If you’re among the 140 million users who enjoy streaming music from Spotify – especially if you are one of its 60 million paying customers for “premium” services – you might want to make sure you have a strong, long and unique password on your account. If not, you could be letting cybercriminals into your account.
Collective Labs’ Ryan Jackson came across an account-cracking tool called Spotify Cracker v1 last month. It was billed as a brute-force tool, but what it actually does is credential stuffing: it automatically cycles through known username and password combinations leaked from other breaches and logs in to any Spotify account that still uses one of them.
17-year-old Jackson, who reportedly has a history of involvement with hacking groups New World Hackers and Lizard Squad (“while never participating in their antics”), told the International Business Times (IBT) that he found the tool on a private server on Discord – a popular, free online communications platform used primarily by gamers.
And given current Spotify login security – the company doesn’t use CAPTCHAs, doesn’t offer two-factor authentication (2FA) and doesn’t lock an account after a run of incorrect password guesses – the tool meets little resistance. The distinction matters: a per-account lockout blunts a classic brute-force attack that hammers one account with many guesses, but a credential-stuffing tool tries each account once, with the password already known to work elsewhere, so it never trips a per-account counter. What slows it down is rate limiting per source, a CAPTCHA, 2FA, or refusing passwords that have already appeared in public breach dumps – and Spotify’s login had none of the first three.
Hackers can easily collect login credentials – email addresses and passwords – compromised in other breaches and traded on dark web marketplaces, sometimes given away for free, and then feed those credentials to the tool to find every Spotify account that reuses them.
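The point above, that a per-account lockout never fires on credential stuffing while a per-source view exposes it, is easy to see in authentication logs. The following is an added example written for this article, not code from Spotify, Collective Labs or the Spotify Cracker tool. The log line format, the sample traffic (three constructed patterns: one stuffing source, one brute-force source, a little benign traffic) and the thresholds are all assumptions made for the demonstration.

```python
"""Added example (not from the article, Spotify, or the tool it describes):
telling credential stuffing apart from classic brute force in auth logs.

A per-account lockout counter never fires on credential stuffing, because the
tool tries each account once with its leaked password. Aggregating per source
address instead exposes it. Log format, sample data and thresholds are
assumptions made for this demo."""
from collections import defaultdict
from dataclasses import dataclass, field
import re

# Assumed log line format (constructed for this example):
#   <timestamp> login user=<email> src=<ip> result=<ok|fail>
LINE_RE = re.compile(
    r"^\S+ login user=(?P<user>\S+) src=(?P<ip>\S+) result=(?P<res>ok|fail)$"
)


@dataclass
class SourceStats:          # everything one client IP did
    attempts: int = 0
    failures: int = 0
    successes: int = 0
    users: set = field(default_factory=set)


@dataclass
class AccountStats:         # everything that happened to one account
    attempts: int = 0
    failures: int = 0
    ips: set = field(default_factory=set)
    success_ips: set = field(default_factory=set)


def parse(lines):
    """Yield (user, ip, succeeded) for every well-formed line; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m["user"], m["ip"], m["res"] == "ok"


def analyze(lines, lockout_threshold=5, stuffing_min_users=20):
    by_ip = defaultdict(SourceStats)
    by_user = defaultdict(AccountStats)
    for user, ip, ok in parse(lines):
        src, acct = by_ip[ip], by_user[user]
        src.attempts += 1
        acct.attempts += 1
        src.users.add(user)
        acct.ips.add(ip)
        if ok:
            src.successes += 1
            acct.success_ips.add(ip)
        else:
            src.failures += 1
            acct.failures += 1

    # Per-account view: catches brute force, blind to stuffing (one try per account).
    lockout = sorted(u for u, a in by_user.items() if a.failures >= lockout_threshold)

    # Per-source view: many distinct accounts, roughly one attempt each, mostly failing.
    stuffing = sorted(
        ip for ip, s in by_ip.items()
        if len(s.users) >= stuffing_min_users
        and s.attempts <= 2 * len(s.users)
        and s.failures >= s.successes
    )

    # Accounts a stuffing source actually got into: these need a forced password
    # reset, and none of them would have shown up in the lockout list.
    hits = sorted(u for u, a in by_user.items() if a.success_ips & set(stuffing))
    return {
        "lockout_accounts": lockout,
        "stuffing_sources": stuffing,
        "compromised_via_stuffing": hits,
    }


def build_sample_log():
    """Constructed sample traffic (not real data) mixing three patterns."""
    lines = []
    # 1) credential stuffing: one source, 30 accounts, one leaked password each
    for i in range(30):
        res = "ok" if i % 10 == 0 else "fail"        # 3 reused passwords, 27 misses
        lines.append(f"2017-09-01T02:{i:02d}:00Z login user=u{i}@example.com "
                     f"src=203.0.113.7 result={res}")
    # 2) classic brute force: one account, many guesses from one source
    for i in range(8):
        lines.append(f"2017-09-01T03:00:{i:02d}Z login user=victim@example.com "
                     f"src=198.51.100.9 result=fail")
    # 3) benign traffic, including one honest typo
    lines.append("2017-09-01T04:00:00Z login user=alice@example.com src=192.0.2.10 result=ok")
    lines.append("2017-09-01T04:00:05Z login user=bob@example.com src=192.0.2.11 result=fail")
    lines.append("2017-09-01T04:00:20Z login user=bob@example.com src=192.0.2.11 result=ok")
    return lines


if __name__ == "__main__":
    for key, value in analyze(build_sample_log()).items():
        print(f"{key}: {value}")
```

Run stand-alone, the per-account lockout list contains only the brute-forced account, while the stuffing source is only visible once failures are grouped by client address; the three accounts it logged into never accumulated a single failure, which is exactly why a lockout rule alone is not enough. Real deployments would window these counts by time and key on more than a bare IP (stuffing tools routinely rotate proxies), but the two views are the ones to keep apart.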
Jackson tried it himself. He found a collection of emails and passwords on Pastebin – the anonymous service that lets people host text for free – and said that it took him about 15 minutes to break into 100 accounts using the tool. He said someone could simply let the tool run all night and wake up to another 20,000 compromised accounts.
Spotify, based in Sweden, didn’t respond to a request for comment, but IBT reported that the company said it had not been breached and that, “our user records are secure.” A spokesperson added:
We do however pay attention to breaches of other services, and take steps to help our users secure their Spotify accounts when those occur, because many people use the same login and password combination for multiple services. Therefore, we review sites such as Pastebin and others for leaked user credentials which might be used to access Spotify.
The company didn’t respond to questions about whether any of those “steps” would include adding more robust security features to its login process.
Still, its lack of login security, even after Collective notified it about Spotify Cracker, has prompted some well-deserved criticism, such as the following tweet from high-profile security blogger Brian Krebs:
CAPTCHAs and 2FA aren’t cutting edge – they’re basic security hygiene that any company with 140 million users ought to have in place.
Until that changes, it’s up to users to protect themselves.
Which means making sure your password is long and hard to guess, and that you don’t reuse it on any other online account – reuse is exactly what this tool exploits. Here’s a quick video on how to pick a good one: