When a hack is not a hack

TechCrunch reported last week that the streaming music service Spotify suffered a security breach. A list containing hundreds of account credentials, including emails, usernames, passwords and other account details, appeared on the website Pastebin on April 23. If you’re a Spotify user, you will likely want to change your password.

Some Spotify users noticed suspicious activity on their accounts, such as deleted playlists and unfamiliar songs in their listening history, and one user even got locked out during a streaming session.

However, Spotify denied the allegations in a statement: “Spotify has not been hacked and our user records are secure. We monitor Pastebin and other sites regularly. When we find Spotify credentials, we first verify that they are authentic, and if they are, we immediately notify affected users to change their passwords.”

If the company did not in fact experience a breach, how can this activity be explained?

The answer: poor password security on the part of the consumer. While companies have a responsibility to maintain a user’s security, consumers are equally responsible for the security of their online accounts. Many consumers reuse the same login credentials (username and password) across multiple sites. Cyber criminals may steal data from one site and find that the same credentials work on other sites. This is likely the case with the recent Spotify incident.
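The verify-then-notify step in Spotify's statement, sketched as an added example (not Spotify's code, and not from the original post): leaked pairs from a paste are checked against the service's own salted password hashes, and only accounts where the reused password still works are flagged. The function names, the PBKDF2 parameters and the sample accounts are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this example

def hash_password(password: str, salt: bytes) -> bytes:
    """Derive the stored verifier with salted PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_user_store(accounts: dict) -> dict:
    """Build a constructed user table: email -> (salt, password hash)."""
    store = {}
    for email, password in accounts.items():
        salt = os.urandom(16)
        store[email.lower()] = (salt, hash_password(password, salt))
    return store

def parse_paste(text: str):
    """Yield (email, password) from 'email:password' lines, skipping junk."""
    for line in text.splitlines():
        email, sep, password = line.strip().partition(":")
        if sep and "@" in email and password:
            yield email.lower(), password

def accounts_to_notify(paste: str, store: dict) -> list:
    """Return emails whose leaked password matches our stored hash."""
    hits = set()
    for email, password in parse_paste(paste):
        record = store.get(email)  # None when the address is not our user
        if record and hmac.compare_digest(hash_password(password, record[0]), record[1]):
            hits.add(email)  # credential is live: force a reset and notify
    return sorted(hits)

# Constructed sample data: no real accounts or passwords.
STORE = make_user_store({
    "alice@example.com": "Summer2016!",                # reused on another site
    "bob@example.com": "x9$Lq-unique-to-this-site",    # unique to this service
})
PASTE = """\
alice@example.com:Summer2016!
bob@example.com:Summer2016!
carol@example.net:hunter2
not a credential line
"""

print(accounts_to_notify(PASTE, STORE))
```

Only the account whose password was reused elsewhere is flagged; the account with a unique password appears in the paste but the leaked pair does not work against it.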

And Spotify isn’t the first company to get called out in the media for lost credentials due to users’ poor password habits. Both Uber and PayPal have had account information compromised in the past few months.

For advice on how to create strong passwords, check out our blog post on the topic here.