Naked Security

Is your Spotify password up to scratch?

If you’re among the 140 million users who enjoy streaming music from Spotify, you might want to make sure you have a strong password.

If you’re among the 140 million users who enjoy streaming music from Spotify – especially if you are one of its 60 million paying customers for “premium” services – you might want to make sure you have a strong, long and unique password on your account. If not, you could be letting cybercriminals into your account.
Collective Labs’ Ryan Jackson came across a brute force hacking tool called Spotify Cracker v1 last month, which automatically cycles through known username and password combinations and breaks into Spotify accounts that use those credentials.
17-year-old Jackson, who reportedly has a history of involvement with hacking groups New World Hackers and Lizard Squad, (“while never participating in their antics”), told the International Business Times (IBT) that he found the tool on a private server on Discord – a popular, free online communications platform used primarily by gamers.
And given current Spotify login security protocols – the company doesn’t use CAPTCHAs or offer two-factor authentication (2FA) – it doesn’t meet much resistance. Without mechanisms to lock down an account after a certain number of incorrect password guesses, a brute force attack can simply keep guessing until it is successful.


Hackers can easily collect login credentials – email addresses and passwords – that have been compromised from other breaches and are available on dark web marketplaces, sometimes for free, and then plug in those credentials to find a Spotify account associated with them.
Jackson tried it himself. He found a collection of emails and passwords on Pastebin – the anonymous service that lets people host text for free – and said that it took him about 15 minutes to break into 100 accounts using the tool. He said someone could simply let the tool run all night and wake up to another 20,000 compromised accounts.
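The two defences the article says Spotify lacked, a lockout after a fixed number of wrong guesses and some way of slowing a single source that hammers the login endpoint, are straightforward to express in code, and so is the server-side signal that a credential-stuffing run leaves behind: one source failing against many different accounts. The example below is added here and is not Spotify's code or the cracking tool described above; the `LoginGuard` class, the log format and the log lines are all constructed for illustration, with the thresholds chosen arbitrarily.

```python
# Added example, not Spotify's code: per-account lockout plus per-source
# throttling for a login endpoint, and a detector that flags the
# credential-stuffing pattern (one source, many distinct failing accounts)
# in constructed authentication log lines.
from collections import defaultdict
from dataclasses import dataclass, field
import re


@dataclass
class LoginGuard:
    max_failures: int = 5          # wrong guesses per account before lockout
    lockout_seconds: int = 900     # how long the account stays locked
    ip_limit: int = 20             # failed attempts per source IP per window
    window_seconds: int = 60
    _account_failures: dict = field(default_factory=lambda: defaultdict(list))
    _ip_failures: dict = field(default_factory=lambda: defaultdict(list))
    _locked_until: dict = field(default_factory=dict)

    @staticmethod
    def _prune(events, now, horizon):
        return [t for t in events if now - t < horizon]

    def attempt(self, username, password_ok, source_ip, now):
        """Return one of 'ok', 'denied', 'locked' or 'throttled'."""
        # The source throttle is checked first, so a run that spreads its
        # guesses across many accounts (as a stuffing tool does) is still slowed.
        ip_hist = self._prune(self._ip_failures[source_ip], now, self.window_seconds)
        self._ip_failures[source_ip] = ip_hist
        if len(ip_hist) >= self.ip_limit:
            return "throttled"
        # A locked account refuses even the correct password until the lockout expires.
        if self._locked_until.get(username, 0) > now:
            return "locked"
        if password_ok:
            self._account_failures[username] = []
            return "ok"
        # Record the failure against both the account and the source.
        acct_hist = self._prune(self._account_failures[username], now, self.lockout_seconds)
        acct_hist.append(now)
        self._account_failures[username] = acct_hist
        ip_hist.append(now)
        if len(acct_hist) >= self.max_failures:
            self._locked_until[username] = now + self.lockout_seconds
            return "locked"
        return "denied"


# Constructed log lines: "<timestamp> <source ip> <OK|FAIL> <username>".
SAMPLE_LOG = """\
2017-12-01T02:00:01 203.0.113.7 FAIL alice@example.com
2017-12-01T02:00:02 203.0.113.7 FAIL bob@example.com
2017-12-01T02:00:03 203.0.113.7 FAIL carol@example.com
2017-12-01T02:00:04 203.0.113.7 FAIL dave@example.com
2017-12-01T02:00:05 203.0.113.7 FAIL erin@example.com
2017-12-01T02:00:06 203.0.113.7 OK frank@example.com
2017-12-01T02:00:07 203.0.113.7 FAIL grace@example.com
2017-12-01T02:03:10 198.51.100.9 FAIL carol@example.com
2017-12-01T02:03:25 198.51.100.9 FAIL carol@example.com
2017-12-01T02:03:40 198.51.100.9 OK carol@example.com
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (OK|FAIL) (\S+)$")


def detect_stuffing(log_text, min_users=5, min_fail_ratio=0.8):
    """Flag source IPs that fail against many distinct accounts.

    A legitimate user who mistypes a password fails on one account; a stuffing
    run fails on many, because most leaked credential pairs do not match."""
    per_ip = defaultdict(lambda: {"fail": 0, "total": 0, "users": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the detector
        _, ip, result, user = m.groups()
        stats = per_ip[ip]
        stats["total"] += 1
        if result == "FAIL":
            stats["fail"] += 1
            stats["users"].add(user)
    flagged = {}
    for ip, stats in per_ip.items():
        ratio = stats["fail"] / stats["total"]
        if len(stats["users"]) >= min_users and ratio >= min_fail_ratio:
            flagged[ip] = {"distinct_users": len(stats["users"]), "fail_ratio": round(ratio, 2)}
    return flagged


def demo_lockout():
    """Five wrong guesses lock the account; the right password is then refused too."""
    guard = LoginGuard()
    results = [guard.attempt("alice@example.com", False, "203.0.113.7", now=t) for t in range(5)]
    results.append(guard.attempt("alice@example.com", True, "203.0.113.7", now=5))
    return results


def demo_throttle():
    """One source failing against different accounts hits the per-IP limit."""
    guard = LoginGuard(ip_limit=3)
    return [guard.attempt(f"user{i}@example.com", False, "203.0.113.7", now=i) for i in range(4)]


if __name__ == "__main__":
    print(demo_lockout())
    print(demo_throttle())
    print(detect_stuffing(SAMPLE_LOG))
```

The lockout and throttle are deliberately separate: a per-account lockout alone does nothing against a tool that tries each leaked pair once and moves on, while a per-source limit alone is easy to dilute across many addresses, which is why the detector also looks at the ratio of failures to distinct accounts rather than at volume alone.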
Spotify, based in Sweden, didn’t respond to a request for comment, but IBT reported that the company said it had not been breached and that, “our user records are secure.” A spokesperson added:

We do however pay attention to breaches of other services, and take steps to help our users secure their Spotify accounts when those occur, because many people use the same login and password combination for multiple services. Therefore, we review sites such as Pastebin and others for leaked user credentials which might be used to access Spotify.

The company didn’t respond to questions about whether any of those “steps” would include adding more robust security features to its login process.
Still, its lack of login security, even after Collective notified it about Spotify Cracker, has prompted some well-deserved criticism, such as the following tweet from high-profile security blogger Brian Krebs:


CAPTCHAs and 2FA aren’t cutting edge – they’re basic security hygiene that any company with 140 million users ought to have in place.
Until that changes, it’s up to users to protect themselves.
Which means making sure your password is complicated and robust, and not using the same one for any other online account. Here’s a quick video on how to pick a good one:


5 Comments

I suspect that a lot of people use Facebook OAuth to login to Spotify.
Spotify pushes it very heavily. It would be interesting to know the % that use FB to logon.


I had my Spotify account compromised. I use Facebook OAuth, but my Spotify account also had its own username and password associated with it, a very old one and not very strong! I noticed because my “Discover Weekly” playlist (Spotify recommends tracks to listen to based on your recent listening patterns) was filled with Grime music, and I’d get weird disconnects. I changed all my passwords except my Spotify password, as I didn’t know this existed because I always used Facebook OAuth, and it still happened.
I eventually did a forgotten password on my Spotify account and changed that password, and it stopped happening. Luckily the hacker didn’t change my password and lock me out; I think he just wanted to get Spotify Premium without paying! I was just left with awful Discover Weekly playlists, and my “Look Back on 2017” playlist was just as bad! I would imagine there are others out there who don’t realise their Spotify account has a separate password associated with it, and not just Facebook OAuth!


And what exactly would cybercriminals do after hacking into my free Spotify account – apart from gain access to my extremely uncool playlists? This is one of the sites I deem ultra-low-sec-password required, hence I use a very simple, easily-remembered password – the same one I use on lots of other “so-what?” sites. I’m sure someone will explain what the big issue is here. If I had a paid account linked to my bank that would be different.


I’m in two minds over this. What you’re doing is in line with recommendations from Microsoft Research, who dig deep into password security and what actually works and what doesn’t in the real world. They agree: use simple and easy to remember passwords for “so-what?” sites.
The biggest risks are probably: that you reuse a password from a “so what?” account with another account that’s more important to you; that you forget to make your password stronger if you later upgrade a “so-what?” account to something with PII or credit card data attached to it; that you open yourself up to social engineering attacks or better password guessing attacks by giving criminals access to private, non-PII data.
I prefer to use the principle of least privilege. I could sit here imagining what a crook might do with my “so-what?” accounts, but they have more time and more incentive to figure that out. There’s a risk I’ve missed something, or that things will change in future and I won’t adapt appropriately.
You can remove those risks using a password that the crooks stand no chance of cracking – which in an online brute force attack probably only needs to have about six characters (see https://nakedsecurity.sophos.com/2014/10/24/do-we-really-need-strong-passwords/).
Since I use a password manager there’s actually no additional cost to me using a password that the crooks stand almost no chance of cracking even if they steal the password database and use specialist cracking hardware, which needs about 14 characters.
