Here's why your Spotify account might have been hacked and how to secure it
For those of us old enough to remember, a carefully curated physical or digital music collection was once a thing of pride and joy. Today, of course, music streaming services like Spotify have taken over the duty of cherry-picking recommendations and giving you a non-stop stream of music tuned specifically to your taste. Now imagine if someone had the power to wreak havoc on that carefully tuned stream of music, or worse, lock you out of your own account. Unfortunately, a quick look around social media suggests that there has been a noticeable uptick in users reporting that their Spotify Premium accounts have been “hacked” and accessed without their permission.
What is going on here? Why are these Spotify Premium hacks happening, and more importantly, how do you secure your Spotify account against them?
Why was my Spotify Premium hacked?
While Spotify has not acknowledged a wider issue, user reports from Premium-tier subscribers paint a dire picture. They range from the relatively innocuous, where an account is used to listen to music for free while the owner can still get in, to far more nefarious cases in which the user is completely locked out of the account with their bank details still linked to the service. The hacker can then keep using the account for free, leaving you with no easy way of taking it back.
A quick look around the internet shows how widespread the issue is. On Twitter, a new user report complaining about an account takeover appears every few minutes.
The degree of “hacking” varies quite a bit. Some of the most common instances include perpetrators only using the account for listening to music. Since Spotify only allows one stream at a time, this leaves the user stuck in a proverbial tug-of-war to see who will get to play music at any given time. This might sound funny, but it can get irritating real quick. Not only is it a nuisance, it also completely throws off Spotify’s music recommendations algorithm. The beauty of Spotify is its ability to provide you a world of music, tuned and tailored exactly to your preferences. With the hacker’s music listening data linked with yours, you could very well be bombarded by euro-pop while relaxing to your favorite jazz playlist. Not cool!
Things can, of course, take a far more serious turn. There are more than a few instances of account email addresses and passwords being switched out. Once that happens, you are essentially locked out of your own account, and you also lose the ability to remove your bank account details.
Hacked accounts are being used to increase play counts of obscure artists by the thousands.
Closer digging reveals that something a bit more sinister might be at play. Over on Reddit and Spotify’s own community forums, dozens of users have noted that hacked accounts are being used to rack up hundreds or even thousands of listens for obscure albums of DJ mixes or short ambient listening tracks.
A BBC report confirmed that ever since Spotify allowed independent artists to publish music on the platform without involving labels, there have been a number of no-name artists with no digital presence racking up a disproportionate number of streams. Since artist earnings are tied directly to stream counts, it is easy to put two and two together: there appears to be a larger operation driving up revenue for borderline fake albums using hacked Spotify Premium accounts.
We reached out to Spotify to get a better understanding of the issue at hand. The company told Android Authority that it is aware of bad actors throwing up albums specifically meant to manipulate the streaming giant’s algorithms. On its end, Spotify claims to be making a concerted effort to remove these albums.
The company confirmed that it is using AI and machine learning patterns to identify individuals gaining a very high number of streams in a short span of time. This raises flags and allows the company to better scrutinize if the artist is legitimate or not.
How could this be happening?
Here’s where things get complicated. In our conversation with Spotify, the company placed the blame squarely on users. Specifically, it says that users often share passwords with friends or family, who may reuse weak passwords across services. Once a password leaks, it is trivial to test it against other accounts to see whether the login is valid. Freely available tools take a database of thousands of leaked email addresses and passwords and try them in bulk against Spotify and other services.
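The bulk login attempts described above leave a recognisable fingerprint in a service's authentication logs: one source cycles through many different accounts in a short window, and nearly every attempt fails, which is nothing like a legitimate user mistyping a forgotten password. The script below is an added example (not Spotify's code, and not from the article) that runs that check over a constructed log sample; the log format, the IP addresses and the thresholds are all assumptions made for the demonstration.

```python
"""Added example: spotting credential-stuffing traffic in authentication logs.

Bulk replay of leaked email/password pairs looks very different from a
legitimate user who forgets a password: one source hits many distinct
accounts in a short window, and almost every attempt fails.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real Spotify data): timestamp, source IP,
# account, result. 203.0.113.7 cycles through eight accounts in a minute,
# 198.51.100.4 is one user mistyping a password, 192.0.2.9 is an office NAT.
SAMPLE_LOG = """\
2020-11-02T10:00:01Z 203.0.113.7 alice@example.com FAIL
2020-11-02T10:00:03Z 203.0.113.7 bob@example.com FAIL
2020-11-02T10:00:05Z 203.0.113.7 carol@example.com FAIL
2020-11-02T10:00:08Z 203.0.113.7 dave@example.com FAIL
2020-11-02T10:00:12Z 203.0.113.7 erin@example.com FAIL
2020-11-02T10:00:15Z 203.0.113.7 frank@example.com FAIL
2020-11-02T10:00:19Z 203.0.113.7 grace@example.com FAIL
2020-11-02T10:00:23Z 203.0.113.7 heidi@example.com SUCCESS
2020-11-02T10:01:00Z 198.51.100.4 alice@example.com FAIL
2020-11-02T10:01:09Z 198.51.100.4 alice@example.com FAIL
2020-11-02T10:01:20Z 198.51.100.4 alice@example.com FAIL
2020-11-02T10:01:35Z 198.51.100.4 alice@example.com SUCCESS
2020-11-02T10:02:00Z 192.0.2.9 ivan@example.com SUCCESS
2020-11-02T10:02:10Z 192.0.2.9 judy@example.com SUCCESS
2020-11-02T10:02:20Z 192.0.2.9 mallory@example.com SUCCESS
2020-11-02T10:02:30Z 192.0.2.9 oscar@example.com SUCCESS
2020-11-02T10:02:40Z 192.0.2.9 peggy@example.com SUCCESS
"""


def parse_log(text):
    """Turn the whitespace-separated log into (time, ip, account, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account, result))
    return events


def find_stuffing_sources(events, window=timedelta(minutes=5),
                          min_accounts=5, min_fail_ratio=0.8):
    """Return {ip: stats} for sources whose sliding window shows many distinct
    accounts and a high failure ratio. The thresholds are illustrative."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # advance the window start so evs[start:end+1] spans at most `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            accounts = {e[2] for e in span}
            failures = sum(1 for e in span if e[3] == "FAIL")
            ratio = failures / len(span)
            if len(accounts) >= min_accounts and ratio >= min_fail_ratio:
                prev = flagged.get(ip)
                # keep the widest window seen for this source
                if prev is None or len(accounts) > prev["distinct_accounts"]:
                    flagged[ip] = {"distinct_accounts": len(accounts),
                                   "attempts": len(span), "failures": failures}
    return flagged


if __name__ == "__main__":
    for ip, stats in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {stats['distinct_accounts']} accounts, "
              f"{stats['failures']}/{stats['attempts']} failures")
```

Only the first source is flagged: the single user who fails four times touches one account, and the office NAT logs in to five accounts but never fails, so neither trips the distinct-accounts and failure-ratio pair. Real deployments would add rate limiting and a step-up challenge for flagged sources rather than just printing them.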
We reached out to security analyst and founder of Have I Been Pwned, Troy Hunt, who had the following to say on the subject of password reuse:
Spotify clearly needs to be more resilient to this form of attack and they have a role to play in better protecting their customers even when the account takeovers stem from poor customer security practices. Adding [two-factor authentication] capability is a good example, although the problem with that is there are always exceptionally low adoption rates (Dropbox has about 1% of customers turn it on) and those who are aware enough to use it are more likely to practice good password hygiene in the first place!
However, that’s not the only way accounts can be taken over. Back in 2018, Facebook revealed a breach of its access token system (h/t The Guardian) that affected over 50 million users. Those same access tokens can be used to log in to a Spotify account if it is linked to your Facebook account. Facebook has since claimed to have revoked most of the affected tokens.
Earlier still, hundreds of Spotify usernames and passwords appeared in a publicly accessible file on Pastebin, indicating that attackers have had a way to obtain user credentials for a while now. There has been no respite in users reporting hacked accounts, which suggests that not all security loopholes have been closed.
How can I stop my Spotify account from being hacked?
Rule number one of internet use: never reuse passwords. This might come across as standard internet advice, but a 2019 Google survey of 3,000 netizens showed that 52% reused passwords across multiple sites. A single breach of a poorly secured website can leave your password floating around the darker corners of the internet, and there’s a good chance most of us have created an account on a less than secure website at some point. If you’ve reused that password, it may well be available online alongside your email address. The aforementioned Have I Been Pwned is a great tool for checking whether your email address has appeared in a known data breach. According to the site, over nine billion user accounts across over 400 websites have been breached to date.
Everyone should also be using a good password manager. Combined with strong, unique passwords, a password manager drastically reduces the chances of your account getting hacked. LastPass, for example, is a great option for generating a unique password for every website and storing them safely. The app is cross-platform and lets you access your passwords on the go via the mobile app.
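Have I Been Pwned also publishes its Pwned Passwords corpus behind a range API built on k-anonymity: a client hashes the password with SHA-1, sends only the first five hex characters of the hash, receives every known hash suffix in that range, and does the match locally, so the password itself never leaves the machine. The script below is an added example written for this article (it is not code from Have I Been Pwned or Spotify) showing that flow; the real endpoint is `https://api.pwnedpasswords.com/range/<prefix>`, but the demonstration uses a constructed offline stand-in with made-up breach counts so it runs without network access.

```python
"""Added example: checking a password against Have I Been Pwned's Pwned
Passwords corpus via its k-anonymity range API, with an offline stand-in.

Only the first five hex characters of the password's SHA-1 hash leave
your machine; the service returns every known suffix in that range and the
match is made locally.
"""
import hashlib
import urllib.request

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_hex_upper(password):
    """SHA-1 of the password as uppercase hex, the form Pwned Passwords uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest):
    """Split a 40-char hex digest into the 5-char prefix sent and the 35-char suffix kept."""
    return digest[:5], digest[5:]


def fetch_range_online(prefix):
    """Query the real HIBP range endpoint (needs network access; not used by the demo)."""
    req = urllib.request.Request(HIBP_RANGE_URL + prefix,
                                 headers={"User-Agent": "password-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def parse_range_response(text):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; tolerate CRLF and blank lines."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password, fetch_range=fetch_range_online):
    """Number of times the password appears in the corpus (0 = not found)."""
    prefix, suffix = split_hash(sha1_hex_upper(password))
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# Constructed offline stand-in for the API: pretend these passwords leaked
# with these made-up counts, and answer range queries the way the API would.
CONSTRUCTED_LEAKS = {"password": 3730471, "letmein": 236000, "spotify123": 812}


def fake_fetch_range(prefix):
    lines = []
    for pw, count in CONSTRUCTED_LEAKS.items():
        p, s = split_hash(sha1_hex_upper(pw))
        if p == prefix:
            lines.append(f"{s}:{count}")
    return "\r\n".join(lines)


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        n = pwned_count(candidate, fetch_range=fake_fetch_range)
        print(f"{candidate!r}: {'seen %d times' % n if n else 'not in sample corpus'}")
```

Swap `fake_fetch_range` for the default `fetch_range_online` to query the live service; a non-zero count means the password is already in attackers' wordlists and should be retired everywhere it was used.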
Spotify is yet to implement two-factor support despite repeated hacks.
A recent study by Microsoft claims that over 99.9% of account hacking attempts can be prevented by multi-factor authentication. By requiring an additional factor, be it a one-time password received via SMS, a code from an authenticator app like Authy, or a physical security key, the chances of your account being breached drop drastically.
Unfortunately, Spotify is yet to roll out two-factor authentication for the streaming service. Despite multiple petitions and requests for secure authentication, the company hasn’t made any moves to enable the feature. Spotify declined to comment when we asked whether two-factor support was something it was working on.
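To show what an authenticator app such as Authy actually does, and what the service on the other end has to check, the following is an added example (not Spotify's or Authy's code, and not from the article) implementing the standard one-time-password algorithms, HOTP from RFC 4226 and TOTP from RFC 6238, with nothing beyond Python's standard library. The secret is the RFCs' published test secret, so the codes can be checked against the published vectors; the 30-second step, six digits and one-step skew window are the usual defaults and are assumptions here.

```python
"""Added example: how an authenticator app's one-time codes work (RFC 4226 HOTP
and RFC 6238 TOTP), plus the server-side checks a service needs.

Standard library only. The secret below is the RFCs' test secret, not a real key.
"""
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 shared test secret ("12345678901234567890" as ASCII bytes).
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(key, counter, digits=6, algo=hashlib.sha1):
    """HMAC-based one-time password for a given counter (RFC 4226 dynamic truncation)."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3]) % (10 ** digits)
    return str(code).zfill(digits)


def totp(key, for_time=None, step=30, digits=6):
    """Time-based code: HOTP over the number of `step`-second intervals elapsed."""
    if for_time is None:
        for_time = time.time()
    return hotp(key, int(for_time) // step, digits)


def key_from_base32(secret):
    """Authenticator apps are usually provisioned with a Base32 secret (the QR code)."""
    cleaned = secret.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore padding that QR payloads omit
    return base64.b32decode(cleaned)


class TotpVerifier:
    """Server side: accept a code from the current step or its neighbours (clock
    skew), compare in constant time, and never accept the same step twice."""

    def __init__(self, key, step=30, digits=6, window=1):
        self.key, self.step, self.digits, self.window = key, step, digits, window
        self.last_counter = -1  # highest counter already consumed

    def verify(self, code, now=None):
        if now is None:
            now = time.time()
        counter = int(now) // self.step
        for c in range(counter - self.window, counter + self.window + 1):
            if c <= self.last_counter:
                continue  # replay: this step was already used
            if hmac.compare_digest(hotp(self.key, c, self.digits), code):
                self.last_counter = c
                return True
        return False


if __name__ == "__main__":
    print("current code for the RFC test secret:", totp(RFC_TEST_SECRET))
    v = TotpVerifier(RFC_TEST_SECRET)
    code = totp(RFC_TEST_SECRET, 30)
    print("first use accepted:", v.verify(code, 30),
          "| replay accepted:", v.verify(code, 30))
```

The replay check is the part most home-grown implementations miss: without `last_counter`, a code captured over the shoulder or by phishing stays valid for the whole skew window. SMS codes, by contrast, are generated and stored server-side and inherit whatever protection the phone network offers, which is why the article's "physical authentication key" option is the strongest of the three.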
So how do I restore my hacked Spotify account?
If you still have access to your account, change the password first. You should also revoke access for third-party services via Spotify’s website, which is straightforward: head to the official website, open your account page and click Apps. You will see a list of websites and applications that have been granted access to your Spotify account, and you can revoke permissions for any app you no longer use. Changing the password is just as simple: on the website, open your account details and set a fresh password.
However, if the hacker has changed the associated email address and password, there are a few more steps involved. The issue is prevalent enough that Spotify’s support page provides a direct link for help in case your account has been taken over.
Spotify chat support is your best bet to regain your account, but you better have patience.
In this case, you will be connected to chat support and will need to provide additional documents, such as a payment invoice received by email and a screenshot of a bank statement confirming payment for the service. Having been in the unfortunate position of using this myself, I can tell you it is a time-consuming process, but it does work.
I’m done with this, what are the best Spotify alternatives?
It might be the most popular service, but Spotify is far from the only music streaming service around. If you want high-resolution music, Tidal and Qobuz are great alternatives. In fact, even Deezer offers high-resolution music that sounds markedly better than Spotify, provided you have the hardware to match.
Apple Music is yet another music streaming service that is fast shaping up to be a big player. At 45 million tracks, the music library is bigger than Spotify’s. It might come as a surprise, but Apple has done a really good job with the Android app. The interface is clean, the app supports a native dark mode, and it lets you beam audio to cast compatible devices. Additionally, Beats 1 radio is a rather compelling option to have for times when you just want to discover some fresh new music.
Another alternative is Amazon Music. It might have a smaller library than other services, but it’s included with any Amazon Prime subscription. Now that it has added high resolution audio support, it is the only place where you can listen to Dolby Atmos music which makes it a must-have in case you’ve invested in an Echo Studio.
Google Play Music, one of the earliest players in the music streaming business, is on the cusp of being shut down, and Google has been trying to get people to switch over to YouTube Music as an alternative. The service combines a robust music library with the wider content of YouTube. Additionally, it remains one of the few services that still offer a music locker for uploading your own tracks. This is still an option for users with particularly niche music libraries that wouldn’t be available for digital streaming otherwise. For everyone else, I’d recommend waiting till YouTube Music matures a bit and achieves feature parity with Google Play Music.
Despite being the largest music service, Spotify has an, ahem, spotty record of getting the basics right. For example, instead of a truly randomized shuffle option, it still picks tracks algorithmically, and you end up listening to the same ones. I could go on about the missing features like support for lyrics, questionable UI changes (did we really need a shuffle button added to the play icon?), and myriad other pain points.
However, the lack of focus on security is a huge black mark on the world’s most popular music streaming platform. With just under 350 million monthly active users, Spotify owes it to its customers to take a proactive role in protecting accounts and there is really no excuse for the continued instances of account hacking.
Has your Spotify account ever been hacked? How difficult was it for you to gain back access? Let us know in the comments section.