As the largest music streaming service in the world with 381 million active users and 172 million paying customers, Spotify is one of the main targets for hackers. Hundreds of Spotify accounts are hacked every day and leave their owners without access to their music and playlists they've curated.
In this article, you'll learn why and how hackers hack Spotify accounts, how you can protect yourself, and what to do if that ever happens.
Table of Contents
- Why Hackers Hack Spotify Accounts?
- How Hackers Hack Spotify Accounts?
- Is My Spotify Account Hacked?
- What to Do If My Spotify Account Is Hacked?
- How to Prevent Getting Hacked?
- Third-Party Websites and Apps
Why Hackers Hack Spotify Accounts?
Hackers hack Spotify accounts for several reasons.
Sometimes they hack Spotify accounts to sell them to other people. There are forums and marketplaces on the internet where such stolen accounts are traded and some people opt for purchasing these (cheaper) accounts instead of purchasing a genuine subscription.
Another reason Spotify accounts are hacked these days is to use them to fake streams.
Using an innocent person's Spotify account, hackers repeatedly play an artist's music to artificially increase stream numbers and drive revenue.
One notable recent case is rapper French Montana who has been accused of using this method to fake streams in an attempt to turn his flopped song into a hit.
How Hackers Hack Spotify Accounts?
There are many ways that hackers can break into your Spotify account:
The most common and easiest way for hackers to gain access to Spotify accounts is by trying the email addresses and passwords that have been leaked from other websites and services.
If you use the same email address and password for both Spotify and other services; and later any of those services is compromised, all hackers need to do is to try those leaked credentials on your Spotify account to gain access.
That's why it's super important not to share your passwords between multiple websites and apps.
You might have come across unofficial Spotify clients (desktop apps or Android APKs) that claim to give you access to premium Spotify features for free.
These apps are, however, almost always designed to steal your account info. Once you enter your email address and password, they'll steal them and send them to hackers.
Only install Spotify apps from spotify.com or official stores (like Goole Play and App Store).
A key-logger is a piece of software that hackers install on your computer and it enables them to see everything that you type. That includes not only your chats with your significant other, but your emails, passwords, and credit card numbers.
So make sure you regularly scan your computer for malware and never type your username and password on a computer that you don't own.
Cookies are small files that websites use to store small pieces of data on your browser. They are also used for storing your login information.
A hacker who has access to your computer can copy these files to their own computer and gain access to your account without even the need to know your email and password. This is especially easy to do if you install unknown extensions on your browser.
To prevent this kind of attack, never install untrusted apps and browser extensions and make sure to download them from official sources.
Sometimes hackers send you emails that look like they're from Spotify but in fact are fake and direct you to a malicious website (that again, looks very similar to spotify.com) and ask you to enter your email address and password.
If you fall for this trick and enter your credentials on these fake websites, you'll in fact send your account info directly to the hackers.
Read the rest of this post to learn how to protect your account against phishing.
Bruce-force means trying many words, numbers, and phrases with the hope of eventually guessing a password.
To protect against this attack, it's important that you choose a long, complex password and make sure that it doesn't contain words or names from English or your native language.
Is My Spotify Account Hacked?
If you see any of the following signs, then your Spotify account might have been compromised:
- The music you're listening to randomly stops or some other music starts playing
- Your recently played music looks wrong
- You see playlists that you don't recognize, or your playlists are lost
- Unfamiliar music is saved to your library or playlists
- You get emails from Spotify about logins that you don’t recognize
- Another Facebook account is connected to your Spotify account
- You cannot log in to your account
- Your email address is changed
- Your subscription is changed
What to Do If My Spotify Account Is Hacked?
If you can't access your account, contact Spotify immediately.
If you still have access to your account, you're in luck. Do the following steps immediately to get control of your account back from the hacker:
1. Reset Your Password
Use this form to reset your Spotify password.
Also, change the password for any service associated with your account such as your email or Facebook.
2. Sign Out Everywhere
Go to your Account page and click on the Sign out everywhere button.
3. Remove Unwanted Apps
Go to the Apps page and remove any third-party app that you no longer use.
4. Scan Your Computer for Key-loggers and Malware
And be sure to download them from a trusted website.
5. Uninstall Browser Extensions
Check your browser for any unknown or untrusted extensions and remove them.
6. Recover Your Playlists
If any of your playlists have been deleted, you can go here and restore them.
How to Prevent Getting Hacked?
It's easy to stop hackers from hacking your Spotify account if you follow these simple rules:
Do Not Use Unofficial Clients
These apps are almost always designed to steal your account. Don't be tempted by any false promises (like free Premium access) they might offer.
Do Not Share Your Spotify Account with Anyone
You might trust your friends or family members, but you can never be sure that they know how to keep your account secure.
Use a Strong Password
A strong password
is at least 12 characters long. The longer your password is, the better. Each additional symbol in a password exponentially increases the number of possible combinations. This makes passwords over a certain length essentially uncrackable, assuming you’re not using common phrases.
uses uppercase and lowercase letters, numbers, and special symbols. Passwords that consist of mixed characters are harder to crack.
isn't obvious. A good password needs to be something that’s really difficult for someone else to guess, so don’t go for anything really generic, like "password" or "12345".
isn't based on your personal information. It’s really important that you don’t use anything personal to you, like your nickname, date of birth or pet’s name. This is information is really easy for a hacker to find out simply by looking at your social media.
doesn't contain memorable keyboard paths. Don’t use sequential keyboard paths, like "qwerty", as it's very easy for hackers to crack them.
Use a Password Manager
You might think that the above rules are too complicated—and you're right. So what's the solution? Use a password manager.
Password managers are applications that can generate long complex unique passwords and keep them safe for you. They can also sync them across multiple devices like your laptop and mobile phones so that you can access them anywhere.
Do Not Use Shared/Public Computers
That means your friend or colleague's computer or at an Internet Café (if they're still relevant in your country). You can never be sure that they are clean of malware.
Do Not Reuse Passwords
This is one of the most important factors in keeping your account safe.
Websites and services on the Internet get compromised all the time and if you use the same password for multiple websites, you're at a big risk if any of them is hacked and their user data is leaked onto the Internet.
Pay Attention to Emails from Spotify
If you receive an email from Spotify that notifies you about a new login, and you haven't signed in on a new device recently, it's a big sign that your account might have been compromised.
Watch for Scam Emails
While you should take emails from Spotify seriously, be very cautious about fake emails that try to steal your account info.
Emails from Spotify always end with @spotify.com and they never ask for personal information, such as your password and payment info, or ask you to download anything.
Sign Out Before Selling Your Devices
If you plan to sell your Spotify-connected devices (like smart speakers), make sure to always sign out of Spotify before handing them to their new owner.
Third-Party Websites and Apps
What about third-party Spotify websites and apps. Are they safe to use?
The short answer is, yes. However, you must remember that they may be able to change things in your account if you give them permission to.
How Do Third-Party Websites and Apps Work?
Spotify allows other websites and apps to integrate with it. This makes it possible to offer new functionality and features that are not natively available in Spotify. Like volt.fm which gives you detailed stats and analysis over your listening habits.
To make this possible while keeping user accounts safe and secure, Spotify uses a standard called OAuth.
In this method, instead of entering your Spotify credentials on the third-party website, the user is redirected to the Spotify website or apps for authentication. After validating the credentials and getting the user's permission, Spotify allows the third-party app to connect to your Spotify account. This way, the third-party service never receives your password and you can revoke their access at any time.
As you can see in the picture above, there are three categories of permission that third-party apps can request:
1. View Your Spotify Account Data
This includes access to your account info like name, email address, and profile picture.
2. View Your Activity on Spotify
This includes viewing the music you're listening to, what you have saved in your library, and who you follow.
It's safe to give third-party apps this level of access to your account if you don't mind sharing these details with them.
3. Take Actions in Spotify on Your Behalf
This level of access allows the third-party service to perform actions like changing your currently playing music, saving songs to your library, and creating playlists.
You should only grant these permissions to services that you completely know and trust.
volt.fm asks for these permissions only when they are strictly required; like when you want to save your top songs as a playlist.
It's generally safe to give third-party services access to your Spotify account. They won't be able to "hack" your account, but based on the permissions that you give them, they may be able to perform some actions.
If you encounter a third-party service that's misbehaving, you can simply remove their access from the Apps page on the Spotify website.