Spotify is making some users reset their passwords — because other websites keep getting hacked.
The music streaming service recently sent out an email to some users prompting them to change their passwords “to protect your Spotify account.” Why? “Because we believe it may have been compromised during a leak on another service with which you use the same password.”
The reset was first reported by Motherboard.
Basically, Spotify has not been hacked. (That it knows of.)
But, because lots of people re-use passwords across multiple sites and services, if one of those other services is successfully hacked and user details are compromised, then hackers can use these login details to gain illicit access to accounts on other sites — like Spotify.
There have been numerous huge data breaches in the news recently, often dating from years ago, and affecting tens of millions of users — including LinkedIn, Tumblr, and MySpace.
So to protect its users, Spotify is forcing those whose details were exposed in some of these previous breaches to change their passwords.
“Spotify has not experienced a security breach and our user records are secure,” a spokesperson said in an emailed statement.
“We do however pay attention to breaches of other services, and take steps to help our users secure their Spotify accounts when those occur, because many people use the same login and password combination for multiple services. Therefore, when we hear that another online service has been hacked, Spotify’s security team will review sites (such as Pastebin and others) for leaked user credentials which might be used to access Spotify.”
Spotify isn’t identifying which particular breach has prompted this reset, saying only that “having become aware of such a security breach, Spotify’s security team identified that some of the leaked user credentials might correspond to Spotify accounts. As Spotify chooses to take a proactive approach to security, we have therefore reset all of the relevant passwords and sent the customers an email asking them to create a new one.”
In its emails to affected users, Spotify reassures them: “Don’t worry! This is purely a preventative security measure. Nobody has accessed your Spotify account, and your data is secure.”
Security experts recommend never reusing passwords: use a unique, strong password for each website or service you have an account with, and save them with a password manager if necessary.
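The check Spotify's statement describes, comparing leaked credentials against a service's own accounts and forcing a reset on matches, can be sketched as follows. This is an added example, not Spotify's code: the `login:password` dump format, the salted PBKDF2 storage scheme, and all names and sample data are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed PBKDF2 work factor for this sketch


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_record(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt), "must_reset": False}


def parse_dump(lines):
    """Yield (login, password) from 'login:password' lines; skip malformed ones."""
    for line in lines:
        login, sep, password = line.rstrip("\r\n").partition(":")
        if sep and login and password:
            yield login.strip().lower(), password


def flag_reused_credentials(users: dict, dump_lines) -> list:
    """Mark accounts whose current password appears next to their login in the dump."""
    flagged = []
    for login, password in parse_dump(dump_lines):
        record = users.get(login)
        if record is None or record["must_reset"]:
            continue  # not our user, or already queued for a reset
        # Re-hash the leaked password with this user's own salt and compare.
        if hmac.compare_digest(hash_password(password, record["salt"]), record["hash"]):
            record["must_reset"] = True  # caller forces the reset and emails the user
            flagged.append(login)
    return flagged


def demo():
    # Constructed accounts and constructed dump lines, not real data.
    users = {
        "alice@example.com": make_record("Summer2016!"),
        "bob@example.com": make_record("a-unique-passphrase-for-this-site"),
    }
    dump = [
        "Alice@Example.com:Summer2016!\n",  # reused password: flagged
        "bob@example.com:Summer2016!\n",    # login matches, password differs: not flagged
        "carol@example.com:letmein\n",      # no account on this service
        "line without a separator\n",       # malformed
    ]
    return flag_reused_credentials(users, dump), users
```

Only accounts whose stored hash matches the leaked password are flagged, so users who already use a unique password for the service are not forced through a reset.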