Music streaming giant Spotify has notified an unspecified number of users that the company has reset their account password, but has left dozens of users asking why.
In an email, some Spotify users were told their password was reset “due to detected suspicious activity,” but gave no further details.
Anyone else getting emails from Spotify about suspicious activity? No compromise, at least not on my account, just seems to be getting hammered
— Chris (@Barsbeh) May 16, 2019
Suspicious activity detected on my Spotify account. 🤷🏻♀️
— NK (@NonoGerrard) May 21, 2019
Disrupt 2026: The tech ecosystem, all in one room
Your next round. Your next hire. Your next breakout opportunity. Find it at TechCrunch Disrupt 2026, where 10,000+ founders, investors, and tech leaders gather for three days of 250+ tactical sessions, powerful introductions, and market-defining innovation. Register now to save up to $400.
Save up to $300 or 30% to TechCrunch Founder Summit
1,000+ founders and investors come together at TechCrunch Founder Summit 2026 for a full day focused on growth, execution, and real-world scaling. Learn from founders and investors who have shaped the industry. Connect with peers navigating similar growth stages. Walk away with tactics you can apply immediately
Offer ends March 13.
Spotify just reset my password due to 'suspicious activity'. Did someone hack in to listen to Justin Bieber or something?
— P13 (@apaulothirteen) May 16, 2019
When reached, Spotify spokesperson Peter Collins said: “As part of our ongoing maintenance efforts to combat fraudulent activity on our service, we recently shared a communication with select users to reset their passwords as a precaution. As a best practice, we strongly recommend users not to use the same credentials across different services to protect themselves.”
In other words, Spotify says this is a credential stuffing attack, where hackers take lists of usernames and passwords from other breached sites and brute-force their way into other accounts.
We contacted several people who received the email reset message. Some used the same password across different websites and some used passwords unique to Spotify. Two people who commented on this Hacker News thread also said their passwords were unique, casting doubt on the veracity of a credential stuffing attack.
It’s not uncommon for companies to reset user passwords if they believe they are weak or easily guessed. Companies typically don’t store user passwords in plaintext. Instead, they scramble passwords using a hashing algorithm. By scrambling lists of weak or stolen passwords using the same algorithm, companies can match weak passwords against their own databases and proactively send out password reset emails.
Netflix, Facebook and Spotify too have all proactively reset account passwords in the aftermath of third-party data breaches by obtaining the data set and matching exposed passwords against their databases.
Spotify did not respond to our follow-up questions.
Customers of Chipotle, DoorDash and OkCupid have all reported account hacks in recent months. All three have denied data breaches.
How two-factor authentication can protect you from account hacks
