this post was submitted on 23 Feb 2024
21 points (88.9% liked)

/c/cybersecurity - Cybersecurity News & Discussion

A community for technical news and discussion of cybersecurity and closely related topics.

founded 4 years ago
So, yeah. Other than stated, Spotify does not provide 2FA (shame on them!), so I use a strong password and for years nothing has happened.

This early morning I got multiple mails that my account was logged in from Brazil, from the USA, from India, and some other countries. There were songs liked and playlists created so it wasn’t a malicious e-mail but some people actually were able to log on to my Spotify account.

I of course changed the password and logged out all accounts and checked allowed apps, etc. and everything looks fine.

But I wonder … was there something that happened recently? The common sites to check such things do not list my old Spotify password, and a quick web research does not bring anything up.

Any clue what could have happened here?

top 5 comments
[–] kowcop@aussie.zone 2 points 8 months ago (1 children)

Is that account showing in haveibeenpwned.com, and if so, is the Spotify password the same as on any of the sites showing in haveibeenpwned?
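The comment above suggests checking the old password against a breach corpus. The usual way to do that without handing the password to a third party is the Pwned Passwords "range" lookup: the client hashes the password with SHA-1, sends only the first five hex characters of the digest, and compares the returned list of suffixes locally. The block below is an added example (not code from the thread or from Have I Been Pwned) that implements that client-side logic; the range data is a constructed in-memory stand-in for the HTTP response, so it runs offline. The only real value in it is the SHA-1 of the string "password"; the other suffixes and all counts are made up.

```python
import hashlib

# Constructed stand-in for the Pwned Passwords range data: maps a 5-hex-char
# SHA-1 prefix to the text body the API would return for that prefix
# ("<35-hex suffix>:<count>" per line). Everything here is made up except
# that "password" really hashes to 5BAA6 + 1E4C9B93F3F0682250B6CF8331B7EE68FD8.
CONSTRUCTED_RANGE_DATA = {
    "5BAA6": (
        "003D68EB55068C33ACE09247EE4C639306B:3\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
        "5A0D3B9D3A6B0BC4B7B1D3B0A0C4E5F6A7B:12\r\n"
    ),
}


def hibp_split(password: str) -> tuple[str, str]:
    """Return (prefix, suffix) of the uppercase SHA-1 hex digest.

    Only the 5-character prefix ever leaves the client; that is the
    k-anonymity property of the range endpoint.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def range_request_path(password: str) -> str:
    """Path a client would GET on the range endpoint (prefix only, never the hash)."""
    prefix, _ = hibp_split(password)
    return f"/range/{prefix}"


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; tolerates CRLF and blank lines."""
    result: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        result[suffix.upper()] = int(count)
    return result


def pwned_count(password: str, range_data=CONSTRUCTED_RANGE_DATA) -> int:
    """How many times the password appears in the (constructed) corpus.

    Returns 0 when the suffix is absent for its prefix, or when the prefix is
    not in the corpus at all. In real use, range_data[prefix] would be the
    body fetched from range_request_path(password); the comparison still
    happens locally, so the full hash is never transmitted.
    """
    prefix, suffix = hibp_split(password)
    body = range_data.get(prefix, "")
    return parse_range_response(body).get(suffix, 0)


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(f"{pw!r}: GET {range_request_path(pw)} -> seen {pwned_count(pw)} times")
```

A non-zero count only tells you the password string is in the corpus, not that this particular account was in a breach; a count of zero does not mean the password is safe, only that it is not in that corpus.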

[–] Dirk@lemmy.ml 2 points 8 months ago* (last edited 8 months ago)

The mail address is shown for 3 data breaches: Dailymotion 2016, Gravatar 2020, Myspace 2008. None of the passwords could possibly match my Spotify password, but I stopped using those services long before the breaches so I can’t tell 100%.

[–] BaumGeist@lemmy.ml 1 points 8 months ago (1 children)

Have you logged into/used Spotify on any public networks or potentially compromised private networks (e.g. that friend who's really careless with what programs they run)?

Any chance your device(s) themselves have been compromised?

Did you link Spotify with any questionable websites?

Nowadays there's more than one way to hijack accounts, and a password/2FA isn't necessarily needed, e.g. session hijacking.

[–] Dirk@lemmy.ml 1 points 8 months ago

Nope, no logins on devices I do not own. I have it on my smart home devices and on my cellphone. The phone is connected to the carrier network, the free access points of our public transport company, and the office WiFi.

I didn’t link Spotify anywhere. My devices are likely not compromised. On my phone I use open source software where possible and only very few apps in general, and all network traffic is very restricted with NetGuard in whitelist mode. So someone else, or me, or my tools would have noticed any fishy things happening on that side.

I could not say where someone could get the two sessions (my smarthome system and my phone) from based on my usage either …

It’s all just very strange.

[–] EmperorHenry@infosec.pub 1 points 8 months ago

Regardless of what corporation it is, always assume they got hacked.

Unless of course all their users' data is end to end encrypted, all with unique keys.

If a company like that gets hacked, then it's like an intruder in an apartment complex: you got through the first door, now you need to break into each apartment (account) one at a time.