Music streaming giant Spotify has notified an unspecified number of users that the company has reset their account passwords, but has left dozens of users asking why.
In an email, some Spotify users were told their password was reset "due to detected suspicious activity," but the email gave no further details.
Anyone else getting emails from Spotify about suspicious activity? No compromise, at least not on my account, just seems to be getting hammered
— Chris Barsby (@Barsbeh) May 16, 2019
Suspicious activity detected on my Spotify account. 🤷🏻♀️
— NK (@NonoGerrard) May 21, 2019
Spotify just reset my password due to 'suspicious activity'. Did someone hack in to listen to Justin Bieber or something?
— P13 (@apaulothirteen) May 16, 2019
When reached, Spotify spokesperson Peter Collins said: "As part of our ongoing maintenance efforts to combat fraudulent activity on our service, we recently shared a communication with select users to reset their passwords as a precaution. As a best practice, we strongly recommend users not to use the same credentials across different services to protect themselves."
In other words, Spotify is describing a credential stuffing attack, in which attackers take lists of usernames and passwords exposed in breaches of other sites and replay them, at scale and usually from automated tooling, against accounts on unrelated services, banking on the fact that many people reuse the same password everywhere.
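One way a service can spot the pattern described above in its own authentication logs, as an added example that is not part of the original article and not Spotify's code: group login attempts by source address and flag sources that try many distinct usernames with a high failure rate, while a single user mistyping their own password is left alone. The log lines, format and thresholds below are constructed for the example.

```python
from collections import defaultdict

# Constructed sample authentication log, one event per line:
# "<timestamp> <source_ip> <username> <OK|FAIL>". These lines and this
# format are made up for the example; they are not Spotify's logs.
SAMPLE_LOG = """\
2019-05-16T10:00:01Z 203.0.113.7 alice FAIL
2019-05-16T10:00:01Z 203.0.113.7 bob FAIL
2019-05-16T10:00:02Z 203.0.113.7 carol OK
2019-05-16T10:00:02Z 203.0.113.7 dave FAIL
2019-05-16T10:00:03Z 203.0.113.7 erin FAIL
2019-05-16T10:00:03Z 203.0.113.7 frank FAIL
2019-05-16T10:00:04Z 203.0.113.7 grace FAIL
2019-05-16T10:00:04Z 203.0.113.7 heidi FAIL
2019-05-16T10:01:00Z 198.51.100.5 alice FAIL
2019-05-16T10:01:10Z 198.51.100.5 alice FAIL
2019-05-16T10:01:20Z 198.51.100.5 alice OK
2019-05-16T10:02:00Z 192.0.2.44 bob OK
"""


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append({"ts": ts, "ip": ip, "user": user, "ok": result == "OK"})
    return events


def find_stuffing_sources(events, min_distinct_users=5, min_fail_ratio=0.7):
    """Return {ip: stats} for source IPs whose attempts look like credential
    stuffing: many *different* usernames from one source, most of them
    failing. A legitimate user retrying one password produces repeated
    failures for a single username and is not flagged. Thresholds are
    illustrative assumptions, not values from the article."""
    per_ip = defaultdict(
        lambda: {"users": set(), "attempts": 0, "failures": 0, "successes": []}
    )
    for e in events:
        s = per_ip[e["ip"]]
        s["users"].add(e["user"])
        s["attempts"] += 1
        if e["ok"]:
            s["successes"].append(e["user"])
        else:
            s["failures"] += 1

    flagged = {}
    for ip, s in per_ip.items():
        fail_ratio = s["failures"] / s["attempts"]
        if len(s["users"]) >= min_distinct_users and fail_ratio >= min_fail_ratio:
            flagged[ip] = {
                "distinct_users": len(s["users"]),
                "fail_ratio": round(fail_ratio, 2),
                # Accounts the flagged source logged into successfully: the
                # natural candidates for a forced password reset. This is a
                # heuristic; a success behind a shared NAT could still be a
                # legitimate login and deserves a second signal before action.
                "compromised": sorted(s["successes"]),
            }
    return flagged


if __name__ == "__main__":
    for ip, stats in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(ip, stats)
```

The distinct-username count is what separates stuffing from ordinary password guessing or a forgetful user: a stuffing run spends one or two attempts per account and moves on, so per-account lockouts never trigger and only a per-source view reveals it.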
We contacted several people who received the password reset email. Some used the same password across different sites, and some used passwords unique to Spotify. Two people who commented on this Hacker News thread also said their passwords were unique, casting doubt on whether credential stuffing alone explains the resets.
It's not uncommon for companies to reset user passwords if they believe they are old or easily guessed. Companies usually don't store user passwords in plaintext. Instead, they run passwords through a hashing algorithm. By scrambling lists of old or stolen passwords using the same algorithm, companies can match those passwords against their own databases and proactively send out password reset emails. The caveat is that the match only works against the hashing scheme the company actually uses: with a random per-user salt, each candidate password has to be re-hashed with every user's salt, so in practice such sweeps are limited to records whose e-mail address appears in the breach, or are done at login or password-change time, when the plaintext is briefly in hand.
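The matching described above, as an added illustration that is not the article's code nor that of any company named in it: a constructed user table with per-user salted PBKDF2 hashes, a constructed third-party breach dump, and a sweep that flags users whose stored hash equals the hash of a breached password. The targeted mode tries only candidates from dump rows with the same e-mail; the exhaustive mode tries every breached password against every user and shows why the salted case is expensive. The iteration count is deliberately low so the example runs quickly.

```python
import hashlib
import hmac
import os

# Illustrative work factor. Assumption: production systems use a far higher
# iteration count or a memory-hard KDF (scrypt/Argon2); it is low here only
# so the example runs in well under a second.
PBKDF2_ROUNDS = 20_000


def hash_password(password, salt):
    """Salted PBKDF2-HMAC-SHA256; the same function the service uses at signup."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_record(email, password):
    salt = os.urandom(16)  # random per-user salt, as a real deployment would use
    return {"email": email, "salt": salt, "hash": hash_password(password, salt)}


# Constructed user table (not Spotify's schema or data). Two users reuse the
# password that leaked for their e-mail on the breached site; "erin" reuses a
# leaked password under an e-mail that does not appear in the dump at all.
USERS = {
    "alice": make_record("alice@example.com", "correct horse battery staple"),
    "bob":   make_record("bob@example.com", "Summer2018!"),
    "carol": make_record("carol@example.net", "hunter2"),
    "erin":  make_record("erin@example.org", "letmein"),
}

# Constructed third-party breach dump: (email, plaintext password) pairs.
BREACH_DUMP = [
    ("alice@example.com", "Password123"),
    ("bob@example.com", "Summer2018!"),
    ("carol@example.net", "hunter2"),
    ("dave@example.com", "letmein"),
]


def users_to_reset(users, dump, exhaustive=False):
    """Return usernames whose stored hash equals the hash of a breached password.

    Salted hashes cannot be compared across sites directly: each candidate
    must be re-hashed with *this* user's salt, one KDF call per (user,
    candidate) pair. Targeted mode tries only the candidates leaked for the
    user's own e-mail address; exhaustive=True tries every distinct breached
    password against every user, which also catches reuse under a different
    e-mail, at users x candidates x KDF cost.
    """
    by_email = {}
    for email, pw in dump:
        by_email.setdefault(email.lower(), set()).add(pw)
    all_pws = {pw for _, pw in dump}

    flagged = []
    for name, rec in users.items():
        candidates = all_pws if exhaustive else by_email.get(rec["email"].lower(), set())
        for pw in candidates:
            # constant-time comparison of the recomputed hash with the stored one
            if hmac.compare_digest(hash_password(pw, rec["salt"]), rec["hash"]):
                flagged.append(name)
                break
    return sorted(flagged)


def login_password_is_breached(password, breached_passwords):
    """Cheap alternative to the offline sweep: at login or password change the
    plaintext is briefly available, so one set lookup (or a k-anonymity range
    query against a breach corpus) replaces a KDF call per candidate."""
    return password in breached_passwords


if __name__ == "__main__":
    print("targeted:  ", users_to_reset(USERS, BREACH_DUMP))
    print("exhaustive:", users_to_reset(USERS, BREACH_DUMP, exhaustive=True))
```

Unsalted or single-global-salt stores would let a company hash the whole breach list once and join it against the user table, which is exactly why such stores are weak: the same shortcut is available to whoever steals the table.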
Netflix, Facebook and Spotify have all proactively reset account passwords in the aftermath of third-party data breaches by obtaining the data sets and matching exposed passwords against their own databases.
Spotify did not respond to our follow-up questions.
Users of Chipotle, DoorDash and OkCupid have all reported account hacks in recent months. All three have denied data breaches.