
Ask HN: What happened to trigger my Spotify password reset? - philshem
Got this email today

> To protect your Spotify account, we've reset your password due to detected suspicious activity.

Haven’t used it recently or logged in to any new device. Leads me to suspect a data breach.
======
TadaScientist
I had a similar issue not long ago. I went in and really changed it into a
massive 50 character pw.

My spotify account was hijacked in 2017 and managed to get it back - someone
from Tunisia - he had the audacity to start creating playlists full of
autotune rappers. I wouldn't mind sharing but man his taste in music was
awful.

~~~
IpV8
Same thing happened to me, right around the same time. Also my hijacker shared
a similar taste in music to yours! Spotify denied that they had any database
breaches, but I only use that password for spotify so I find that highly
unlikely.

~~~
philshem
Yes. And my login is specific to Spotify, e.g. __*+spotify@gmail.com

------
rahimnathwani
I received a 'Reset your Spotify password' email yesterday, sent to a unique
email address I use only for Spotify. (And it's not of the commonly-used
user+spotify@domain.com format.)

The only ways I can imagine someone would get that email address are:

A) From Spotify (i.e. breach)

B) From Google (as I linked my Spotify account to Google Home, which
presumably shares the registered email address)

C) From some poor security practice on my part (e.g. maybe I entered the email
address on a phishing site, or have malware on one of my devices, or someone
has access to my email, ...)

D) Guessing it.

I had presumed C or D, but given the timing of your post, I'm now not so
sure...

------
arcboii92
Maybe spotify downloaded a data breach and ran it against their db to force
better password practices? My user/default password plaintext combo from when
I was 15 was leaked in some EA hack a long time ago. That caused such a
headache that I stopped using the same thing everywhere except free services.
This initially included spotify. Then I upgraded to premium, and about a month
later someone was trying to kick me out of my account (listening from their
device) and kept playing weird music. Now everything has its own password.
EVERYTHING.

------
mtmail
They check passwords against other hacks, so if you used the same email-
password combination somewhere else that would cause them to reset your
account.

[https://www.businessinsider.de/spotify-users-password-reset-...](https://www.businessinsider.de/spotify-users-password-reset-not-hacked-other-companies-data-breaches-reuse-account-logins-2016-9?r=US&IR=T)
"Spotify's security team identified that some of the leaked user credentials
might correspond to Spotify accounts"

~~~
philshem
My email for spotify login is unique, and of the form *+spotify@gmail.com

~~~
skinnymuch
I assume that’s checked for. For simple SaaS projects compared to Spotify at
least, things like that were checked.
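
Added example, not part of the thread and not Spotify's code: a sketch of the check discussed in this sub-thread, where leaked email/password pairs from another breach are tested against a service's own salted password hashes and matching accounts are flagged for a forced reset. The `+tag` stripping rule, the PBKDF2 parameters, and all addresses and passwords are constructed assumptions.

```python
import hashlib
import hmac
import os

def canonical_email(addr: str) -> str:
    """Lower-case and drop a +tag from the local part (assumed matching policy)."""
    local, _, domain = addr.strip().lower().rpartition("@")
    return f"{local.split('+', 1)[0]}@{domain}"

def hash_password(password: str, salt: bytes) -> bytes:
    # Assumed storage scheme: salted PBKDF2-HMAC-SHA256.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user(email: str, password: str) -> dict:
    salt = os.urandom(16)
    return {"email": email, "salt": salt, "hash": hash_password(password, salt)}

def accounts_to_reset(users, leaked_pairs):
    """Return emails of accounts whose current password appears in the leak."""
    by_canonical = {}
    for user in users:
        by_canonical.setdefault(canonical_email(user["email"]), []).append(user)
    flagged = set()
    for leaked_email, leaked_password in leaked_pairs:
        # Only hash a leaked password against accounts with a matching address.
        for user in by_canonical.get(canonical_email(leaked_email), []):
            candidate = hash_password(leaked_password, user["salt"])
            if hmac.compare_digest(candidate, user["hash"]):
                flagged.add(user["email"])
    return sorted(flagged)

# Constructed sample accounts and a constructed third-party leak.
USERS = [
    make_user("alice+spotify@example.com", "hunter2"),      # tagged address, reused password
    make_user("bob@example.com", "correct horse battery"),  # address leaked, password differs
    make_user("carol@example.com", "unique-9f3k"),          # not in the leak
]
LEAK = [
    ("alice@example.com", "hunter2"),
    ("Alice+games@example.com", "letmein"),
    ("bob@example.com", "password1"),
    ("mallory@example.net", "qwerty"),
]

if __name__ == "__main__":
    print(accounts_to_reset(USERS, LEAK))
```

Only the account whose current password matches a leaked pair is flagged; an address that appears in the leak with a different password is left alone.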

------
majormunky
I had the same message a few days ago. I have family premium, so, I checked
the family invites, and, there were 3 unknown invites that I hadn’t seen
before (they hadn’t accepted them yet though). It seems odd that I wouldn’t
get an email saying that a family invite was sent out.

~~~
philshem
Netflix has a great service of showing where the account was logged-in from.
Spotify would benefit from the same.

------
psilocybergirl
I used a password for Spotify I used nowhere else...and yes...lots of music
and artists and albums are being deepfaked...it's kinda fun..it doesn't seem
to be malicious in my case but perhaps it is...but yeah...artists all of a
sudden everywhere resemble my ex-boyfriend...hmmm ....some songs are actually
delivering beautiful and insightful messages seemed to be tailored towards me
too

