Spotify Resets Passwords of Accounts Where they Detected Suspicious Activity

By Bill Toulas / May 23, 2019

Spotify is currently sending notices of detection of suspicious activity on various users of their music streaming service. The number of people that may have had their accounts compromised, or targeted in the context of stuffing attacks has not been defined by Spotify yet, and neither have they provided any in-depth clarifications about what happened. A representative of the service has told TechCrunch that the specific password resets were just part of their ongoing maintenance efforts and that they recommend users not to use the same credentials across various online services and websites.

Does this mean that the stuffing attack scenario is more likely? The statement definitely implies this, but then, there are users who claim to have been using unique 50-character powerful passwords. If these claims are truthful, then this means that Spotify suffered a breach, and the problem does not lie in the password setting practices of their users. Another unofficial source claims that Spotify’s engineers are comparing their own users’ credentials against a list of “successfully compromised” credentials on other platforms, and they are resetting any matches as a precautionary measure. Spotify admitted this practice back in 2016, but they have not clarified if this latest password resetting campaign is done in the same context.

Most of the users who report having received the brief message that says “To protect your Spotify account, we've reset your password due to detected suspicious activity.” are not free users, but instead pay for a kind of a premium subscription package. This further leans the scale towards the possibility of a Spotify breach, as stuffing attacks would potentially have a more randomized pattern. Considering that most of Spotify’s users are using the free plan, this fact would be boldly underlined by associated statistics, but it isn’t, so the situation isn’t fitting with the possibilities for a stuffing attack.

Whatever really happened, companies should always inform their users with responsibility and honesty. Right now, Spotify is helping neither themselves nor their users by not disclosing exactly why they decided to reset account passwords of some of them. Moreover, leaving us to speculate about it, even for the number of people who had their passwords reset is further worsening the image of the platform. Right now, the pieces of the puzzle add up for a breach, and if a breach didn’t happen, then why not clearly state what happened and move on? It is possible that we will never get to know the answer to that.

Have something to say on the above? Feel free to share your views with us in the comments down below, and also on our socials, on Facebook and Twitter.

For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: