Something weird is going on with my mother-in-law Missy’s Spotify account.
According to Spotify Wrapped, the service’s personalized year-end analysis of listening habits, her most-streamed artist was Canadian rapper Tommy Genesis. She had never heard of Tommy Genesis and didn’t recognize any of her songs.
Missy suspected someone else was using her account, and she’s not the only one.
Ethan Adams,
from Ayer, Mass., noticed new playlists he didn’t create and mystery songs added to his own playlists in his Spotify account earlier this year. When the Wrapped roundup claimed Polo G was his second-most-streamed artist, Mr. Adams wondered: Polo who?
Earlier, Mr. Adams had received an email from Spotify about a login he didn’t recognize. He used the “Sign out everywhere” tool in the app’s account settings page and changed his password to make sure the intruder couldn’t get back into his account.
Spotify user Ethan Adams suspected something was awry when Polo G—an artist he’d never heard of—was one of his year’s most-streamed artists.
Photo:
Ethan Adams
Who are these phantom users? A Spotify spokeswoman said the company couldn’t say and can’t speak to the particular motivations of unauthorized users. It does encourage all users to create unique, strong passwords. It also recommends logging out on shared devices no longer in use—for instance,
Sonos
speakers in a vacation rental. Spotify doesn’t offer two-factor authentication, an extra layer of login protection offered by most major services such as
META 2.82%
and Google. Because of this, reusing passwords that might have leaked on the internet could put your account at risk.
Think you’ve got an account moocher on Spotify,
Netflix
NFLX 0.10%
or another service? There’s a way to find out, or at least boot off anyone who may be lingering.
Many popular services including Netflix,
Amazon
AMZN -0.67%
and
Apple
AAPL -1.46%
show a list of devices connected to your account. Regularly vetting these logins is a good security practice, said
Adam Marre,
chief information security officer at cybersecurity firm Arctic Wolf.
Other than screwing up your recommendation algorithms, unauthorized users could change your account credentials to lock you out. On some services, they could even steal sensitive information, such as your credit-card number or home address. If you see activity you don’t recognize, opt to sign out everywhere and reset your password.
These freeloaders might also begin to incur costs on your monthly bill. Netflix is trying out a payment structure for out-of-household users in some countries in Latin America, and said a similar system could launch in the U.S. next year.
Whether a hacker used a leaked password or your logins are just making the rounds of old roommates and friends of friends, you should spot unauthorized users and keep them away.
Check Where You’re Logged In
Spotify: The music-streaming service doesn’t show detailed information for logged-in devices like other services do, but you can see devices that recently accessed the account. In settings, select the Devices menu, then check Recently played—the clock icon in the top right corner—for suspicious activity.
If you see anything you don’t recognize, log in to Spotify.com on the web and use the “Sign out everywhere” button in account settings to log out of connected smartphones, tablets, desktop or web players. (You won’t find the option in Spotify’s mobile apps.) This universal log-out tool doesn’t sign you out of other types of devices, such as game consoles or smart speakers. You’ll need to go to Spotify’s separate third-party apps page to revoke access.
You can access Spotify’s ‘Sign out everywhere’ tool in the account settings section of Spotify.com.
Netflix: After signing into Netflix on the web or the mobile app, navigate to account settings. Under Security & Privacy, click on Manage access and devices. There you’ll see all recently active devices, each device’s location and the selected profile. Go back to the main account settings page to sign out of all devices.
Disney+: You can’t see which devices are logged into your account, but you can sign out of all devices from the app. Tap your profile avatar, then Account, then log out of all devices.
Apple: See which devices are connected to your Apple ID on your iPhone by going to the Settings app, then tapping your name to see a list of laptops, tablets, speakers and streaming devices where you’re logged in. Tap any product name to remove it from your account. You can also see the same list of logged-in devices on a Mac, under System Settings (System Preferences in older MacOS versions) or on the web through iCloud.com.
Amazon: Go to your Amazon account settings, then click Manage your content and devices. Here, you can deregister your Amazon account from devices where you’re currently signed in. Amazon doesn’t show you sign-ins made through web browsers, though. And there’s no simple “sign out everywhere” option. If you think your account has been compromised, start a chat with Amazon’s support team to ensure you’re signed out of all locations.
Google: From Google.com, click on your profile picture in the top right corner, then select Security. Scroll down to see devices and locations where you’re signed in. Click on each device to sign it out.
Instagram: In the app, go to your profile (bottom right), then the menu (top right), then Settings. Tap Security, then Login Activity to see where you’re logged in. Tap the three dots next to each device to log out.
Facebook: In Facebook account settings, go to Security and login to see the devices and locations where you’re signed into Facebook. Tap the three dots next to each device to log out.
Prevent Unauthorized Users
Don’t reuse passwords. Hackers can acquire troves of passwords from data breaches, and they try the credentials elsewhere, knowing that many of us reuse passwords. (Another reason why it’s important to use strong, unique passwords.) You can check whether your password has been leaked at HaveIBeenPwned.com. Password managers can help.
Turn on two-factor authentication. Not all services offer this important form of security, but you should have it active for all the ones that do, including Apple, Google, Amazon, Facebook and Instagram. The best ones include various secure options, not just the typical text-message code.
SHARE YOUR THOUGHTS
Have you suspected an unauthorized user of accessing your account? What did you do? Join the conversation below.
Wipe your devices before selling or donating them. Prevent phantom logins by properly signing out of your accounts before handing over an old device. My colleague Cordilia James has a great guide on what to do before getting rid of an iPhone or Android phone.
Beware of phishing email or text scams. Hackers commonly use emails or texts to bait you into clicking on a link that looks like a service’s login page. Instead, you’re handing your credentials right over to hackers. One scam targeting Netflix users was so widespread the company set up a help page dedicated to combating it. Instead of clicking on links from texts or emails, go directly to the service’s website.
Sign out of your accounts on shared devices. Make sure to sign out of your streaming account after visiting a hotel or
Airbnb.
You don’t want future guests interrupting your next movie night—most services limit the number of simultaneous streams. Better yet: Bring your own streaming device while traveling.
—For more WSJ Technology analysis, reviews, advice and headlines, sign up for our weekly newsletter.
Write to Nicole Nguyen at [email protected]
Copyright ©2022 Dow Jones & Company, Inc. All Rights Reserved. 87990cbe856818d5eddac44c7b1cdeb8
For all the latest Technology News Click Here
For the latest news and updates, follow us on Google News.
