Security nightmares with Spotify

As you might have read sites like Reddit a list of Spotify emails and passwords were posted online in a pastebin. I was one of the affected people in there and I had seen my account getting hijacked in front of me while listening to music on Spotify.

So I started researching what happened and narrowed down potential holes to the absolute minimum possible.

Facebook

You can sign up on Spotify using your Facebook account. It utilizes OAuth to get some information about you and then either signs you up or logs you in. It stores the following data about you: your e-mail address, your date of birth, your country and it creates a unique ID for legacy devices.

This means you don't have to use the regular username/password methods for logging into any of Spotify's official apps. You do need to create an app-password if you want to use Spotify on legacy devices that don't support the Facebook API for logging in.

The breach

The user from the reddit thread I just mentioned got an email from haveibeenpwned with the notification that his username and password for spotify were found on a pastebin. The pastebin itself is taken down already, else I would have already known how I was affected, but alas it wasn't that easy.

For some reason the moderators of r/Spotify did not pin the PSA on their subreddit, despite having so many people that might be affected by this. It also hasn't reached any news outlets, you can prove me wrong on that though because I didn't research that well enough to completely confirm.

My journey in securing my Spotify account

I did a few things in an attempt to secure my Spotify account intially:

• Facebook: Since Spotify uses OAuth through Facebook to sign in this was the first place I started to change. I changed my password to something more secure, I logged my facebook out to all the sessions and made sure my 2FA was still active. I didn't see anything suspicious on my Facebook account though.

It would be suspicious of someone somehow got access to my facebook account anyway, because of the 2 Factor Authentication I set up on the account.

• Spotify: I logged me out of all the sessions to make sure I had to start clean everywhere.

However these steps did not help. I started getting a bit paranoid and started getting the security of my e-mail account. Fortunately you can check the activity of your Microsoft account just like you can on Facebook. Same thing, nothing suspicious. I changed my password anyway and killed the sessions everywhere (yay gotta log in everywhere again).

No luck there either obviously. My e-mail account has no relation to my Spotify account and the only attack vector could've been Facebook, right?

The actual solution to the Spotify security nightmare

At some point I had set up a password for my Spotify account because I used a legacy device a few years ago and I still remembered it. I typed the password in at Password Security Info and this is what showed up:

So I thought, let's try out that password on my Spotify account using the unique ID which you can get by going to the device password section of your account on spotify:

I copied it, logged out of my account, pasted the ID and then typed my breached password in there and would you look at that. I got logged in! So that's how the perpetrator got access to my account.

So why couldn't I change my password through the account screen then? Well I used a Facebook account so any type of account recovery or password changes need to be done through facebook initally. If you try to initiate a password reset you get greeted by this helpful (/s) message:

So how did I actually get control of my account?

I set up a new device password. The device password is somehow the substitute for the Facebook account authentication.

The problem with the security at Spotify

The use of device passwords is no where mentioned in their support document at the time of writing this. In addition to that, their support took too long to reply to an account breach and the representative on the Twitter DMs was not able to help me at all and he just pointed me to a support document which I had already followed.

Spotify needs to be clear about the data they store and their password management needs to be more user friendly, especially towards people signed in using Facebook accounts. I got my account back again and I can listen to my music in peace now.

This post will be published on my medium page as well and they will link back to each other. Be sure to leave an upvote if this was interesting or if it helped you!