How my Spotify got hacked and how I met one of the strangers using it
Saturday evening. Our son has finally fallen asleep. The perfect time to listen to the new St. Vincent album.
I reach for the iPhone, open Spotify and then that!
"You're listening to iPhone de Felipe," the app warns in big letters.
Who the fuck is Felipe*, and what is he doing in my Spotify account?
A few years ago my wife and I used to have the problem that we threw each other out of our shared Spotify account and messed with each other's playlists. Since Spotify introduced family subscriptions, several people can listen to music at the same time, and my wife and I don't get in each other's way anymore.
But what is Felipe doing in my Spotify? Probably an accident, I think, click the warning away and start the St. Vincent album on my phone.
The first song has hardly started, when Felipe gets in the way and the music stops. Instead, he starts listening to Calvin Harris on his phone. I start the St. Vincent album again and only seconds later I can only watch as Felipe takes control again and listens to Calvin Harris.
Retaliation and revenge
Enough! Two can play that game! If he can hijack my account, I can control which music he plays - and how loud. I choose the Müüslilied by Trudi Gerster (a famous Swiss teller of children's stories who happens to also sing strange hippie songs) and turn the volume on Felipe's iPhone to its maximum.
The Müüslilied and the voice of Trudi Gerster do their hoped-for purpose. Felipe gives up, and I can listen to Spotify again undisturbed.
However, the initial amusement about the incident is giving way to a sense of insecurity. How did he get into my Spotify? A look at the settings shows that everything is even worse than expected.
In the list of my family members, who can use our Spotify, I find three other names and e-mail addresses that I have never seen before. I take screenshots and kick everyone out. I change my Facebook password (I log in to Spotify via Facebook). Then I contact Spotify-Support by mail and go to sleep.
Spotify support responds
The next morning I find new strangers in our family list and throw them out. I'm changing my Facebook password again and strongly recommend family members to change their passwords too.
During the course of the day, the Spotify support team contacts me by e-mail. After I have proven myself as the true owner of the account with an old receipt, the account is closed and my data is transferred to a new one. Four days and a few emails later I can listen to music again undisturbed, and everything looks as if nothing ever happened.
Only my questions about the why and origin of the unwanted Spotify visitors are not answered by the support. They don't have access to the necessary information.
What does Spotify say?
As a customer, I would have had to settle for that. As a journalist, I contact Spotify's press office with a detailed list of questions. The streaming service, however, only sends a statement via a German PR agency:
"Spotify was not hacked, and our user data is secure. When we find Spotify credentials on external websites, we first verify that they are authentic. If this is the case, we immediately notify affected users to change their passwords. In addition, all users can contact our customer service or community at email@example.com to report or avoid any fraudulent and/or phishing attempts."
I ask them again if that's really all they are going to say - after all, my case shows that user data is not secure and I wasn't warned either. But there is no new answer.
So I have only one thing left to do: write to the unwanted visitors of my Spotify account. After all, I have their e-mail addresses.
I formulate a friendly mail and wait.
After one day Bhaskar* from Kathmandu answers. He apologizes for using my Spotify. In Nepal, they don't have a Spotify and could only use the service via hacked user accounts. He's very sorry, and he hopes I'm not angry with him. Of course, I'm not. I'm much too curious.
In the course of the following e-mail conversation, he explains to me how easy it is to get log-in data. There are special websites and Facebook pages for this purpose. In the best case scenario, he could use Spotify for up to five days. Then he usually gets thrown out and has to get a new login.
In one of his emails, Bhaskar sends me a screenshot of a section of such a list. It contains Spotify passwords, whether it is a premium or family account and when the monthly payment is due. All data seems up to date. Some payments are due by the end of October, others are due in November. I also see parts of the e-mail addresses required for logging in. Only the names of the email-providers are visible. The names aren't included in the screenshot.
I show the list to a security expert I trust. He can easily find the complete list with a simple Google search on a freely accessible, well-known portal. The list, of which Bhaskar sent me a screenshot of, was published on October 18 and contains 26 user accounts.
The security professional tries out the first three log-ins on the list. The first two won't work. But already the third log-in works. So the list is genuine. There's no doubt about it.
Now that we've found the list, we'll start looking for others. After all, I still don't know how Felipe, Bhaskar, and the others could get into my Spotify account. With a simple search, we find another list from October 13th. It has 50 user accounts on it. Among them my Spotify log-in.
To my surprise, next to my e-mail address used, there is an age-old password that I have completely forgotten. Apparently, I used it to log into my Spotify before I started using Facebook. The password has probably remained active all the time, although I forgot it long ago.
So that's how Felipe, Bhaskar, and Co. got into my Spotify one day after the list was published. I am a little bit relieved that none of my current and relatively long passwords are affected. Nevertheless, I would like to know where all the information on the list comes from. Was Spotify hacked or was another service hacked, and someone tried the log-in data at Spotify? Spotify did not want to comment on this either.
Comfort triumphs - for the time being
I will keep my Spotify account for now and not switch to Apple Music with the whole family. Not least for convenience and because Apple Music does not yet work with third-party services such as Last.fm or Pacemaker. Nevertheless, I wish Spotify would take the security of its customers more seriously.
If lists with current account data circulate on the Internet in such an easily accessible way, all alarm bells should ring at the Swedish streaming primus.
Especially since my problem is by no means an isolated case. There are numerous similar cases on the net and in forums, some of which date back years. Some Spotify users were significantly less fortunate than me and were even locked out of their own accounts by the unwanted visitors.
It is all the more incomprehensible that Spotify does not solve the problem, as it would be easy to avoid all that trouble. It happens every now and then that a web service is hacked. In this case, all passwords are usually reset for security reasons, and you have to create a new one. I've never seen that happen with Spotify.
But there is another solution: almost all major technology companies, web services, and banks use the so-called two-factor authentication. With it, it is not enough to know your e-mail address and password. You must also enter a code, you get sent by SMS, for example. It's high time that Spotify introduced at least that security measure and made security a priority.
Finally, I hope that Spotify will soon be available in Nepal. I now know someone there who would be very happy about it.
*All names have been changed but are known to the editorial staff.
This article was first published in the Swiss newspaper Tages-Anzeiger and was later translated into English for Zeipad.