Hacking group The Leak Boat released the details of up to 9,000 Spotify accounts on Monday in a Twitter announcement. The published list contains at least 6,400 usernames and passwords from across the world, with many logins still working.

The Leak Boat is previously known for its release of various celebrity photographs, as well as user info from various websites. Earlier in the day, the team announced plans to start a “Lulzpocolyse”, later referring to it as a Leakpocolypse.

Shortly afterward, it dumped the passwords of 26 Wizard 101 accounts, an online, free to play browser game. In reference to the leaks, the account said the following:

https://twitter.com/SecTeamSix_/status/866876972839747584

Those on the list are advised to change their password immediately, as well as any other accounts that use those credentials. The details will quickly be passed around and tried with various other sites, so pay particular attention to those with the same username or email.

Spotify Compromise, or Brute-force Attack?

Though the first assumption may be to assume a fault with Spotify, that may not be the case. Attackers often try a brute-force attack, using an automated system to try thousands of different passphrases.

When combined with known usernames, this can be a very effective method when people have an insecure password. Looking at the list, many of them are short, easily guessable, and have minimal numbers. Now is a good time to review password practices for various accounts.

The Leak Boat has promised more to come, including the nude images of ten more celebrities. Confirmed to be among them is Kristanna Loken, star of Terminator 3. The account will allegedly reveal more at 600 followers.

You can check if your Spotify account is compromised here.