BreachExchange mailing list archives
Has Spotify been hacked? Firm denies breach as thousands of alleged passwords leak
From: Destry Winant <destry () riskbasedsecurity com>
Date: Wed, 24 May 2017 23:58:04 -0500
http://www.ibtimes.co.uk/has-spotify-been-hacked-firm-denies-breach-thousands-alleged-passwords-leak-1623159

On 22 May, a little-known hacking collective using the name "Leak Boat" released what they purported to be over six thousand usernames and passwords from Spotify, one of the world's most popular music streaming services. The Swedish firm has denied being breached.

The Leak Boat hacking group, which is using a Twitter account with the handle @SecTeamSix, initially claimed the trove of credentials amounted to 9,000 records. However, upon inspection it included 6,410 entries. All appeared to be linked to Spotify's free subscription option.

Yet not everyone was convinced Spotify had actually been compromised or "hacked." Troy Hunt, a security expert who manages breach notification service 'Have I Been Pwned' <https://haveibeenpwned.com/>, said in response to initial reports the leaked credentials were likely taken from breaches of other services.

When tested on the official Spotify sign-up page, a chosen sample of twenty usernames contained in the alleged leak were not available for use. IBTimes UK did not log in to any accounts.

When contacted, a spokesperson for Spotify stressed that no new "hack" had taken place. The firm said in a statement:

"Spotify has not experienced a security breach and our user records are secure. We do however pay attention to breaches of other services, and take steps to help our users secure their Spotify accounts when those occur.

"Many people use the same login and password combination for multiple services. Therefore, we review sites for leaked user credentials which might be used to access Spotify. Having become aware of such a security breach, Spotify's security team identified that some of the leaked user credentials might correspond to Spotify accounts.

"We take a proactive approach to security and have reset all of the relevant passwords and sent the customers an email asking them to create a new one."

For anyone concerned their email addresses or passwords may have been leaked online, you can search Hunt's service free-of-charge. If your details – likely collated from huge breaches such as Dropbox, MySpace and Twitter – appear online it is highly advised to change them.

In February 2016, hundreds of alleged Spotify Premium account details were posted online <http://www.ibtimes.co.uk/spotify-premium-hack-leaked-data-exposes-hundreds-compromised-account-details-1544845> by a PasteBin user with name 'Drakia12'. It followed a similar incident in November 2015, when over 1,000 emails and passwords <http://www.newsweek.com/hundreds-spotify-accounts-leaked-apparent-hack-last-week-392696?webSyncID=3d8ca4ea-643d-4008-83c4-b0be5bd7eeeb&sessionGUID=593b285d-1517-1367-70bc-485cba495eed> from the streaming service were released into the wild. In all prior cases, Spotify maintained its core service was not breached by hackers.