
The 2020 Spotify Breach: A Wake-Up Call to Conduct App Privacy Audits

The Spotify incidents of 2020 revealed data privacy vulnerabilities.

Spotify had a bad year in 2020. Despite growth in total users, the company operated at a loss and suffered two separate security incidents within a matter of weeks.

These security breaches affected up to half a million accounts. Celebrity profiles were vandalized with political messages. December 2020 was a rough month for the company, but also for Spotify users (artists and listeners alike). 

What made these breaches particularly instructive wasn’t just their scale or their rapid succession. It was what they revealed about the nature of digital security in an interconnected world. When attackers accessed Spotify accounts, they didn’t need to break down Spotify’s front door. They walked in using keys stolen from somewhere else entirely.

The Spotify incidents of 2020 demonstrate a critical truth: waiting for companies to protect you isn’t a security strategy. Regular, active audits of your app privacy settings are no longer optional. They’re essential.

What happened at Spotify in 2020: A timeline of two breaches

Attack #1: Credential stuffing attack

Late November 2020 brought the first wave of trouble. Between 350,000 and 500,000 Spotify accounts fell victim to what security experts call credential stuffing. 

Attackers had obtained a database of login credentials, more than 100,000 account details according to security researchers. Importantly, these weren’t stolen directly from Spotify; they came from breaches at other services. Once acquired, they were systematically tested against Spotify accounts. The attackers were betting on the fact that people reuse passwords. The bet paid off.

The exposed information included email addresses, usernames, passwords, and account types. But here’s what made the incident particularly concerning: the exposure risk had existed since April 9, 2020. Spotify didn’t discover it until November 12—more than seven months later!

Attack #2: The celebrity hack

A week after the credential stuffing attack, things got weirder at Spotify. 

Someone calling himself “Daniel” compromised several high-profile artist accounts. He replaced profile information with demands that people follow him on Snapchat, signing his messages with “Trump 2020.” He also declared his affection for Taylor Swift. Some artist profile pictures were swapped out entirely, replaced with images of Swift herself.

Users documented the vandalism across social media platforms, and the incident demonstrated that even verified, high-profile accounts remained vulnerable to this kind of attack. 

The technical breakdown: How these scams happened

Let’s take a closer look at credential stuffing.

Unfortunately, human habits are fairly predictable, and credential stuffing simply exploits the tendency to reuse passwords. Millions of people use a single password across all of their logins, or rotate among a handful. Very few people manage a different password for every login, even though a good password manager makes that easy.

This means that when one service suffers a breach, attackers can harvest those credentials and test them everywhere else. They use automated tools to try stolen username and password combinations across thousands of websites. These attacks don’t require sophisticated hacking, just patience and computing power.

In Spotify’s case, attackers used what researchers identified as a malicious database containing more than 100,000 account details, likely obtained from another source entirely. The credentials worked because users did what users do: they had recycled their passwords.
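The pattern described above is visible from the service side long before users notice anything: a stuffing tool hits many different accounts from one source with a low success rate, whereas a real user who mistypes a password hits one account repeatedly. The following is an added example, not Spotify’s code or tooling, that runs that distinction over a few constructed log lines (the log format, the IP addresses, the account names and the thresholds are all assumptions made for the example) and lists the accounts whose passwords would need to be reset, which is the response the article describes.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of a service's authentication log (not Spotify data).
# Assumed format: ISO-8601 timestamp, source IP, account, outcome.
SAMPLE_LOG = """\
2020-11-10T03:12:01Z ip=203.0.113.7 user=alice@example.com result=FAIL
2020-11-10T03:12:02Z ip=203.0.113.7 user=bob@example.com result=FAIL
2020-11-10T03:12:02Z ip=203.0.113.7 user=carol@example.com result=OK
2020-11-10T03:12:03Z ip=203.0.113.7 user=dave@example.com result=FAIL
2020-11-10T03:12:03Z ip=203.0.113.7 user=erin@example.com result=FAIL
2020-11-10T03:12:04Z ip=203.0.113.7 user=frank@example.com result=FAIL
2020-11-10T03:12:05Z ip=203.0.113.7 user=grace@example.com result=OK
2020-11-10T03:12:05Z ip=203.0.113.7 user=heidi@example.com result=FAIL
2020-11-10T03:15:00Z ip=198.51.100.4 user=alice@example.com result=FAIL
2020-11-10T03:15:20Z ip=198.51.100.4 user=alice@example.com result=FAIL
2020-11-10T03:15:45Z ip=198.51.100.4 user=alice@example.com result=OK
2020-11-10T09:00:00Z ip=192.0.2.9 user=bob@example.com result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Turn log lines into (timestamp, ip, account, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of crashing the detector
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["user"], m["result"] == "OK"))
    return events


def find_stuffing_sources(events, window=timedelta(minutes=10),
                          min_accounts=5, max_success_rate=0.5):
    """Flag source IPs that try many *different* accounts inside `window`
    with a low success rate. A user mistyping their own password hits one
    account repeatedly; a stuffing tool hits many accounts once or twice each.
    The thresholds are illustrative assumptions, not tuned production values."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        best = None
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until the span fits inside `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            chunk = evs[start:end + 1]
            accounts = {e[2] for e in chunk}
            successes = sorted(e[2] for e in chunk if e[3])
            if (len(accounts) >= min_accounts
                    and len(successes) / len(chunk) <= max_success_rate):
                # keep the widest qualifying window for this source
                if best is None or len(accounts) > best["accounts_tried"]:
                    best = {"accounts_tried": len(accounts),
                            "attempts": len(chunk),
                            "successes": successes}
        if best:
            flagged[ip] = best
    return flagged


def accounts_to_reset(flagged):
    """Accounts a flagged source actually got into: these are the ones whose
    passwords must be invalidated, which is what Spotify did in November 2020."""
    return sorted({acct for info in flagged.values() for acct in info["successes"]})


if __name__ == "__main__":
    hits = find_stuffing_sources(parse_log(SAMPLE_LOG))
    for ip, info in hits.items():
        print(f"{ip}: {info['accounts_tried']} accounts in {info['attempts']} attempts")
    print("reset:", accounts_to_reset(hits))
```

Only 203.0.113.7 is flagged: it touches eight accounts in four seconds with two successes. The three failed-then-successful attempts from 198.51.100.4 against one account look like a person fixing a typo and are left alone. The important operational point is the last function: the two accounts the stuffing source got into are exactly the ones that need a forced reset, regardless of how many other attempts failed.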

[Image: Password reset notifications on a smartphone screen, illustrating Spotify’s swift response to the November 2020 credential stuffing attack.]

Spotify’s response and lessons

Once Spotify discovered the November credential stuffing attack, the company moved quickly. Password resets went out to all affected accounts, immediately invalidating the compromised credentials. Spotify also worked to have the fraudulent database removed by the hosting provider. 

These responses were appropriate, even necessary. But why did it take so long? Seven months passed before anyone noticed the vulnerability, seven months during which user data sat exposed.

Users received notifications about the incidents, and Spotify recommended they visit “Have I Been Pwned” to check whether their credentials appeared in other breaches. You can also use WhatIsMyIPAddress.com’s Data Breach tool to find out if your email account has been compromised.  

Why the Spotify breach should matter to everyone, not just Spotify users

If you’re not a Spotify user, you might be tempted to look at the privacy breach at Spotify and think, “So what? They didn’t get my data, since I don’t have an account there.” 

The problem with that kind of thinking is that data breaches have a domino effect. A breach at one service becomes ammunition for scammers to attack other apps, platforms, and services. The Spotify credential stuffing attack didn’t start at Spotify. It started somewhere else, maybe even years earlier! Chances are, if the affected users learned which account was originally breached, many wouldn’t even remember using that service!

If you’re using the same password for Instacart as for a random web forum you joined in 2015, you’re at risk. If your bank password is the same as your Facebook password, you’re definitely at risk. And if you have been using the same password for 20+ years, then you’re really, really, REALLY at risk!

Attackers are using those email/password combinations, testing them against new platforms. Old breaches never stop mattering. 

[Image: A person reviews a smartphone screen showing connected apps and third-party services, the first step in a proper privacy audit.]

The takeaway: Regular privacy audits are essential

The Spotify incidents of 2020 teach us that passive security doesn’t work. Creating a strong password when you sign up, then never thinking about security again? That’s not a strategy. It’s just wishful thinking.

What does work is a regular, systematic review of your privacy settings and connected services. Not once. Not “someday when I have time.” Regularly.

What a privacy audit looks like

A proper privacy audit involves several distinct actions:

  • Review connected apps and third-party services that have access to your account. Many users would be surprised to discover how many services they’ve granted permissions to over the years.
  • Check what data you’re sharing. Most platforms offer granular controls over what information is public, what’s shared with partners, and what remains private. Default settings often favor maximum sharing.
  • Examine account activity logs. Look for logins from unfamiliar locations or devices. Check for actions you don’t remember taking.
  • Update security settings. Enable every security feature available, particularly two-factor authentication.
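The third item, examining account activity logs for unfamiliar locations or devices, is the one step that can be turned into a repeatable check rather than a quick scroll through a settings page. What follows is an added example, not code from the article or from any platform: it takes a constructed "recent login activity" export (the device labels, countries, timestamps and IP addresses are all made up for the example), builds a baseline of familiar devices and countries from the older entries, and flags anything that departs from it. It also goes one step beyond the article's wording with an "impossible travel" check, flagging two logins from different countries only hours apart.

```python
from datetime import datetime, timedelta

# Constructed sample of one account's "recent login activity" export
# (not real data). Each row: ISO-8601 timestamp, device label, country, IP.
ACTIVITY = [
    ("2020-11-01T08:10:00Z", "iPhone 11",      "US", "192.0.2.10"),
    ("2020-11-02T19:30:00Z", "Windows Chrome", "US", "192.0.2.10"),
    ("2020-11-03T08:05:00Z", "iPhone 11",      "US", "192.0.2.11"),
    ("2020-11-09T01:00:00Z", "iPhone 11",      "US", "192.0.2.10"),
    ("2020-11-09T02:41:00Z", "Linux Firefox",  "RO", "203.0.113.7"),
    ("2020-11-09T02:43:00Z", "Linux Firefox",  "RO", "203.0.113.7"),
    ("2020-11-10T08:00:00Z", "iPhone 11",      "US", "192.0.2.10"),
]


def _ts(s):
    """Parse the export's timestamp format (an assumption of this example)."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def build_baseline(rows, before):
    """Devices and countries seen before `before` are treated as familiar.
    Pick a cutoff you are confident predates any compromise."""
    devices, countries = set(), set()
    for ts, device, country, _ip in rows:
        if _ts(ts) < _ts(before):
            devices.add(device)
            countries.add(country)
    return devices, countries


def audit_activity(rows, baseline, max_travel_hours=6):
    """Return the rows worth a second look, each with its reasons.
    `max_travel_hours` is an illustrative threshold, not a calibrated value."""
    devices, countries = baseline
    findings = []
    prev = None
    for row in sorted(rows, key=lambda r: r[0]):
        ts, device, country, ip = row
        reasons = []
        if device not in devices:
            reasons.append("unknown device")
        if country not in countries:
            reasons.append("unfamiliar country")
        # Two countries within a few hours is physically implausible.
        if prev is not None and prev[2] != country:
            gap = _ts(ts) - _ts(prev[0])
            if gap < timedelta(hours=max_travel_hours):
                reasons.append(f"impossible travel from {prev[2]} in {gap}")
        if reasons:
            findings.append({"time": ts, "device": device, "country": country,
                             "ip": ip, "reasons": reasons})
        prev = row
    return findings


if __name__ == "__main__":
    baseline = build_baseline(ACTIVITY, "2020-11-08T00:00:00Z")
    for finding in audit_activity(ACTIVITY, baseline):
        print(finding["time"], finding["device"], finding["country"],
              finding["ip"], "->", "; ".join(finding["reasons"]))
```

The two logins from an unrecognised Linux browser in a country the account has never been used from are reported, and the first of them is additionally tagged as impossible travel because a familiar device logged in from the US less than two hours earlier. Either finding on its own is the cue the audit list above calls for: change the password, sign out every session, and check the connected apps.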

Practical steps for Spotify users (and everyone else)

Creating an audit routine doesn’t require technical expertise, but it does require consistency. Follow this schedule for the next year, then repeat it every year, and you will be far better protected from data breaches.

Monthly quick checks:

  • Take note of any unusual account activity
  • Look for any new connected apps you don’t recognize
  • Review your recent login locations
  • Make any necessary privacy settings changes

Quarterly deep dives:

  • Conduct a full review of third-party permissions
  • Verify all security settings
  • Update passwords for high-value accounts (banking, healthcare, email, social media, etc.) 

Annual comprehensive audits:

  • Review your privacy settings across all apps and services
  • Delete accounts you no longer use
  • Update your recovery information
  • Check for data breach notifications

To make this happen, you can set calendar reminders, prompting you to get the work done. These tasks don’t usually take very long to complete, but they do take some effort and, again, consistency. 

Tools and resources for protecting yourself from data breaches

  • The WhatIsMyIPAddress.com data breach tool
  • Password managers that generate and maintain unique, strong passwords for every account
  • Two-factor authentication adds a critical second layer. Even if someone obtains your password, they can’t access your account without also having your phone or authentication device.
  • Most major platforms now offer privacy checkup tools that walk you through settings systematically. Use them.

Taking control of your digital security

The 2020 Spotify incidents weren’t unique. Similar breaches happen constantly, across industries and platforms. What makes them instructive is how clearly they illustrate the limits of relying solely on corporate security measures. You can’t trust that a corporation is going to keep you safe from data breaches. In fact, their practices sometimes make things worse. 

Spotify responded appropriately once it discovered the issues, resetting passwords, contacting partners, and taking down the fraudulent database. But seven months had already passed, leaving users’ accounts vulnerable to takeover.

Regular privacy audits put you in control. They transform security from something that happens to you into something you actively manage. They won’t prevent every breach—no individual action can. But they dramatically reduce your exposure and accelerate your response when problems do occur.

You don’t need to wait for the next notification email to arrive, informing you that your data has been compromised. Audit your settings today. Then, next month, do it again. In our world, where breaches at one service threaten accounts at dozens of others, proactive security isn’t paranoia. It’s common sense.
