Spotify is currently sending notices of suspicious-activity detection to various users of its music streaming service. Spotify has not yet said how many people may have had their accounts compromised or targeted by credential stuffing attacks, nor has it given any in-depth explanation of what happened. A representative of the service told TechCrunch that the password resets were simply part of ongoing maintenance efforts and recommended that users not reuse the same credentials across different online services and websites.
I'm not sure what's going on with my Spotify account. Apparently I have two accounts; one of them had its password reset due to "suspicious activity," and that account no longer exists?? And if I try to reset my password on my 2nd account, it says the link is invalid.
— toast on fire (@mysterytoast) May 19, 2019
Does this mean that the credential stuffing scenario is more likely? The statement certainly implies so, but some users claim to have been using unique, strong 50-character passwords. If those claims are truthful, then Spotify itself suffered a breach, and the problem does not lie in its users' password practices. Another unofficial source claims that Spotify's engineers are comparing their own users' credentials against a list of credentials “successfully compromised” on other platforms, and resetting any matches as a precaution. Spotify admitted to this practice back in 2016, but it has not clarified whether the latest password-reset campaign was carried out in the same context.
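The credential-matching practice described above, as an added example that is not Spotify's own code: a provider storing only salted password hashes can still match a leaked e-mail/password pair by re-hashing the leaked password with that account's salt, so reuse across services is detected without plaintext ever being stored, while an account whose password is unique does not match. The user store, the breach dump and the PBKDF2 parameters are constructed for this example.

```python
import hashlib
import hmac
import os

def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; iteration count chosen for the example only
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def make_user(password: str):
    # Each account gets its own random salt, as a real user store would
    salt = os.urandom(16)
    return (salt, hash_password(password, salt))

# Constructed user store: e-mail -> (salt, stored hash). No plaintext is kept.
USERS = {
    "alice@example.com": make_user("Summer2019!"),  # reused on another site
    "bob@example.com": make_user("correct horse battery staple 2019 unique"),  # unique
}

# Constructed "compromised credentials" dump, as leaked from some other service.
LEAKED = [
    ("alice@example.com", "Summer2019!"),  # reused here -> should be reset
    ("bob@example.com", "hunter2"),        # bob's password elsewhere, not reused
    ("carol@example.com", "letmein"),      # not an account on this service
]

def accounts_to_reset(users, leaked):
    """Return the e-mails whose leaked password verifies against the stored hash."""
    flagged = set()
    for email, leaked_pw in leaked:
        record = users.get(email)
        if record is None:
            continue  # the leaked identity is not a user here
        salt, stored = record
        # Constant-time comparison of the re-derived hash with the stored one
        if hmac.compare_digest(hash_password(leaked_pw, salt), stored):
            flagged.add(email)
    return flagged

if __name__ == "__main__":
    print(sorted(accounts_to_reset(USERS, LEAKED)))  # ['alice@example.com']
```

Only the account that reused its leaked password is flagged; an account with a unique password never matches, which is why reports of resets on unique 50-character passwords would not be explained by this check.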
Spotify: We've reset your password owing to suspicious activity on your account. Me: Dying to know whether it was the Cavalli or the Audioslave that caused them concern...
— Alexandra Coghlan (@AlexaCoghlan) May 22, 2019
Most of the users who report receiving the brief message “To protect your Spotify account, we've reset your password due to detected suspicious activity.” are not free users but paying subscribers to one of the premium packages. This tips the scale further towards a Spotify breach, since a credential stuffing attack would be expected to hit accounts in a more random pattern. Given that most of Spotify's users are on the free plan, a stuffing attack should show up predominantly among free accounts, but it does not, so the situation does not fit the profile of a stuffing attack.
@spotifyindia when the hell are you guys going to add 2 factor authentication to Spotify's login? It's 2019 and I'm getting mails saying my password has been reset due to 'suspicious activity'. If it had 2FA I wouldn't need to worry about this.
— Shaykh Abdul (@ShaykhAbdul) May 22, 2019
Whatever really happened, companies should always inform their users responsibly and honestly. Right now, Spotify is helping neither itself nor its users by not disclosing exactly why it decided to reset the passwords of some accounts. Moreover, leaving us to speculate even about the number of people whose passwords were reset further damages the platform's image. Right now, the pieces of the puzzle add up to a breach, and if a breach did not happen, then why not clearly state what did and move on? It is possible that we will never learn the answer.