How I Lost Control of My Spotify Account
And How To Prevent Unauthorised Access to Yours
Monday morning. Bag down, headphones on, ready to get to work. But first some music.
Please enter your username and password.
Hmmm, I don’t remember the last time Spotify asked me that.
Sigh. I guess I’ll have to reset.
Password reset email sent.
Why am I not getting a password reset email?
Maybe I signed up with my Facebook account?
Welcome to Spotify, would you like to take a tour?
That’s weird, it thinks I’m a new user…
It took me surprisingly long to figure out why I couldn’t access my Spotify account. Someone had managed to log themselves into my account, and had replaced the email address on the account with their own. Luckily it was a premium account, so even though it took several days and a few emails back and forth, the Spotify support team reset my account and restored the playlists I had lost.
But why would anyone want to hack into my Spotify Premium account?
Surely no one hates ads so much that they would hack into someone else’s account to get rid of them rather than paying the monthly fee?
Months after this happened, when I had forgotten all about it, I read this article about Spotify’s royalties model, which revealed a motive:
All a fraudster has to do is set up a fake artist account with fake music, and then they can use bots to generate clicks for their pretend artist. If each stream is worth $0.007 a click, the fraudster only needs 1,429 streams to make their $10 subscription fee back, at which point additional clicks are pure profit. But… it’s possible to purchase stolen premium accounts on the black market, making the scheme profitable almost immediately.
So someone got control of my Spotify account, and was using it to play their own ‘music’ on repeat to extract royalties from the system. It turns out that it’s possible to make up to $600 monthly per account this way. But how did they get into my account in the first place?
This is where I have to admit that even though I’ve been interested in computer security for a long time, I’ve been lazy for a much longer time, and sometimes I reuse passwords. I know, I know… When I first set up my Spotify account I used a password I had used before. I didn’t bother changing it when I upgraded to premium.
It turns out that one of the things I had used that same password for was to sign up for an Adobe Photoshop trial. Oh and, in the meantime, Adobe got hacked and the details of 153 million accounts leaked. Oops.
So I’m guessing that some ethically compromised, entrepreneurial faux-artist out there realised that people would reuse their Adobe passwords for other things and checked all the hacked details to see if they could log into Spotify with them. And my account was one of those.
Stop reusing passwords. Seriously! Stop it. Right now.
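To see how far one leaked password reaches, here is an added example (not part of the original post) that audits a password-manager export for reuse and lists the accounts to change first after a breach. It assumes the export has been reduced to (site, username, password) rows; the vault contents, the `.example` site names and the function names are all made up for illustration.

```python
import hashlib
from collections import defaultdict

# Constructed sample of a password-manager export: (site, username, password).
# Every value here is made up for this example.
SAMPLE_VAULT = [
    ("adobe.example", "me@mail.example", "sunshine-2013"),
    ("spotify.example", "me@mail.example", "sunshine-2013"),
    ("forum.example", "me_forum", "sunshine-2013"),
    ("bank.example", "me@mail.example", "T7#qv!9zLw@4rKe2"),
    ("shop.example", "me@mail.example", "correct horse battery"),
    ("news.example", "me@mail.example", "correct horse battery"),
]


def _fingerprint(password):
    # Group by digest so the plaintext never ends up in the report.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def reuse_groups(vault):
    """Return lists of sites that share one password (groups of 2+ only)."""
    groups = defaultdict(list)
    for site, _user, password in vault:
        groups[_fingerprint(password)].append(site)
    return sorted(sorted(sites) for sites in groups.values() if len(sites) > 1)


def exposed_by_breach(vault, breached_sites):
    """Sites whose password is also used on a breached site.

    These are the accounts to change first; the breached sites
    themselves are included in the result.
    """
    breached = set(breached_sites)
    leaked = {_fingerprint(pw) for site, _u, pw in vault if site in breached}
    return sorted(site for site, _u, pw in vault if _fingerprint(pw) in leaked)


if __name__ == "__main__":
    for sites in reuse_groups(SAMPLE_VAULT):
        print("same password on:", ", ".join(sites))
    print("change first:", exposed_by_breach(SAMPLE_VAULT, ["adobe.example"]))
```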
After this happened I read up a bit on best practices for personal online security, and wrote up a short summary of the easiest things with the greatest impact. You can read it here.
Thanks for reading, I hope you’ve found this useful. Please recommend and share so others can read this too. Leave a comment or response if you have any tips to share! Now, I have some passwords to change…