A number of Spotify users have reported receiving emails that suggest the music streaming service may have experienced a security breach, though the company has denied that any hack has taken place.

Rumor of the security breach started on Reddit when a user going by the name Keoft reported receiving an email from breach alert service Have I Been Pwned that warned emails and passwords may have been compromised.

According to Keoft, the breach was related to a Pastebin—a temporary and anonymous service that allows people to host text for free—document that contained “thousands of emails and passwords.” The Reddit user theorized the Pastebin information must have stemmed from a breach that affected Spotify.

After making the post, a number of other Spotify users on Reddit chimed in to say they recently experienced strange activity taking place on their accounts. “I was wondering if it was just me. I was hacked on the morning of the 22nd. They reset the email and the password. Spotify thankfully helped me recover,” one user wrote .

Another user said they received an email from Spotify alerting them that the email address associated with their account was changed. The email from Spotify also provided the user with a resource to contact to recover the account. “So that's why I can't login,” the Redditor wrote.

Despite the reports of suspicious activity being experienced by a number of Spotfiy users, the music streaming service has insisted that it did not experience a breach. “Spotify has not experienced a security breach and our user records are secure,” the company said in a statement provided to Digital Music News .

“We do however pay attention to breaches of other services, and take steps to help our users secure their Spotify accounts when those occur, because many people use the same login and password combination for multiple services,” the company said. “Therefore, we review sites such as Pastebin and others for leaked user credentials which might be used to access Spotify.”

It is possible—even likely—that Spotify has not experienced a data breach but accounts have still leaked online. That happens when users reuse the same usernames and passwords for multiple accounts.

Because of the number of breaches that have occurred in recent years, there are huge databases of login credentials for hackers to sift through. When a user has the same password for multiple accounts, it is possible for a breach to become more widespread than just affecting the site that was breached.

It’s also very common for subscription services to be a popular target for attackers. They are popular on dark web marketplaces, where they often sell for a fraction of the price of a legitimate account—though they come with no guarantees that the user won’t catch on and reclaim the account.

In order to avoid such situations, users are advised not to reuse passwords across multiple accounts in order to minimize exposure when breaches do inevitably happen.

Spotify does not currently offer two factor authentication—a login solution that provides an additional layer of security by requiring a secondary code sent a device associated with the user be provided in addition to the password—but it does allow users to login with a linked Facebook or Google account. Doing so does not give Spotify access to the user’s password on those accounts and can prevent a user’s password from being exposed.

RELATED STORIES
Security Google Spotify Security