The user information appeared in three different online data dumps on Pastebin starting on Monday. Each dump contained email addresses with their corresponding Spotify passwords. For some accounts, home countries, account types, and account renewal information were also published.
According to Forbes, the information for at least 80 of the individual accounts was correct. Fifteen different users also confirmed that the leaked passwords were unique to Spotify.
The identity of the hacker or hackers responsible is still unknown. Two of the posts of user data were tweeted by @hacked_emails this week, and one post (since removed by the site where it was published) contained the following signature: "This shit is leaked by yours truely [sic], Internet Protocols." One set of data leaked on Wednesday was similar to another leak of Spotify user info reported by Newsweek in November, while the two other dumps on Monday appeared more recent.
It is not yet clear how the Spotify account information was obtained. While a number of passwords were unique to Spotify, they could possibly have been obtained by hackers using a program that tries many different password combinations, rather than through a hack of the Spotify system itself.
A spokesperson for Spotify gave the following statement about the leak:
"Spotify has not been hacked. We monitor Pastebin and other sites regularly. When we find Spotify credentials, we first verify that they are authentic, and if they are, we immediately notify affected users to change their passwords."
However, reports suggest that Spotify has failed to let users know that their account information has been hacked.
To find out if your account info on Spotify or elsewhere has been compromised, you can search haveibeenpwned.com.