What specific data breaches or leaks has Spotify experienced and when did they occur?

Checked on December 11, 2025

Executive summary

Spotify has repeatedly been affected by credential-stuffing campaigns and partner-data exposures rather than direct platform-wide intrusions. Reported incidents include an unsecured Elasticsearch database (described as ~72 GB / ~380 million records) used to validate stolen credentials against Spotify, reported in March 2025 and affecting more than 300,000 accounts, and a separate exposure of customer data to third-party business partners disclosed in April 2025, which prompted password resets after the issue had persisted for months [1] [2].

1. Credential stuffing and the 300,000+ account incident — what happened and when

In early 2025 security researchers found an unsecured Elasticsearch database containing roughly 72 GB of data and more than 380 million records that was being used to validate credentials against Spotify; vpnMentor and other researchers said the records covered some 300,000+ Spotify accounts, and Spotify forced password resets for affected users (reported March 2025) [1] [3] [4]. Multiple outlets framed this not as a compromise of Spotify's internal systems but as credential stuffing: attackers replayed username/password pairs leaked from other breaches against Spotify logins, succeeding wherever users had reused the same password [5] [6].

2. Repeated credential-stuffing pattern and company response

Researchers and vendors documented multiple credential-stuffing waves hitting Spotify across late 2024 into 2025: the tactic relies on leaked credentials from other services and typically does not indicate that Spotify itself was breached internally, according to Spotify statements cited by security sites [5] [6]. Spotify’s standard response in these episodes included mandatory password resets for affected users and takedown requests for the public databases used in attacks [6] [4].
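The response pattern described above (identify the accounts hit by a combo-list replay, force resets on the ones where a login succeeded) depends on first telling credential stuffing apart from ordinary failed logins or a single-account brute force. The following is an added example, not code from the original page or from Spotify, that runs that distinction over constructed authentication log lines: one source IP cycling through many distinct accounts with mostly failures and a few successes is flagged, while a source hammering one account is not. The log format, thresholds and IP addresses are assumptions for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample authentication log (not from Spotify or any real system).
# 203.0.113.5 replays a leaked combo list: many distinct users, mostly FAIL, two OK.
# 198.51.100.7 repeatedly fails on one account: brute force / forgotten password.
# 192.0.2.9 is a single normal successful login.
SAMPLE_LOG = """\
2025-03-04T10:00:01Z ip=203.0.113.5 user=alice@example.com result=FAIL
2025-03-04T10:00:02Z ip=203.0.113.5 user=bob@example.com result=FAIL
2025-03-04T10:00:02Z ip=203.0.113.5 user=carol@example.com result=OK
2025-03-04T10:00:03Z ip=203.0.113.5 user=dave@example.com result=FAIL
2025-03-04T10:00:03Z ip=203.0.113.5 user=erin@example.com result=FAIL
2025-03-04T10:00:04Z ip=203.0.113.5 user=frank@example.com result=FAIL
2025-03-04T10:00:04Z ip=203.0.113.5 user=grace@example.com result=OK
2025-03-04T10:00:05Z ip=203.0.113.5 user=heidi@example.com result=FAIL
2025-03-04T10:00:05Z ip=203.0.113.5 user=ivan@example.com result=FAIL
2025-03-04T10:00:06Z ip=203.0.113.5 user=judy@example.com result=FAIL
2025-03-04T10:01:00Z ip=198.51.100.7 user=mallory@example.com result=FAIL
2025-03-04T10:01:01Z ip=198.51.100.7 user=mallory@example.com result=FAIL
2025-03-04T10:01:02Z ip=198.51.100.7 user=mallory@example.com result=FAIL
2025-03-04T10:01:03Z ip=198.51.100.7 user=mallory@example.com result=FAIL
2025-03-04T10:01:04Z ip=198.51.100.7 user=mallory@example.com result=FAIL
2025-03-04T10:01:05Z ip=198.51.100.7 user=mallory@example.com result=FAIL
2025-03-04T10:02:00Z ip=192.0.2.9 user=alice@example.com result=OK
"""

# Assumed log line layout for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)
    successes: list = field(default_factory=list)


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def aggregate(log_text):
    """Aggregate attempts, failures, distinct users and successes per source IP."""
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        s = stats[ev["ip"]]
        s.attempts += 1
        s.users.add(ev["user"])
        if ev["result"] == "FAIL":
            s.failures += 1
        else:
            s.successes.append(ev["user"])
    return stats


def flag_credential_stuffing(log_text, min_failures=5, min_distinct_ratio=0.8):
    """Return {ip: summary} for sources whose failure volume AND account spread
    look like a combo-list replay. A high distinct-user ratio is what separates
    stuffing from a brute force that hammers one account."""
    findings = {}
    for ip, s in aggregate(log_text).items():
        if s.failures < min_failures:
            continue
        if len(s.users) / s.attempts < min_distinct_ratio:
            continue  # many failures but few accounts: brute force, not stuffing
        findings[ip] = {
            "attempts": s.attempts,
            "failures": s.failures,
            "distinct_users": len(s.users),
            # Successful logins from a stuffing source are the accounts whose
            # reused password worked: these are the ones to force-reset first.
            "likely_takeovers": sorted(s.successes),
        }
    return findings


if __name__ == "__main__":
    for ip, summary in flag_credential_stuffing(SAMPLE_LOG).items():
        print(ip, summary)
```

In production the same aggregation is run over a sliding time window rather than a whole file, and the source key is usually broadened (ASN, proxy fingerprint, JA3/JA4 hash) because stuffing tooling rotates IPs; the distinct-user ratio remains the discriminating signal.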

3. Third‑party partner exposure disclosed April 2025 — scope and timeline

In April 2025 Spotify notified California authorities and users that some account registration information had been exposed to certain third‑party business partners; the company said the issue was discovered and fixed after seven months and that it issued password resets for impacted accounts [2]. Reporting described this as a separate customer-data exposure (email, display name, password, gender, date of birth “only to certain business partners”) rather than a mass data dump from Spotify’s own servers [7] [2].

4. Broader location-data incidents that included Spotify as a data source

Independent breaches of data brokers in late 2024/early 2025 reportedly leaked location histories and other telemetry that involved many apps’ users — including Spotify’s — because brokers collect app usage data across thousands of titles. Reporting said these broker breaches (at companies such as Gravy Analytics and Mobilewalla) exposed terabytes of location data affecting millions and implicated Spotify only as one of many app brands whose users’ data may be present in those broker datasets [8] [9]. That is a supply‑chain/data‑broker exposure, not necessarily a direct Spotify systems breach [8].

5. Incidents involving public playlist compilation and “Panama Playlists” — privacy vs. breach

Summer 2025 reporting surfaced services compiling public Spotify profiles and playlists for prominent figures (the so‑called “Panama Playlists”), which journalists framed as a privacy lapse tied to Spotify’s default public settings rather than a technical break‑in of Spotify systems. Multiple outlets noted the content came from publicly accessible playlist data and user settings rather than a platform compromise [10] [11]. Available sources do not claim Spotify’s internal security was breached in that specific episode [10] [11].

6. Disagreement among sources and Spotify’s repeated qualifier

Security outlets repeatedly quote Spotify’s position that credential-stuffing incidents “were not the result of any breach of Spotify’s security,” emphasizing reused credentials from other breaches as the root cause [5] [6]. Other reporting treats the outcomes — exposed emails/passwords, forced resets, partner leaks — as de facto data‑exposure incidents even when no internal compromise was alleged [3] [2]. Readers should note the distinction reporters draw between “data exposures due to third parties or reused credentials” and “internal platform breaches.”

7. What the sources do and do not report — limits of current coverage

The assembled sources document credential‑stuffing incidents (March 2025 cluster), a partner‑exposure disclosed in April 2025, and app‑ecosystem broker leaks that may include Spotify user telemetry [1] [2] [8]. Available sources do not provide a comprehensive, single chronology of every Spotify-related leak across all years, and they do not confirm that Spotify experienced a large-scale internal breach that directly released its backend user database in these specific 2024–2025 reports [5] [6]. A full list of historical incidents beyond what these reports cover is not available in the cited sources.

8. Practical takeaways and stakes

Security researchers and vendors recommend unique passwords and multifactor authentication to blunt credential-stuffing attacks; Spotify’s forced resets and partner‑notification actions mitigate some immediate risks but leave broader privacy questions about third‑party data sharing and data brokers unresolved [5] [2] [8]. Journalistic coverage shows the dominant pattern in 2024–2025 was account takeover via reused credentials and partner or broker exposures — not a single, definitive Spotify-originated mass database leak in the cited reporting [5] [1] [2].
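Unique passwords blunt credential stuffing only if reused, already-leaked passwords are caught at registration or reset time. The standard way to do that without sending the password anywhere is a k-anonymity range lookup: hash the password, send only the first five hex characters of the hash, and compare the returned suffixes locally. The following is an added example, not code from the original page or from Spotify, that implements that check against a constructed breach corpus embedded in the file so it runs offline; the corpus contents and counts are made up, and the local range function stands in for a network fetch (the Have I Been Pwned Pwned Passwords API uses this exact scheme, but no network call is made here).

```python
import hashlib
from collections import defaultdict


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the hash the range scheme is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a breach corpus (passwords and counts are made up).
LEAKED_CORPUS = {"password": 9545824, "123456": 37359195, "letmein": 1234}


def build_range_index(corpus):
    """Group full hashes by their 5-hex-char prefix, emitting 'SUFFIX:COUNT' lines
    per prefix, as a k-anonymity range endpoint would serve them."""
    index = defaultdict(list)
    for pw, count in corpus.items():
        h = sha1_hex(pw)
        index[h[:5]].append(f"{h[5:]}:{count}")
    return {prefix: "\r\n".join(sorted(lines)) for prefix, lines in index.items()}


LOCAL_RANGES = build_range_index(LEAKED_CORPUS)
REQUESTED_PREFIXES = []  # records what would have left the host: prefixes only


def local_fetch_range(prefix: str) -> str:
    """Offline substitute for GET /range/<prefix>; returns the range text or ''."""
    REQUESTED_PREFIXES.append(prefix)
    return LOCAL_RANGES.get(prefix, "")


def breach_count(password: str, fetch_range=local_fetch_range) -> int:
    """Return how many times the password appears in the corpus (0 if absent).
    Only the 5-char prefix is handed to fetch_range; the suffix match is local."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in fetch_range(prefix).splitlines():
        if not line.strip():
            continue
        candidate, _, count = line.partition(":")
        if candidate.strip().upper() == suffix:
            return int(count)
    return 0


def registration_allowed(password: str, fetch_range=local_fetch_range, min_length=12) -> bool:
    """Policy check a signup or reset handler would apply: reject short passwords
    and any password present in the breach corpus, since those are exactly the
    values a credential-stuffing list will contain."""
    return len(password) >= min_length and breach_count(password, fetch_range) == 0


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(pw, breach_count(pw), registration_allowed(pw))
```

Swapping `local_fetch_range` for a real HTTP fetch of the range endpoint gives the production version; the privacy property to verify is the one `REQUESTED_PREFIXES` captures, namely that nothing longer than the five-character prefix ever leaves the host.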
