Feel Like Someone Hacked Your Spotify Account? — You’re Not Alone

Is your Spotify account hacked, playing music in another language or on other devices? You’re not alone.

Since 2017, reports of Spotify accounts being hacked have risen. The phrase ‘Spotify hack’ makes readers think Spotify is part of some data breach, similar to Equifax. The reality is that these accounts holders have either shared their account info with other users willingly – or re-used their passwords carelessly and found their accounts compromised as a result.

Here’s how users typically end up with a ‘hacked’ Spotify account.

“Oh wow, Spotify is offering a three-month free trial,” you notice, scrolling through your Facebook feed. You click through the ad and sign-up using your Facebook account, re-using a familiar password. Six months from now, you notice smooth jazz playing in the evenings when you prefer sad trap mixes. Wtf?

You quickly check your Spotify account device history. Lo and behold – some ‘hacker’ is now listening to Miles Davis on his Amazon Echo. “I don’t even own an Amazon Echo,” you think. Someone hacked my Spotify account becomes the logical conclusion for many.

Let me stop you right there, though. The reality is that a re-used password got leaked on a site like Pastebin. People are constantly monitoring these sites for email/password combination dumps in plaintext. Spotify knows that – they’ve periodically reset passwords citing ‘suspicious activity.’

This Spotify dump matches emails with leaked passwords and shows their Spotify account level.

To get technical, this is called a credential stuffing attack. It takes a known email and password combination and tries it on popular services to check for password re-use.

This is the number one reason why you should never re-use your passwords. Several large sites like LinkedIn, Adobe, and Yahoo have suffered significant data breaches. Re-using the same password for Spotify leaves users vulnerable to credential stuffers. These credential leaks are incredibly common and are effective because password re-use is so prevalent.

Since 2019, the website Have I Been Pwned has monitored over 20 pastes that include Spotify user data. Pastebin removes these pretty quickly, but Spotify hackers have tools that run through these pastes at the speed of light.

Snagging a successful email/password paste can net hundreds of live premium accounts. These accounts are then sold on dark web forums for as little as $0.21 per account.

Spotify deserves some of the blame for this – the service does not support two-factor authentication. Two-factor authentication (2FA) would prevent someone from connecting to a Spotify account without explicit permission from the owner. Until Spotify offers 2FA, it is up to users to protect themselves.

How to Secure Spotify Account After a Breach

If you’ve experienced weird music showing up on your device, you may have a breach. Here’s how you can protect yourself and remove the ‘hacker’ from accessing your Spotify account.

Change your Spotify password to something unique. (Use a password manager, every single site needs a unique password to prevent credential stuffing attacks.) Open your Spotify account page and choose ‘logout everywhere.’ (Note: Spotify says this will not affect partner devices like Sonos or PlayStation. You’ll need to follow those device manufacturer’s instructions to logout.) Login to Spotify with your new password AND NEVER USE IT ANYWHERE ELSE.

Hacked Spotify Accounts Hurt The Music Industry

The algorithm-driven future of the music industry is ripe for exploitation. Rapper French Montana was recently busted buying fake Spotify streams to promote one of his songs. Spotify botters may buy up those cheap Spotify premium email and password combos sold on the dark web. Those accounts’ listening habits seem organic since they are still active and contain the original owner’s preferences.

That makes these paid streams are harder to spot for Spotify vs. new account play spam. French Montana’s exploit fell through because he only bought streams on Spotify, making the deception easy to spot. But such deception and algorithm gaming is exactly why people like Neil Young hate music streaming in the first place.