Ask HN: What happened to trigger my Spotify password reset?
10 points by philshem on May 22, 2019 | 14 comments
Got this email today

> To protect your Spotify account, we've reset your password due to detected suspicious activity.

Haven’t used it recently or logged in to any new device. Leads me to suspect a data breach.

I had a similar issue not long ago. I went in and really changed it into a massive 50 character pw.

My Spotify account was hijacked in 2017 and I managed to get it back - someone from Tunisia - he had the audacity to start creating playlists full of autotune rappers. I wouldn't mind sharing, but man, his taste in music was awful.

Same thing happened to me, right around the same time. Also my hijacker shared a similar taste in music to yours! Spotify denied that they had any database breaches, but I only use that password for spotify so I find that highly unlikely.

Yes. And my login is specific to Spotify, e.g. *+spotify@gmail.com

Was there some kind of big breach in 2017? My account wasn't even pro! I just logged into my account after a couple months and someone else was using it!

Interesting. A couple months ago I did have some weird thing where some song I never heard of kept playing and starting again when I chose my own song. My account is a free one, and limited to one concurrent player, so I see no need to “share”.

I received a 'Reset your Spotify password' email yesterday, sent to a unique email address I use only for Spotify. (And it's not of the commonly-used user+spotify@domain.com format.)

The only ways I can imagine someone would get that email address are:

A) From Spotify (i.e. breach)

B) From Google (as I linked my Spotify account to Google Home, which presumably shares the registered email address)

C) From some poor security practice on my part (e.g. maybe I entered the email address on a phishing site, or have malware on one of my devices, or someone has access to my email, ...)

D) Guessing it.

I had presumed C or D, but given the timing of your post, I'm now not so sure...

Maybe spotify downloaded a data breach and ran it against their db to force better password practices? My user/default password plaintext combo from when I was 15 was leaked in some EA hack a long time ago. That caused such a headache that I stopped using the same thing everywhere except free services. This initially included spotify. Then I upgraded to premium, and about a month later someone was trying to kick me out of my account (listening from their device) and kept playing weird music. Now everything has its own password. EVERYTHING.

They check passwords against other hacks, so if you used the same email-password combination somewhere else that would cause them to reset your account.

https://www.businessinsider.de/spotify-users-password-reset-... "Spotify's security team identified that some of the leaked user credentials might correspond to Spotify accounts"

My email for spotify login is unique, and of the form *+spotify@gmail.com

I assume that’s checked for. For simple SaaS projects compared to Spotify at least, things like that were checked.

More or less everyone analyzing email addresses knows that pattern, so it's easily ignored.
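
How a service could run the leaked-credential check the comments above describe, including the plus-tag and Gmail-dot normalisation that makes *+spotify@gmail.com easy to match: an added Python example, not Spotify's code. The account store, the leak sample, the salts and the PBKDF2 work factor are all constructed here.

```python
import hashlib
import hmac

ITERATIONS = 50_000  # kept low for the demo; a real store uses a much higher work factor


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-SHA256 stand-in for whatever KDF the real account store uses."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def normalize_email(addr: str) -> str:
    """Canonical form so a plus-tag (alice+spotify@gmail.com) or Gmail dots
    cannot hide a match between a leaked address and a registered one."""
    local, _, domain = addr.strip().lower().rpartition("@")
    local = local.split("+", 1)[0]           # drop the +tag
    if domain in ("gmail.com", "googlemail.com"):
        local = local.replace(".", "")       # Gmail ignores dots in the local part
        domain = "gmail.com"
    return f"{local}@{domain}"


# Constructed account store: login email -> (salt, stored hash). Not a real schema.
ACCOUNTS = {
    "alice+spotify@gmail.com": (b"salt-alice", hash_password("hunter2", b"salt-alice")),
    "bob@example.org":         (b"salt-bob",   hash_password("correct horse", b"salt-bob")),
    "carol@example.org":       (b"salt-carol", hash_password("unique-50-char-pw", b"salt-carol")),
}

# Constructed sample of a third-party leak: (email, plaintext password) pairs.
LEAKED = [
    ("A.Lice@gmail.com", "hunter2"),             # reused password; tag and dots differ
    ("bob@example.org", "wrong-guess"),          # same address, different password
    ("carol@example.org", "unique-50-char-pw"),  # exact reuse
    ("dave@example.org", "whatever"),            # no such account
]


def find_reused_credentials(accounts, leaked):
    """Return registered emails whose stored hash verifies a leaked password for the
    same normalized address; these are the accounts to force-reset."""
    by_norm = {}
    for email, (salt, digest) in accounts.items():
        by_norm.setdefault(normalize_email(email), []).append((email, salt, digest))
    hits = set()
    for leaked_email, leaked_pw in leaked:
        for email, salt, digest in by_norm.get(normalize_email(leaked_email), []):
            if hmac.compare_digest(hash_password(leaked_pw, salt), digest):
                hits.add(email)
    return sorted(hits)


if __name__ == "__main__":
    print(find_reused_credentials(ACCOUNTS, LEAKED))  # ['alice+spotify@gmail.com', 'carol@example.org']
```

Only accounts whose stored hash verifies the leaked password are flagged, so a matching address with a different password (bob) is left alone.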

I had the same message a few days ago. I have family premium, so I checked the family invites, and there were 3 unknown invites that I hadn’t seen before (they hadn’t accepted them yet though). It seems odd that I wouldn’t get an email saying that a family invite was sent out.

Netflix has a great service of showing where the account was logged-in from. Spotify would benefit from the same.

i used a password for Spotify i used nowhere else...and yes...lots of music and artists and albums are being deepfaked...it's kinda fun..it doesn't seem to be malicious in my case but perhaps it is...but yeah...artists all of a sudden everywhere resemble my ex-boyfriend...hmmm ....some songs are actually delivering beautiful and insightful messages seemed to be tailored towards me too

