were disclosed by either Spotify or investigators referenced in the report.