PSA: Spotify Appears to Have Been Hacked

[DooKey]

Over at Reddit there has been message posted that Spotify account emails and passwords have been posted online. I know all of us here would never use the same password for multiple accounts, but if you accidently did and have a Spotify account you might want to go change it on other sites. You can go here to see if you have a user name of email account that has been compromised on a website.

It was posted about an hour ago and I got an email from haveibeenpwned. You can type your spotify email on that site to see if your email and password showed up in that paste, or possibly others. Sure enough my own email and password show up there and now I have to change a ton of passwords on other sites and I'm very angry about it.

 

[Jim Kim]

"I have to change a ton of passwords on other sites and I'm very angry about it."​

I'm very angry that people who use the same password everywhere are allowed to post on reddit.

 

[B00nie]

"I have to change a ton of passwords on other sites and I'm very angry about it."​

I'm very angry that people who use the same password everywhere are allowed to post on reddit.

Reddit is a scum bucket, the most likely place to have such persons.

 

[Dead Parrot]

Two big security misses:
1. The Spotify account holder that was hacked IGNORED the unrequested password change email from Spotify
2. Websites that insist that email addresses are required for account names.

 

[Gweenz]

Two big security misses:
2. Websites that insist that email addresses are required for account names.

This one really bothers me, not for the security reasons, but because it confuses people. Say someone has a gmail account, then they use that account to sign up for Amazon. They don't understand those are two different accounts ("but they're the same email address!") so trying to get a password from them means you're going through the reset process, which becomes pointless because they don't know the password for the email address the recovery is sent to. I guess what I'm really tired of is people and their inability to remember any passwords, then making it my problem.

 

[katanaD]

i wonder if some people got together and paid for a billboard that was in the middle of silicon valley that read

Days since you were last hacked = 0

the number part would not need to change

 

[Spidey329]

Two big security misses:
1. The Spotify account holder that was hacked IGNORED the unrequested password change email from Spotify
2. Websites that insist that email addresses are required for account names.

Number two is why I throw a wrench into the scripts by using Gmail's automatic alias (anything after a +). Basically, [email protected]

These dumps are so big that scripts will process them into profiles for each email (so they have a pattern of passwords) before trying the combos on numerous sites. By making each "email" unique, it becomes just a tad bit less friendly.

At the very least, people should use an easy to remember salt for each site if they're going to reuse some passwords. Example: usualPa$$123 on hardocp.com becomes hausualPa$$123rd (first four of domain, 2 at front, 2 at back). That's not the one I use, btw. But it at least prevents against a bot from gaining access to other sites with it. Sure, a human could spot the pattern given only a few leaks, but these breaches are so large they have to automate it for the low hanging fruit. Added bonus of seeing whose database has been compromised.

 

[Azphira]

 

[ZeqOBpf6]

Number two is why I throw a wrench into the scripts by using Gmail's automatic alias (anything after a +). Basically, [email protected]

These dumps are so big that scripts will process them into profiles for each email (so they have a pattern of passwords) before trying the combos on numerous sites. By making each "email" unique, it becomes just a tad bit less friendly.

At the very least, people should use an easy to remember salt for each site if they're going to reuse some passwords. Example: usualPa$$123 on hardocp.com becomes hausualPa$$123rd (first four of domain, 2 at front, 2 at back). That's not the one I use, btw. But it at least prevents against a bot from gaining access to other sites with it. Sure, a human could spot the pattern given only a few leaks, but these breaches are so large they have to automate it for the low hanging fruit. Added bonus of seeing whose database has been compromised.

This is a truly clever and useful suggestion.

 

[Krazy925]

I didn’t even get the notification that my account had been hacked a month and a half ago until I was completely logged out and booted from my family premium plan.