Spotify, the streaming music giant with over 170 million monthly users, recently reported a phishing attack that led to users having their personal data stolen. The company had a virtually hack-proof system for users and their information. For example, Spotify never asked users to enter payment details such as credit card numbers, account passwords, or social security numbers, nor information about third-party vendors like Western Union, and it would never ask users to download anything, whether attached to an email or otherwise. That sounds responsible and safe, so how could Spotify fans have their secure data stolen? Hackers who live for the challenge found a way to do it with a new twist on an old theme.
The Spotify app has 75 million paid subscribers and an annual revenue of about $1.7 billion. The app also has a free version available. With Spotify not requiring any type of data input from its users, it was a mystery how the hack could even happen. User names and passwords were stolen, which led to break-ins on other accounts those Spotify fans used. Enter email phishing, a tried-and-true hack that took Spotify users by surprise. Users received a very authentic-looking email from “Spotify,” asking them to click on a link to confirm their account login information. The disguised email claimed the link would “remove any restrictions on your Spotify account” and verify that they were truly the account owner. Clicking on the link brought users to another legitimate-looking Spotify web page that asked for their login data. Disguised as a responsible security move by Spotify, it fooled countless account holders. Clever, huh? Because many of them used the same login information for Spotify that they used for other online accounts, the hackers gained information and access to those other accounts as well. Here is where password reuse comes in.
It cannot be stressed enough: use unique credentials for each and every online account. The reason is simple. Hackers have tools that take a stolen user name and password and try them against other sites automatically and very quickly, and those tools are very effective.
Many of us know that reusing sign-on information like user names and passwords across accounts is a risk, but we keep our fingers crossed and hope for the best. Unfortunately, hackers took those Spotify logins and accessed other user accounts that used the same logins. Arguably, that would not have happened if the link in the phishing emails had never been followed to begin with. Email phishing exploits victims using many tactics, including looking like the real deal: fake websites and login pages that look so real we don’t even question whether they could be a fake designed to steal our information.
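The automated password-trying tools mentioned above leave a recognisable trace on the receiving end: one source trying many different user names, each only once or twice, because the attacker already has the leaked password for each account. The following Python script is an added example, not code from the article or from Spotify; it runs simple detection logic over constructed sample authentication log lines (the format, IP addresses and user names are invented for illustration) and flags sources that try many distinct accounts within a short window, while leaving a single user's repeated typos alone.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from Spotify or the article).
# Format assumed for this example: timestamp, source IP, user name, result.
SAMPLE_LOG = """\
2018-06-01T10:00:01 203.0.113.5 alice FAIL
2018-06-01T10:00:02 203.0.113.5 bob FAIL
2018-06-01T10:00:02 203.0.113.5 carol FAIL
2018-06-01T10:00:03 203.0.113.5 dave OK
2018-06-01T10:00:04 203.0.113.5 erin FAIL
2018-06-01T10:00:05 203.0.113.5 frank FAIL
2018-06-01T10:03:10 198.51.100.9 alice FAIL
2018-06-01T10:03:40 198.51.100.9 alice FAIL
2018-06-01T10:04:05 198.51.100.9 alice OK
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, ip, user, result)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result


def find_credential_stuffing(log_text, window=timedelta(minutes=5), min_users=5):
    """Flag source IPs that attempt at least `min_users` distinct user names
    within any `window`-long span. A single user failing a few times and then
    succeeding is normal behaviour and is not flagged.

    Returns {ip: {"users": distinct_user_count, "successes": [users logged in]}}.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = parse_line(line)
        events[ip].append((ts, user, result))

    flagged = {}
    for ip, attempts in events.items():
        attempts.sort()  # chronological order for the sliding window
        for i, (start, _, _) in enumerate(attempts):
            users, successes = set(), set()
            for ts, user, result in attempts[i:]:
                if ts - start > window:
                    break
                users.add(user)
                if result == "OK":
                    successes.add(user)
            if len(users) >= min_users:
                flagged[ip] = {"users": len(users), "successes": sorted(successes)}
                break  # one hit per IP is enough to raise an alert
    return flagged


if __name__ == "__main__":
    for ip, info in find_credential_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {info['users']} distinct accounts tried; "
              f"successful logins: {info['successes'] or 'none'}")
```

The successful logins listed for a flagged source are the accounts whose owners reused a leaked password; those are the accounts to reset first. The thresholds are assumptions for the example and would be tuned against real traffic.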
If you receive a real-looking email from a trusted source that you were not expecting, the number one rule is: NEVER click on its links or attachments. Aside from attachments being filled with malware that could infect your device, those emails are also designed to win our trust. Avoiding email phishing requires dedication to verifying the sender. Instead of clicking a link to a website, hover over it with your mouse pointer, or hold your finger on it for several seconds on your touchscreen device, to see where it really goes. Even if you’re sure it’s OK to go there, it is still safer to type the URL into your browser yourself. Links have a way of distorting what you think is real.
In addition to doing that, check for the lock icon to the left of the URL, where you can also see whether the site has a security certificate (a real one). If any message appears claiming there is a problem with the security certificate, don’t go there.
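The hover-before-you-click advice above amounts to comparing where a link says it goes with where it actually goes. The following Python script is an added example, not code from the article or from Spotify, that performs that comparison over the links in an HTML email body: it pulls out each link's visible text and real destination, and flags links whose destination is not on the trusted brand domain, whose displayed URL differs from the real one, or that use the `user@host` trick to hide the real host. The trusted domain list, the sample email and the lookalike host names are constructed for illustration and are not taken from the original article.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allow-list of the brand's own registrable domains (an assumption
# for this example; a real deployment would maintain its own list).
TRUSTED_DOMAINS = {"spotify.com"}


class LinkCollector(HTMLParser):
    """Collect (href, visible_text) pairs from an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude eTLD+1 (last two labels): fine for .com brands, wrong for co.uk."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def assess_link(href, text):
    """Return the reasons a link looks suspicious; an empty list means none found."""
    reasons = []
    target = urlparse(href)
    host = target.hostname or ""
    if target.scheme != "https":
        reasons.append(f"scheme is {target.scheme or 'missing'}, not https")
    if registrable_domain(host) not in TRUSTED_DOMAINS:
        reasons.append(f"destination host {host!r} is not a trusted domain")
    # Visible text that looks like a URL but points somewhere else is classic bait.
    shown = re.search(r"https?://([^/\s]+)", text)
    if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
        reasons.append(f"displayed host {shown.group(1)!r} differs from real host {host!r}")
    # Everything before '@' in the netloc is user info; the real host comes after it.
    if "@" in target.netloc:
        reasons.append(f"netloc contains '@'; the real host is {host!r}")
    return reasons


def scan_email_html(html):
    """Return [(href, visible_text, reasons)] for every link in the body."""
    parser = LinkCollector()
    parser.feed(html)
    return [(href, text, assess_link(href, text)) for href, text in parser.links]


# Constructed sample modelled on the lure described in the article (not a real email).
SAMPLE = """<p>Click below to remove restrictions on your account.</p>
<a href="http://spotify.com.account-verify.example/login">https://www.spotify.com/account</a>
<a href="https://www.spotify.com/us/account/overview/">Manage account</a>
<a href="https://www.spotify.com@198.51.100.7/login">Confirm login</a>"""

if __name__ == "__main__":
    for href, text, reasons in scan_email_html(SAMPLE):
        print(f"{'SUSPICIOUS' if reasons else 'ok'}: {text!r} -> {href}")
        for reason in reasons:
            print("   -", reason)
```

Note that the script judges the destination host, not merely whether the link uses HTTPS: a lookalike site can obtain a perfectly valid certificate for its own name, so the lock icon only tells you the connection is encrypted to whatever host is in the address bar, and that host is what has to be checked.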
Keeping safe from email phishing takes dedication, something Spotify users wish they had done.