Music streaming giant Spotify has notified an unspecified number of users that the company has reset their account password, but has left dozens of users asking why.
In an email, some Spotify users were told their password was reset “due to detected suspicious activity,” but gave no further details.
Anyone else getting emails from Spotify about suspicious activity? No compromise, at least not on my account, just seems to be getting hammered
— Chris Barsby (@Barsbeh) May 16, 2019
Suspicious activity detected on my Spotify account.
— NK (@NonoGerrard) May 21, 2019
Spotify just reset my password due to 'suspicious activity'. Did someone hack in to listen to Justin Bieber or something?
— P13 (@apaulothirteen) May 16, 2019
When reached, Spotify spokesperson Peter Collins said: “As part of our ongoing maintenance efforts to combat fraudulent activity on our service, we recently shared a communication with select users to reset their passwords as a precaution. As a best practice, we strongly recommend users not to use the same credentials across different services to protect themselves.”
In other words, Spotify says this is a credential stuffing attack, where hackers take lists of usernames and passwords from other breached sites and brute-force their way into other accounts.
We contacted several people who received the email reset message. Some used the same password across different websites and some used passwords unique to Spotify. Two people who commented on this Hacker News thread also said their passwords were unique, casting doubt on the veracity of a credential stuffing attack.
It’s not uncommon for companies to reset user passwords if they believe they are weak or easily guessed. Companies typically don’t store user passwords in plaintext. Instead, they scramble passwords using a hashing algorithm. By scrambling lists of weak or stolen passwords using the same algorithm, companies can match weak passwords against their own databases and proactively send out password reset emails.
Netflix, Facebook and Spotify too have all proactively reset account passwords in the aftermath of third-party data breaches by obtaining the data set and matching exposed passwords against their databases.
Spotify did not respond to our follow-up questions.