Music streaming giant Spotify has notified an unspecified number of users that the company has reset their account password, but has left dozens of users asking why.
In an email, some Spotify users were told their password had been reset "due to detected suspicious activity," but were given no further details.
When reached, Spotify spokesperson Peter Collins said: "As part of our ongoing maintenance efforts to combat fraudulent activity on our service, we recently shared a communication with select users to reset their passwords as a precaution. As a best practice, we strongly recommend users not to use the same credentials across different services to protect themselves."
In other words, Spotify says this is a credential stuffing attack, where hackers take lists of usernames and passwords from other breached sites and brute-force their way into other accounts.
We contacted several people who received the email reset message. Some used the same password across other websites and some used passwords unique to Spotify. Two people who commented on this Hacker News thread also said their passwords were unique, casting doubt on the veracity of a credential stuffing attack.
It's not unusual for companies to reset user passwords if they believe they are weak or easily guessed. Companies generally don't store user passwords in plaintext. Instead, they run passwords through a hashing algorithm. By scrambling lists of weak or stolen passwords using the same algorithm, companies can match weak passwords against their own databases and proactively send out password reset emails.
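As an added example (not Spotify's code and not part of the original article), here is how a service could run that matching against its own salted hashes: a leaked password list is re-hashed per account, and a leaked username/password pair from another site's breach is checked against just that user's record. The storage scheme (per-user salt with PBKDF2-HMAC-SHA256) and all sample data are assumptions constructed for the example.

```python
import hashlib
import hmac
import os

# Assumed storage scheme: random per-user salt + PBKDF2-HMAC-SHA256.
ITERATIONS = 100_000

def hash_password(password: str, salt: bytes) -> bytes:
    """Hash a password the same way the service's database does."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

def make_record(username: str, password: str) -> dict:
    """Build a stored credential record (constructed sample data)."""
    salt = os.urandom(16)
    return {"user": username, "salt": salt, "hash": hash_password(password, salt)}

def find_weak_accounts(records: list, leaked_passwords: list) -> list:
    """Flag accounts whose password appears in a leaked/weak password list.
    Per-user salts mean every candidate is re-hashed for every record, so the
    cost is len(records) * len(leaked_passwords) slow hashes; no plaintext needed."""
    flagged = []
    for rec in records:
        for pw in leaked_passwords:
            if hmac.compare_digest(hash_password(pw, rec["salt"]), rec["hash"]):
                flagged.append(rec["user"])
                break
    return flagged

def find_reused_credentials(records: list, leaked_pairs: list) -> list:
    """Flag accounts whose (username, password) pair from another site's breach
    unlocks the account here: one hash per pair, the check behind proactive resets."""
    by_user = {rec["user"]: rec for rec in records}
    flagged = []
    for user, pw in leaked_pairs:
        rec = by_user.get(user)
        if rec and hmac.compare_digest(hash_password(pw, rec["salt"]), rec["hash"]):
            flagged.append(user)
    return flagged

# Constructed sample data: three accounts plus two kinds of leaked input.
SAMPLE_RECORDS = [
    make_record("alice", "correct horse battery staple"),
    make_record("bob", "password123"),
    make_record("carol", "S0m3-unique-passphrase!"),
]
LEAKED_PASSWORDS = ["password123", "qwerty", "letmein"]
LEAKED_PAIRS = [("alice", "correct horse battery staple"), ("carol", "wrong-guess")]
```

Only "bob" is flagged by the weak-password sweep and only "alice" by the reused-credential check; accounts that match would get the reset email, the rest are left alone.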
Netflix, Facebook and Spotify too have all proactively reset account passwords in the aftermath of third-party data breaches by obtaining the data set and matching exposed passwords against their databases.
Spotify did not respond to our follow-up questions.