Music streaming giant Spotify has notified an unspecified number of users that the company has reset their account password, but has left dozens of users asking why.
In an email, some Spotify users were told their password was reset “due to detected suspicious activity,” but gave no further details.
When reached, Spotify spokesperson Peter Collins said: “As part of our ongoing maintenance efforts to combat fraudulent activity on our service, we recently shared a communication with select users to reset their passwords as a precaution. As a best practice, we strongly recommend users not to use the same credentials across different services to protect themselves.”
In other words, Spotify says this is a credential stuffing attack, where hackers take lists of usernames and passwords from other breached sites and brute-force their way into other accounts.
We contacted several people who received the email reset message. Some used the same password across different websites and some used passwords unique to Spotify. Two people who commented on this Hacker News thread also said their passwords were unique, casting doubt on the veracity of a credential stuffing attack.
It’s not uncommon for companies to reset user passwords if they believe they are weak or easily guessed. Companies typically don’t store user passwords in plaintext. Instead, they scramble passwords using a hashing algorithm. By scrambling lists of weak or stolen passwords using the same algorithm, companies can match weak passwords against their own databases and proactively send out password reset emails.
Netflix, Facebook and Spotify too have all proactively reset account passwords in the aftermath of third-party data breaches by obtaining the data set and matching exposed passwords against their databases.
Spotify did not respond to our follow-up questions.
Customers of Chipotle, DoorDash and OkCupid have all reported account hacks in recent months. All three have denied data breaches.