Updated | Over one thousand email addresses and passwords from the music streaming app Spotify were leaked following a hack attack last week, according to multiple victims who confirmed with Newsweek.
Newsweek verified the details of the hack with nine individuals whose email addresses were posted publicly on November 2. One victim claimed he was locked out of his account for three days.
Another victim says he tracked his compromised email to an address hosted in Russia. Russia has been a hacker haven for those who collect personal records in the past decade. One Russian hacker ring reportedly amassed over 1.2 billion username and password records last year, according to The New York Times .
Several victims of the attack told Newsweek that Spotify did not inform them that their accounts were compromised. Some only heard back when they reached out to Spotify themselves after realizing their accounts had been hacked.
“I honestly had no idea this was a problem affecting multiple users,” says one victim to Newsweek in an email. “The messaging from Spotify appeared to imply mine was an individual case.”
It is unclear who hacked Spotify or why the hacker decided to leak personal data—also called doxxing—publicly. In many doxxing cases, hackers leave a preamble explaining their motivations on their attacks. The Spotify hacker left little to no traces.
In the past eight days since the dox, Spotify had no blog posts or public announcements informing its 20 million subscribers that some accounts have been leaked.
In an email to Newsweek, Spotify provided a statment, denying there was a hack in their system.
"Spotify has not been hacked and our user records are secure," reads the statement. "The compromised credentials come from a well known past leak on another service.
"Many people use the same credentials for multiple services and we urge anyone who thinks his or her information was compromised to change passwords. We regularly look for leaks on other services and match account names with our own so we can advise users to change passwords that may have been compromised."
If you believe you were hacked in this attack on the streaming app, check out haveibeenpwned.com or email Spotify directly.
The article was updated to include Spotify's statement.