Skip to main content

Thousands of Spotify accounts hacked - here's what you need to know

(Image credit: George Dolgikh /

Thousands of Spotify users have been urged to check their security protection following a major cyberattack on the service.

The music streaming platform is reportedly being hit by a "credential stuffing" attack that could allow hackers to take over user accounts, disrupting playlists and profiles, with around 300 million Spotify attacks at risk.

Such attacks look to utilise login details and personal information gathered from seperate data breaches or cyberattacks to gain access to specific platforms.

Spotify account hack

A report from VPNMentor has highlighted how a database containing over 380 million records is currently being used to hack into Spotify accounts, with the company's app and online platform both affected.

The affected Elasticsearch database, thought to be from a third party rather than internal, contained 72GB of Spotify user data including usernames, email addresses, passwords, and a note on whether the information will allow access to an account.

It's unclear how the database was compiled, but such resources are typically put together following major data breaches or cyberattacks on other online targets, before being released either for free or under payment on the Dark Web.

VPNMentor noted that the database was "completely unsecured and unencrypted", suggesting the former, with the team able to access the information via browser, "manipulating the URL search criteria into exposing schemata from a single index at any time".

VPNMentor says it contacted Spotify about the exposed database on July 9, with the latter responding almost immediately.

"In response to our inquiry, Spotify initiated a ‘rolling reset’ of passwords for all users affected. As a result, the information on the database would be voided and become useless," the researchers stated.

Spotify added that all compromised accounts were issued a password reset in July, and users should change their login details now if they haven't already. If they have re-used their Spotify passwords on other accounts, these should also be changed immediately in order to make sure no weak spots remain.

Via Bleeping Computer