Several hundred Spotify users have apparently suffered a significant privacy breach, as a list containing their account credentials, including usernames, passwords, and email addresses, has reportedly been posted on a website called Pastebin. Several of the affected users claim that they were compromised a few days ago, while Spotify insists that its popular streaming service was not hacked in any way. As a result, it’s still unknown whether the listed accounts were compromised through social engineering techniques such as phishing or in some other manner.
Apart from the basic account information, the details posted on Pastebin also list the type of each Spotify account and include users based all over the planet. As Spotify suffered similar security breaches in the past, it’s possible this list is actually a result of one of those incidents, especially since the company was usually relatively forthcoming with regard to such issues. On the other hand, at least some of the affected users are claiming the exact opposite and have confirmed that they recently had to work with Spotify customer service in order to recover their accounts. At the moment, the only thing that these victims apparently have in common is that they weren’t proactively contacted by Spotify about the breach, so the company likely wasn’t aware of any current issues, provided they exist and the controversial list wasn’t procured at an earlier point in time. Not unexpectedly, this breach extends beyond Spotify, as many users had a bad habit of reusing their passwords while registering for several other services such as Skype, Facebook, and Uber. At least one of the users listed on Pastebin has even reported a hacked bank account which is allegedly connected with this latest Spotify incident.
Earlier today, the company’s spokesperson claimed that their “user records are secure” and that Spotify is actively monitoring websites such as Pastebin in order to proactively reach potentially compromised accounts. It’s possible that the streaming service is still in the process of verifying the leaked account credentials and is unwilling to comment on the matter until it is resolved internally. As the list was posted on Pastebin last Saturday, April 23rd, the truth of the matter will presumably be revealed soon.