The personal information of hundreds of Spotify customers appeared on the website Pastebin over the weekend, according to a TechCrunch report.
Spotify, however, says that it has not been hacked, prompting some experts to wonder if the latest incident involves data stolen during a previous security breach.
The account credentials shared on Pastebin over the weekend include emails, usernames, passwords and account type. Many of the users TechCrunch reached out to confirmed they have recently experienced a breach to their account.
Spotify has had security issues in the past. In November, more than 1,000 Spotify email addresses and passwords were leaked. The company also suffered a security breach in 2014.
Spotify maintains that this is not a new incident. In a statement released on its website, the company said, "Spotify has not been hacked and our user records are secure. We monitor Pastebin and other sites regularly. When we find Spotify credentials, we first verify that they are authentic, and if they are, we immediately notify affected users to change their passwords."
But some Spotify customers reported that their accounts were used and changed by unknown third parties over just the past few days. It appears that the parties are actually using the victims' Spotify accounts rather than simply stealing credentials for other uses.
"For anyone using Spotify, or a similar digital music subscription service, it is critical on a daily basis to monitor any financial account tied to those services for the slightest hint of fraudulent activity—not just in the wake of a breach," said Levin.
For companies previously affected by a hack, it’s worth noting that a data breach can have a recurring impact. Once the data is stolen, it can continue to show up in various places or be used for an undetermined amount of time, inflicting a potentially indefinite amount of damage.