Breaking: Spotify User Account Information Exposed Again, Account Takeovers Underway

April 26, 2016

Recently, hundreds of users of the music-streaming service Spotify have had their usernames, passwords and other account details posted on the online text repository Pastebin. The presence of the list on Pastebin, first reported by Techcrunch, could indicate Spotify has been breached. It could also be a remnant of a similar episode last November that saw information from more than 1,000 of the music-streaming service’s accounts posted publicly.

For its part, Spotify insisted in a statement emailed to Techcrunch that it “has not been hacked” and its “user records are secure.” The company said it regularly monitors Pastebin and other sites where hackers post stolen information and notifies users when Spotify credentials are found and verified. When contacted by Techcrunch, several users reported that Spotify had informed them the emails associated with the accounts had been changed, and others said playlists had been deleted or unfamiliar music had been saved to their device.

Whether the company has been hacked or the credentials posted on Pastebin were obtained in some other way, unauthorized individuals have control of potentially hundreds of Spotify accounts. This is only the most recent example of account takeover fraud—a type of fraud occurring with much more frequency over the past 12 to 18 months (including well-publicized episodes at Starbucks and Neiman Marcus). And, while the result of the takeovers so far at Spotify has been more nuisance than anything else, fraudsters increasingly are targeting the accounts of retailers, gaming sites, travel sites and more, where they can drain stored value or use the legitimate credit card attached to the account to make purchases they send to different addresses.

The problem is becoming so pervasive that a special panel discussion at the CNP Expo will be devoted entirely to account takeover fraud.