Spotify - Hacked or Breached (and Email Address)

SaberX on 05/05/2019 - 23:54
Last edited 06/05/2019 - 11:30 by 1 other user

TL;DR

All, looking for some advice on internet security and what they may be trying to do (potential breach of accounts).

I have had some issues with spotify having to "relogin" between sessions over the last month or two, but otherwise nothing odd. Prior to that I could reopen spotify days later on my phone or computer and it was remained logged in. Nothing suspicious otherwise. But very annoying.

Tonight I was trying to play a song for the mrs and it kept stopping and i would be "listening on" another device, some other unrecognizable song.

I noticed the "Listen on other devices" had chromecast suggestions and "Spotify connect" had a SM-J730F device. Alarm bells went off and i was unable to reset my password to my email address - kept saying not found. After confirming I had spotify emails from this account I tried my "username" as my mobile was still logged in. Voila. I could access my online account login on the laptop.

Lo and behold, I had another email address listed: "[email protected]" - removed the XXXX for anonymity. After panicking I firstly logged all devices out of spotify via the web browser. Changed my email back to a dummy email (under my control) then reset my password.

Now I am just wondering - has spotify suffered a data breach? A quick google seems to indicate other "premium" users complaining too (i am on a premium family plan shared). I am generally 'savvy' enough to not be breached, but this is quite concerning. My main worry is - have my emails been breached? These are the gatekeepers of all of life's websites and password resets. Assuming not?

But it begs the question - how the hell was i breached? Has anyone had recent issues? I did search through my hotmail and I received an email late fri night - totally went under my radar - haven't even read it. It is in french I believe. I had it translated, and basically it was the email change. How the hell does spotify allow a change in email without confirmation from your email account? What sort of strength integrity is that? Any basic function is to require a confirmation email before changing a connected email.

And why did they not change my login password and only my email address? Can i assume this password is "compromised"? I use it alot on "basic" websites to login, and my stronger password combos on more important data (banks etc.) - so I am tossing up how much do I need to burn and change?

Edit: my recently played spotify has "A.L.A" artist, "Deux feres by PNL" and "MOdus Mio" by Sero El Mero. The spotify emails I received notifying me of them changing the email address appear to be in French so presumably from there.

Update: after securing my spotify back, I've changed the password and also my hotmail linked account password. Interestingly I noticed in my "recent activity" list in hotmail some dodgy entries.

Whilst throughout the month I got the odd unsuccessful synch on IMAP and POP 3 from various countries, since Friday night I have received a few unsuccessful syncs for IMAP and POP3 . THe email changing my spotify came friday just before 10PM so it coincides.

Can anyone advise what they are trying to do? Hotmail states these were "Type: Unsuccessful sync" But i am somewhat unnerved as i take it this means someone is trying to synch to my email address. Good luck to the (23k emails) but a lot of it is junk newsletters, but still some attached logins. So I am somewhat worried about the breach.

Can unsuccessfully trying to synch emails mean they managed to access anything? Is there anything I can do? Or are they just "fishing" for a successful login now that my email address must be publicly on the WWW?

Interestingly start of last week I read articles on "browser compartmentalization" and began the journey of seeing how I could segregate my accounts browser from everyday stuff. I just started creating new email addresses to ditch this old hotmail as it was clogging with newsletters and junk, but it was sentimental as it has been with me since msn days (worried old connections in 30 years will come knocking).

At the same time I started installing the TOR browser, as well a the Brave browser on my mobile, as well as on my home laptop. Surely using Brave or TOR browser would not compromise me?? Given my phone is already connected via the gmail and android app to my accounts ? I presume a dodgy app could read this data or intercept it? Any advice?

"Yesterday 9:05 PM
Automatic Sync
Morocco
Protocol: IMAP
IP: 160.176.55.81
Account alias:
[email protected]

Time: Yesterday 9:05 PM
Approximate location: Morocco
Type: Unsuccessful sync
Look unfamiliar?
Secure your account
Protocol: IMAP
IP: 160.176.55.81
Account alias:
[email protected]

Time: Yesterday 7:41 PM
Approximate location: Morocco
Type: Unsuccessful sync
Look unfamiliar?
Secure your account
Protocol: IMAP
IP: 2603:1046:100:25::5
Account alias:
[email protected]

Time: Yesterday 3:42 AM
Approximate location: Not available
Type: Unsuccessful sync
Look unfamiliar?
Secure your account
Protocol: IMAP
IP: 2603:1046:803:1d::5
Account alias:
[email protected]

Time: Yesterday 3:41 AM
Approximate location: Not available
Type: Unsuccessful sync
Look unfamiliar?
Secure your account
Protocol: IMAP
IP: 197.0.179.24
Account alias:
[email protected]

Time: Yesterday 1:55 AM
Approximate location: Tunisia
Type: Unsuccessful sync
Look unfamiliar?
Secure your account
Protocol: POP3
IP: 105.102.139.161
Account alias:
[email protected]

Time: Yesterday 12:11 AM
Approximate location: Algeria
Type: Unsuccessful sync
Look unfamiliar?
Secure your account
Protocol: IMAP
IP: 43.239.208.244
Account alias:
[email protected]

Time: 5/3/2019 10:33 PM
Approximate location: India
Type: Unsuccessful sync
Look unfamiliar?
Secure your account
Protocol: IMAP
IP: 197.0.179.24
Account alias:
[email protected]

Time: 5/3/2019 9:19 PM
Approximate location: Tunisia
Type: Unsuccessful sync
Look unfamiliar?
Secure your account
Protocol: IMAP
IP: 34.74.119.204
Account alias:
[email protected]

Time: 5/3/2019 7:09 PM
Approximate location: United States
Type: Unsuccessful sync
Look unfamiliar?
Secure your account
Protocol: IMAP
IP: 193.61.207.180
Account alias:
[email protected]

Time: 5/1/2019 3:37 AM
Approximate location: United Kingdom
Type: Unsuccessful sync
Look unfamiliar?
Secure your account
Protocol: IMAP
IP: 2408:825c:3283:fa23:dcf6:e1c9:4f94:f495
Account alias:
[email protected]

Time: 4/23/2019 10:40 PM
Approximate location: Not available
Type: Unsuccessful sync
Look unfamiliar?
Secure your account
Protocol: IMAP
IP: 36.89.228.201
Account alias:
[email protected]

Time: 4/12/2019 12:35 AM
Approximate location: Indonesia
Type: Unsuccessful sync
Look unfamiliar?
Secure your account
Protocol: IMAP
IP: 191.241.226.173
Account alias:
[email protected]

Time: 4/5/2019 8:04 AM
Approximate location: Brazil
Type: Unsuccessful sync
Look unfamiliar?
Secure your account
"

Entertainment

Related Stores

Spotify
Spotify

Comments

  • Clear on 05/05/2019 - 23:56
    +3

    Check your email addresses against Have I been Pwned as it'll check your email against known data breaches.

    • SaberX on 06/05/2019 - 00:25
      +1

      Have checked that years ago and was already breached. Even ye old neopets from back in the 2000s was a known data breach, however I had persisted with this email address. I never had any problems though until now? I presume apart from spam, if you change your passwords to unique ones since the breaches then the worse they can do is spam your email address?

      Presumably need to come up with a way of creating unique passwords rather than revolving a good 5-6 strong ones, as presumably if one is compromised if they somehow link it with another account or worse an email address then the whole house of cards would come falling.

      • Quantumcat on 06/05/2019 - 07:02
        +2

        Presumably need to come up with a way of creating unique passwords rather than revolving a good 5-6 strong ones

        Yes you do. Use LastPass or similar.

    • SaberX on 06/05/2019 - 00:29

      There we go. From the haveibeenpwned. THis one is new. 3 May - corresponds to friday. How the heck did my spotify get leaked on this list only recently? Does this mean spotify was recently breached? Or sometime ago and only just released?

      Perhaps someone can explain what this "pastes " is? And how it relates to my compromising once released?

      Pastes you were found in

      A paste is information that has been published to a publicly facing website designed to share content and is often an early indicator of a data breach. Pastes are automatically imported and often removed shortly after having been posted. Using the 1Password password manager helps you ensure all your passwords are strong and unique such that a breach of one service doesn't put your other services at risk.

      Paste title Date Emails
      609x Spotify Premium 3 May 2019, 13:18 670

      • Typical16-bitEnjoyer on 06/05/2019 - 08:43
        +3

        Spotify was not breached. Your email was breached. They have discovered your Spotify subscription (along with all other logins for services you use) via your email account. They have then onsold the login details cheap.

        They don't change the password hoping that you will not notice and can ride off your premium subscription for as long as possible. It's in their best interests to not change the password so as not to alert you as they would lose access\you would cancel the account. Likely whoever has "paid" for your Spotify premium details has shared it with others and thus now too many people have simultaneously logged in alerting you.

        As for your Hotmail, a single user is still attempting unsuccessfully to regain access via a VPN etc. or they have sold your account details as well.

        You don't need to ditch your email address.
        Just start using LastPass or KeePass etc. and never type your LastPass/KeePass into a browser window EVER.

        • SaberX on 12/05/2019 - 15:22

          If they had breached my email then wouldn't they have changed my email address password and associated as it has alot more important information than said spotify? GIven they hadn't synched successfully by IMAP I presume they didn't have the email password as I only tried to change my email password after the spotify breach (and they had already failed to access the email).

          I presume the "email" itself was leaked with the password that was used to discover and breach Spotify etc. , and the attempts to then use these same passwords to take over the email? on Monday i received an email from goodreads who notified me of suspicious activity and had "changed my password". Worrying as goodreads isn't even a high value target I mean it keeps my books i've "saved" for my own library recording…. but obviously theey must be fishing the web for various sites? I cahnged my amazon password and will tonight be going through most major websites - book ddepository etc. to change my more 'basic' passwords that may have doubled up with the spotify one.

          Proided it is 'synching unsuccessfully" there is no way an IMAP or POP attempt to synch could have taken any emails? As if it's unsuccessful I presume they're blocked altogether?

          I was thinking of starting up with LastPass or KeePass…. would you recommend one? I saw KeePass on android/google play had various iterations, whereas lastpass had only one, so I was abit confused which was the legitimate KeePass.

          I know Authy for an authenticator app allows cloud backups so if your phone is lost it isn't too bad, does both LastPass and KeePass offer cloud backup in the event you lose your phone? Or is the sheer act of cloud based storing all the keys to your vaults a terrible idea?

          P.S. When you said never type your LastPass etc. password into a browser why is that? Can browser snooping steal it? Or are you referring to never doubling up your LastPass password with ANY browser based website password EVER?

      • spackbace on 06/05/2019 - 11:31

        Yeah I was the victim of a 'paste', thankfully nothing was affected. They likely try easy accounts, 1 they tried of mine was Fortnite, which alerted me to the login attempt.

        • SaberX on 12/05/2019 - 15:17

          I was reading the haveibeenpwned entry on "pastes" but am abit confused. Why would hackers "Paste" a dump of information accessed on the web for a website like HIBP to scoop up and potentially alert compromised users?

          • spackbace on 12/05/2019 - 15:23

            @SaberX: Get it out there for as many people as possible to access?

            I actually created an account on pastebin to report the paste I was in, though a google search found it on some PlayStation forum

            • SaberX on 12/05/2019 - 21:17

              @spackbace: I thought they would only want one person to access it i.e. the buyer of the information? or do people just post stuff for kicks to the masses to disclose all your information?

              I heard the playstation hack was bad - un encrypted data etc, was a terrible job. Perhaps that's why you ended up on the playstation forum?

              • spackbace on 12/05/2019 - 21:21

                @SaberX: I don't have a psn account lol never have so I'm not sure

  • [Deactivated] on 05/05/2019 - 23:59
    +2

    my $3 a month spotify account works fine, and has been working fine for like 2 years.

    this sounds like someone got your spotify login and password and sold it to someone who changed the email and password to try and use your account for cheap.
    you can literally buy hacked spotify accounts for under 1USD online.

    please include a tldr next time.

    • SaberX on 06/05/2019 - 00:23

      But why would user change the email and not the password? It meant i could login with my username and password still, and then change the email back - before promptly changing the password.

      Sorry, but what is the tldr for when creating a post? I thought it was for those who didnt read a long topic? Which i agree, i forgot to prewarn (given the copy and paste).

      • Ryanek on 06/05/2019 - 08:49

        why would user change the email and not the password

        Because you would find out and change your password.

    • SupplyandDemand on 06/05/2019 - 00:54

      How have you managed to get it for $3 a month?

      • SaberX on 06/05/2019 - 01:00

        Probably family shared account like me.

      • [Deactivated] on 06/05/2019 - 06:35

        Philippines account is approx 3.29 a month or so

  • JIMB0 on 06/05/2019 - 06:49
    +2

    This is what you get for using password1.

    • Ithinkimtheking on 06/05/2019 - 09:28
      +3

      how do you know my password

      • blitz on 06/05/2019 - 11:23
        +2

        Don't worry, do what I did and change it to password2

  • theHMASfriendship on 06/05/2019 - 07:49
    +1

    That is a long post.

    • SaberX on 06/05/2019 - 10:29

      The copy paste log Didnt help… :(

      I'll try and edit it shorter tonight. Admittedly i bashed it out trying to work late last night since this pushed me off course.

  • Typical16-bitEnjoyer on 06/05/2019 - 08:28

    Needs a TLDR

    • SaberX on 06/05/2019 - 10:29

      Updated. But surely one can quickly scroll to see the paste logs length?

  • Niftcow on 06/05/2019 - 12:42

    Definitely had your Spotify account details stolen and then sold on forums or darknet for cheap. I'd recommend using a password manager and generating different passwords for each website

    • SaberX on 06/05/2019 - 13:51
      +1

      How is this possible? Would it be mined off the spotify website or servers? I use my phone and laptop dor everything and dont recall logging into spotify publicly elsewhere. I am generally well protectrd on personal devices and if it was those which were compromisied then surely they Would steal banking details or other high hitters.

      I heard of password managers but arent they themselves if breached hold the keys to all your doors? Or is there a way or having a password manager easily portable with you i.e. your phone to ensure you can access anything remotely,which is protected? How does one choose a suitable password manager?

      • Niftcow on 06/05/2019 - 14:12

        I am in no way a security expert but I do work in IT.

        What i am assuming has happened, is that your Spotify password has been used on a site that has been breached before. Hackers buy massive dumps of password and email combinations and run some kind of script to check if that combination of password and email allows them to login to other websites (Spotify included). Banks invest heavily into security whereas Spotify just being a music streaming platform may not care about security as much (they probably do but when money is involved, people tend to care more lol). This is also all just a guess.

        As for password managers, yes in theory if someone had the master password to your password manager they would have access to all your passwords. However, the majority of security researchers and analysts do recommend using password managers because the security benefits far outweigh the risk of having an encrypted file with all your passwords on the internet/locally. You can have purely offline password managers, which you can carry around on a USB or other portable storage device but its naturally at the cost of convenience.

        Great video by Computerphile explaining password managers and how they work: https://youtu.be/w68BBPDAWr8

        Choosing a password manager is pretty much dependent on how much you're willing to sacrifice convenience - ie LastPass is a popular cloud based password manager or KeePass for offline).

        • SaberX on 06/05/2019 - 15:57

          Your first post is interesting. Perhaps then my password was dumped from another website. Indeed i may have used my email and this password combo on linkedin or another known data breach. However those breaches were some time ago?? Do they tend to post info awhile later in ordee to stay under radar?indeed my spotift was always my old everyday password… after all it's a free music streaming app. Sure i have premium via family plan but its stupid someone would steal it to use. I assume they're banking on me not loggin in while they use it for free?? Either way it's a service one can easily end your family plan and kick the account out so im surprised one would steal it. Would buyers knowingly purchase an on the cheap spotify account? Or are they marketed as genuine to unsuspecting buyers?? Surely not given they have to change the email address.

          Perhaps a rethink then when a haveibeenpwned entry shows a breach that all email and password combos with that account are wiped out across all one's accounts.

          I presume the safest thing is never to reuse your email passwords on normal accounts as they are the gatekeeper to your password reset emails.

          Regarding password managers - thanks for the tips and advice. Is there an easy to use recommendation where one can access it online alongside your websites on the go but also via your phone app? Sort of like how banks have OTP that work on your phone apps even when away from internet??

          I figure this would be best of both worlds vs the chances of me always carrying a physical usb stick. One would always be on comp or have their phone with them.

          • Niftcow on 07/05/2019 - 12:16

            @SaberX: Lastpass would probably be the best choice in that case. You can access your passwords through their website or via their android app.

        • SaberX on 06/05/2019 - 15:59

          By both online/offline access my reasoning also is if your phone suddenly dies (or is compromised) that having such a password manager which is backed up cloud/online so one can restore said password manager and app back onto a new phone. Rather than the info dies with your phone.

          • cwongtech on 14/05/2019 - 11:45

            @SaberX: Hey bud, I've been in your shoes as well.

            Password breached.

            Also check your Sent Items for any important documents that may personally identify you (100 pts of ID sent to employer for example)

            Enable 2FA on everything, live mail also has it now too.

            Be wary of your phone number being stolen by way of porting out a number.

            Since we use phone numbers to receive OTP codes from banks.. be careful if your phone suddenly goes no service.

            Post-paid plans, a phone number may be harder to steal (you need the phone plan ID) than prepaid phone numbers (you just need 1 form of ID, which 100 pts of ID if sent through email will have)

Login or Join to leave a comment
Login Join