Spotify has denied it has been hacked, after the credentials of hundreds of users of the streaming service, including emails, usernames and passwords, are understood to have been posted to Pastebin. Mark James commented on this news below.
Mark James, Security Specialist at ESET:
Can Spotify be 100% sure they haven’t been hacked?
“It’s extremely hard to be 100% certain they have not been breached. Unless they have actual evidence of the breach while it’s happening, or clear logs indicating the breach, all they can do is study the “leaked” information and verify its authenticity. It should be relatively easy to verify: the information should be quite unique for that industry, and it would be clear soon enough if it is legitimate. There are many ways data can leak, malware-centric or even employee-leaked; it’s quite possible that this is old data that has resurfaced.”
Is it possible that the details are from a previous attack and the users simply haven’t changed their credentials?
“Yes, absolutely. If users are unaware of breached data or do not understand the severity of data breaches, they may not change any login credentials. Data can sit dormant for weeks, months or even longer, waiting for all the “hype” to die down; then it’s a case of checking the information and using anything that’s still valid. Users may even wait for suspicious activity around breached accounts before they change usernames and/or passwords. Data breaches are becoming more common and affecting larger companies; these days you are in the minority if your data is not exposed for all to see in some form or another.”
What should users do?
“Users must get into the habit of changing passwords regularly; all too often users wait until a breach happens, then go and change everything. In most cases the bad guys have already found, identified and used your data, so it’s already too late. If you get into the habit of changing passwords at regular intervals, then it makes little difference if some of your data is leaked, because it’s already invalid. It won’t, of course, stop someone from using it for identity theft purposes, but we need to stop making it easy for them.
Regardless of whether these are details from a new breach or not, I would strongly suggest that all Spotify users change their passwords immediately and keep a lookout for any targeted phishing attempts using that data.”