How to secure your hacked Spotify account
For those of us old enough to remember, a carefully curated physical or digital music collection was once a thing of pride and joy. Today, music streaming services like Spotify have taken over the duty of cherry-picking recommendations and giving you a non-stop stream of music tuned specifically to your taste. Now imagine if someone had the power to wreak havoc on that carefully tuned stream of music, or worse, lock you out of your account. Unfortunately, there has been a noticeable uptick in Spotify Premium accounts being hacked and accessed without permission. How do you secure your Spotify account against these hacks?
To protect your Spotify account from possibly being hacked, use a unique password in tandem with a password manager app. Regularly changing your Spotify password is also a sound strategy to keep your account protected. Spotify still hasn't rolled out two-factor authentication support, making it hard to protect your account.
Why was my Spotify Premium hacked?
While Spotify has not acknowledged a broader issue, looking at user reports from Premium-tier subscribers paints a dire picture. Some accounts are being used to listen to music for free while the owner still has access; other users are locked out of their account entirely, with their bank details still linked to the service. The hacker can then continue to use the account for free, leaving you with no easy means of taking back your account.
A quick peek around the internet shows us how widespread the issue is. Over on Twitter, there is a new user report every few minutes complaining about accounts being taken over.
The degree of “hacking” varies quite a bit. Some of the most common instances include perpetrators only using the account for listening to music. Since Spotify only allows one stream at a time, this leaves the user stuck in a proverbial tug-of-war to see who will get to play music at any given time. This might sound funny, but it can get irritating quickly. Not only is it a nuisance, but it also completely throws off Spotify’s music recommendations algorithm.
The beauty of Spotify is its ability to provide you with a world of music, tuned and tailored precisely to your preferences. With the hacker’s music listening data linked with yours, you could be bombarded by euro-pop while relaxing to your favorite jazz playlist.
Things can, of course, take a far more serious turn as well. There are more than a few instances of account email addresses and passwords being switched out. Once that is done, you are essentially locked out of your account. This also leaves you without the ability to remove your bank account details.
Hacked accounts are being used to increase play counts of obscure artists by the thousands.
Closer digging reveals that something a bit more sinister might be at play. Over on Reddit and Spotify’s community forums, dozens of users have noted that hacked accounts are being used to rack up hundreds or even thousands of listens for obscure albums of DJ mixes or short ambient listening tracks.
A BBC report confirmed that ever since Spotify allowed independent artists to make their music available on Spotify without involving labels, there have been some no-name artists with no digital presence racking up a disproportional number of streams. Since artist earnings are completely tied to the number of streams, it is easy to put two and two together. It would appear that there’s a larger nexus at play to drive up revenues for borderline fake albums using hacked Spotify Premium accounts.
We reached out to Spotify to better understand the issue at hand. The company told Android Authority that it is aware of bad actors throwing up albums specifically meant to manipulate the streaming giant’s algorithms. On its end, Spotify claims to be making a concerted effort to remove these albums.
The company confirmed that it is using AI and machine learning patterns to identify individuals gaining a very high number of streams in a short period. This raises flags and allows the company to scrutinize better if the artist is legitimate or not.
How is the Spotify account getting hacked?
Here’s where things get complicated. In our conversation with Spotify, the company placed the blame squarely on users. Specifically, the company says that users often share passwords with friends or family who might reuse weak passwords between services. When those passwords leak, it is fairly trivial to try them against Spotify to see whether the account is valid. Freely available tools can take a database of thousands of compromised email addresses and passwords and test them in bulk against Spotify and other services.
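The pattern described above, a leaked list replayed against many accounts from one source, is what a service can spot on its own side. The following is an added example written for this article, not code from Spotify or from the tools mentioned; the log format and the log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events (made up for this example, not real logs).
# Format: "<ISO timestamp> <FAIL|OK> ip=<address> user=<account>"
SAMPLE_LOG = """\
2020-06-01T12:00:01 FAIL ip=203.0.113.7 user=alice@example.com
2020-06-01T12:00:02 FAIL ip=203.0.113.7 user=bob@example.com
2020-06-01T12:00:02 FAIL ip=203.0.113.7 user=carol@example.com
2020-06-01T12:00:03 OK   ip=203.0.113.7 user=dave@example.com
2020-06-01T12:00:04 FAIL ip=203.0.113.7 user=erin@example.com
2020-06-01T12:00:09 FAIL ip=198.51.100.2 user=alice@example.com
2020-06-01T12:00:20 OK   ip=198.51.100.2 user=alice@example.com
"""

LINE_RE = re.compile(r"^(\S+) (FAIL|OK)\s+ip=(\S+) user=(\S+)$")

def parse_log(text):
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, result, ip, user = m.groups()
            events.append((datetime.fromisoformat(ts), result, ip, user))
    return events

def stuffing_sources(events, window=timedelta(seconds=60), min_users=5):
    """Map each IP that tried >= min_users distinct accounts inside one sliding
    window to the accounts it touched. A person retrying their own password
    never trips this; a replayed leak list does."""
    by_ip = defaultdict(list)
    for ts, _result, ip, user in sorted(events):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, attempts in by_ip.items():
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            users = {u for _t, u in attempts[start:end + 1]}
            if len(users) >= min_users:
                flagged[ip] = users
    return flagged

def takeover_candidates(events, flagged):
    """Accounts where a flagged source actually logged in: the reused passwords
    that worked, i.e. the accounts to force-reset and notify first."""
    return sorted({user for _ts, result, ip, user in events
                   if result == "OK" and ip in flagged})
```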
We reached out to security analyst and founder of Have I Been Pwned, Troy Hunt, who had the following to say on the subject of password reuse:
Spotify clearly needs to be more resilient to this form of attack and they have a role to play in better protecting their customers even when the account takeovers stem from poor customer security practices. Adding [two-factor authentication] capability is a good example, although the problem with that is there’s always exceptionally low adoption rates (Dropbox has about 1% of customers turn it on) and those who are aware enough to use it are more likely to practice good password hygiene in the first place!
However, that’s not the only way accounts can get taken over. In 2018, Facebook revealed a breach in their access token system (h/t The Guardian), affecting over 50 million users. This same access token system can be used to log in to a Spotify account if you have yours linked to Facebook. Since then, Facebook claims to have revoked most of these access tokens.
Earlier still, hundreds of Spotify usernames and passwords showed up as a publicly accessible file on Pastebin, indicating that hackers have had a way to access user credentials for a while now. There’s been no respite in users claiming hacked accounts which suggests that not all security loopholes have been closed off.
How can I stop my Spotify account from being hacked?
Rule number one of internet use: never reuse passwords. This might come across as standard internet advice, but a 2019 survey by Google of 3,000 netizens showed that 52% reused passwords across multiple sites. A single breach from a poorly secured website can end up with your password floating around the internet’s darker corners.
There’s a good chance that most of us have created an account on a less than secure website. If you’ve reused your password, it may be available on the internet along with your email address. The aforementioned Have I Been Pwned is a great tool for checking if your email address has been compromised as part of a wider data breach. According to the site, over nine billion user accounts across over 400 websites have been breached to date.
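Have I Been Pwned also lets you check whether a password itself has shown up in a breach, without ever sending the password: only the first five characters of its SHA-1 hash go to the service (k-anonymity), and the full list for that prefix comes back to compare locally. This is an added example, not code from the article, Spotify or HIBP; the range API URL is real, while the sample response body below is constructed so the example runs offline.

```python
import hashlib
import urllib.request

# Real endpoint: Have I Been Pwned's Pwned Passwords range API.
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"

def hash_parts(password):
    """SHA-1 the password (the scheme Pwned Passwords uses) and split it into
    the 5-hex-char prefix that is sent and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def fetch_range(prefix):
    """Live lookup: every suffix HIBP has seen for this prefix, as 'SUFFIX:COUNT'."""
    with urllib.request.urlopen(PWNED_RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")

def parse_range(body):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}, ignoring blank lines."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep:
            counts[suffix.upper()] = int(count)
    return counts

def breach_count(password, fetch=fetch_range):
    """How many times the password appears in known breaches (0 = not seen).
    Only the hash prefix leaves the machine, so the service learns neither
    the password nor its full hash."""
    prefix, suffix = hash_parts(password)
    return parse_range(fetch(prefix)).get(suffix, 0)

# Constructed stand-in for the response to range/5BAA6 so the example runs
# offline. Suffixes and counts are made up, except that SHA-1("password")
# really is 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8.
SAMPLE_RANGE_BODY = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1D72CD07550416C216D8AD296BF5C0AE8E0:10
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E2AAA439972480CEC7F16C795BBB429372:1
"""

def offline_fetch(prefix):
    """Stub fetcher: only the 5BAA6 range is populated; others come back empty."""
    return SAMPLE_RANGE_BODY if prefix == "5BAA6" else ""
```

Call `breach_count("...")` with the default fetcher for a live check against HIBP, or pass `fetch=offline_fetch` to exercise the logic against the constructed data.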
Everyone should also be using a good password manager and locker. Combined with a strong and unique password, a good password locker can drastically reduce the chances of your account getting hacked. LastPass, for example, is a great option for generating unique passwords for every website and storing them safely. The app is cross-platform and lets you access your passwords on the go via the mobile app.
Spotify is yet to implement two-factor support despite repeated hacks.
A recent study by Microsoft claims that multi-factor authentication can prevent over 99.9% of account hacking attempts. By requiring an additional authentication component, be it a one-time password received via SMS, a secure authenticator like Authy, or even a physical authentication key, the chances of your account getting breached reduce drastically.
Unfortunately, Spotify is yet to roll out two-factor authentication support for the streaming service. Despite multiple petitions and requests for secure authentication, the company hasn’t made any moves to enable the security feature. Spotify refused to comment when we reached out to confirm if two-factor support was something it was working on.
So how do I restore my hacked Spotify account?
If you still have access to your account, your best bet would be to go ahead and change the password. You should also revoke access to third-party services via Spotify’s website. Spotify makes this very straightforward.
All you have to do is head over to the official website and click on your account. Click on apps, and you will be presented with a list of websites and applications that have access to your Spotify credentials. You can revoke permissions for any app that you are no longer using. Similarly, changing the password is very simple. Over at the website, click on your account details to set a fresh password.
However, if the hacker has changed the associated email address and password, a few more steps are involved. The issue is prevalent enough that Spotify’s support page provides a direct link for help if your account has been taken over.
Spotify chat support is your best bet to regain your account, but you better have patience.
In this case, you will be connected to chat support and will need to provide additional documents like a payment invoice received by mail and a screenshot of a bank statement confirming payment for the service. Having been in the unfortunate position of using this myself, I can tell you it is a time-consuming process, but it does work.
I’m done with this. What are the best Spotify alternatives?
It might be the most popular service, but Spotify is far from the only music streaming service. In case you want high-resolution music, Tidal and Qobuz are great alternatives. Even Deezer offers high-resolution music that sounds markedly better than Spotify, provided you have the hardware to match.
Apple Music is yet another music streaming service that is fast shaping into a big player. At 45 million tracks, the music library is bigger than Spotify’s. It might come as a surprise, but Apple has done a really good job with the Android app. The interface is clean, the app supports a native dark mode, and it lets you beam audio to cast compatible devices. Additionally, Beats 1 radio is a rather compelling option to have when you want to discover some fresh new music.
Another alternative is Amazon Music. It might have a smaller library than other services, but it’s included with any Amazon Prime subscription. Now that it has added high-resolution audio support, it is the only place you can listen to Dolby Atmos music, making it a must-have if you’ve invested in an Echo Studio.
Google Play Music, one of the earliest players in the music streaming business, is on the cusp of being shut down, and Google has been trying to get people to switch over to YouTube Music as an alternative. The service combines a robust music library with the wider content of YouTube. Additionally, it remains one of the few services that still offers a music locker to upload your own tracks. This is still an option for users with particularly niche music libraries that wouldn’t be available for digital streaming otherwise. For everyone else, I’d recommend waiting till YouTube Music matures a bit and achieves feature parity with Google Play Music.
Despite being the largest music service, Spotify has a spotty record of getting the basics right. For example, instead of a truly randomized shuffle option, it still runs algorithmically, and you listen to the same tracks. I could discuss the missing features like support for lyrics, questionable UI changes (did we need a shuffle button added to the play icon?), and various other pain points.
However, the lack of focus on security is a huge black mark on the world’s most popular music streaming platform. With just under 350 million monthly active users, Spotify owes it to its customers to proactively protect accounts. There is no excuse for the continued instances of account hacking.
No, Spotify doesn’t support two-factor authentication.