Spotify Forces Users to Change Passwords After Detecting 'Suspicious Activity'
According to the official filings, Spotify has around 217 million monthly active users, and of them, close to 100 million are Spotify Premium subscribers. All these people trust the streaming platform to give them quick and easy access to a humongous collection of music from different genres and eras, and the fact that it continues to be the most widely used service of this kind shows that on that front, it's doing a good job. Spotify is also responsible for keeping the data of all these people safe, however, and users are only right to expect that, should something go wrong, they will be informed about all the details. Someone apparently thinks that they are asking too much.
Before we see what's going on at the moment, we need to make one thing clear – Spotify accounts get hacked all the time, and there's a very good reason for this. Despite security experts' advice, people continue to pick weak, easy-to-guess passwords and to reuse the same password across services. Every time one of those other services is breached, the leaked email-and-password pairs get tried against Spotify, and a meaningful fraction of them still work. As a result, large lists of valid Spotify login credentials are easy to obtain, and people's accounts get compromised day in, day out.
Recently, however, many users took to social media to complain about an email they had received from Spotify, which suggests that we're in the middle of a more active campaign targeting the streaming giant's subscribers.
Spotify sees "suspicious activity"
We couldn't find an actual screenshot of the email, but judging by what people are sharing, the notification isn't exactly detail-rich. Apparently, all affected users learn is that their passwords have been reset because of "suspicious activity" detected on their accounts. Some of you might approve of the way Spotify is handling the problem. Instead of waiting for users to get locked out of their accounts, the streaming service is proactively resetting the passwords, which, in theory, cuts off whoever is holding the old ones.
At the same time, however, the complete lack of details is not exactly impressive. Some people even doubted the legitimacy of the notifications and turned to Twitter to confirm that the email really was coming from Spotify. That doubt is reasonable: a vague message telling you your password has been reset is exactly what a phishing email looks like, which is one more reason a notification like this should say what happened and what the user should do next.
Zack Whittaker from TechCrunch wanted to know more as well. He reached out to the streaming platform and was told, in a rather brief statement, that while they were performing some standard checks, Spotify's security team noticed some unusual data and decided to reset the affected accounts' passwords "as a precaution". A spokesperson also advised people to stop reusing passwords.
Based on that information, the most plausible explanation is that Spotify users are being subjected to a relatively large-scale credential stuffing attack: attackers taking username-and-password pairs leaked from other services and trying them against Spotify's login. Whittaker poked around some more, however, and was not entirely convinced.
Was it really a credential stuffing attack?
As TechCrunch's report notes, some of the affected users claim that they used unique login credentials for their Spotify accounts. If that's true, credential stuffing can't explain those cases: a password that was never used anywhere else can't have been leaked from another service's breach.
A couple of years ago, Spotify was also resetting passwords in an attempt to keep people's accounts safe. It was doing it because its security team found that some of its users' credentials had been leaked into the wild after data breaches at other services. People think that the same thing might be happening right now, but the lack of details means that this is all speculation. Zack Whittaker asked for additional information, but he received no response, and Spotify has not released any sort of official statement. For now, the reason for the password reset campaign remains a mystery.
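Credential stuffing has a recognisable shape in server-side login telemetry: one source hammering many different accounts in a short window, with a low success rate. The objection raised above, users with unique passwords who were reset anyway, is precisely the case such a detector must not conflate with it. The following Python is an added example, not Spotify's code or anything from the TechCrunch report; the log format, the IP addresses, the usernames and the thresholds are all assumptions constructed for illustration.

```python
"""Toy credential-stuffing detector run over constructed login-log lines."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Constructed sample log lines for this example (not from Spotify or any real system).
# One source tries eight different accounts in eleven seconds and gets one hit (carol);
# a legitimate user fat-fingers once and then logs in; ivan logs in once, cleanly.
SAMPLE_LOG = """\
2019-05-20T10:00:01Z ip=203.0.113.7 user=alice result=fail
2019-05-20T10:00:03Z ip=203.0.113.7 user=bob result=fail
2019-05-20T10:00:05Z ip=203.0.113.7 user=carol result=ok
2019-05-20T10:00:06Z ip=203.0.113.7 user=dave result=fail
2019-05-20T10:00:08Z ip=203.0.113.7 user=erin result=fail
2019-05-20T10:00:09Z ip=203.0.113.7 user=frank result=fail
2019-05-20T10:00:11Z ip=203.0.113.7 user=grace result=fail
2019-05-20T10:00:12Z ip=203.0.113.7 user=heidi result=fail
2019-05-20T10:05:00Z ip=198.51.100.2 user=alice result=fail
2019-05-20T10:05:20Z ip=198.51.100.2 user=alice result=ok
2019-05-20T10:07:00Z ip=192.0.2.9 user=ivan result=ok
"""


@dataclass
class Attempt:
    ts: datetime
    ip: str
    user: str
    success: bool


def parse_line(line: str) -> Attempt:
    """Parse one assumed 'timestamp key=value key=value ...' line into an Attempt."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return Attempt(ts, kv["ip"], kv["user"], kv["result"] == "ok")


def parse_log(text: str) -> List[Attempt]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect_stuffing(attempts: List[Attempt],
                    window: timedelta = timedelta(minutes=5),
                    min_users: int = 5,
                    max_success_ratio: float = 0.25) -> Dict[str, Set[str]]:
    """Return {ip: usernames that IP touched} for every source IP that, inside any
    `window`-long span, tried at least `min_users` distinct accounts with a success
    ratio at or below `max_success_ratio`. Thresholds are illustrative assumptions."""
    by_ip: Dict[str, List[Attempt]] = defaultdict(list)
    for a in attempts:
        by_ip[a.ip].append(a)

    flagged: Dict[str, Set[str]] = {}
    for ip, atts in by_ip.items():
        atts.sort(key=lambda a: a.ts)
        start = 0
        for end in range(len(atts)):
            # Slide the window forward until it spans at most `window`.
            while atts[end].ts - atts[start].ts > window:
                start += 1
            win = atts[start:end + 1]
            users = {a.user for a in win}
            ratio = sum(a.success for a in win) / len(win)
            if len(users) >= min_users and ratio <= max_success_ratio:
                flagged[ip] = {a.user for a in atts}
                break
    return flagged


def accounts_to_reset(attempts: List[Attempt], flagged: Dict[str, Set[str]]) -> Set[str]:
    """Accounts a flagged source actually got into: candidates for a precautionary reset."""
    return {a.user for a in attempts if a.ip in flagged and a.success}


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    hits = detect_stuffing(parsed)
    print("stuffing sources:", sorted(hits))
    print("reset candidates:", sorted(accounts_to_reset(parsed, hits)))
```

Run against the constructed log, only 203.0.113.7 is flagged and only carol, the one account it got into, is a reset candidate. alice's single retry from her own address and ivan's lone clean login show no stuffing signature at all, so a detector of this kind gives no reason to reset them. That is the gap TechCrunch is pointing at: if accounts with unique, unreused passwords were reset, something other than this pattern was behind it, and the notification did not say what.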
It's high time Spotify introduces two-factor authentication
Speaking of mysteries, it really is hard to fathom how, in 2019, a major online service with hundreds of millions of users doesn't support any form of two-factor authentication (2FA). The company itself admits that it's in an ongoing battle with fraudsters, and yet when it comes to the one measure that would blunt credential stuffing outright, since a reused or leaked password on its own would no longer be enough to log in, it seems inexplicably reluctant.
It's not like they don't know what 2FA is. Everybody does, and people have been urging Spotify to introduce it for years. Despite this, at the time of writing, the idea, as posted on Spotify's official forums, is still classified as "Under Consideration". We're not sure what they are working on at the moment, but the events described above suggest that someone at Spotify's HQ might need to reorder their priorities.