I think I’ve said on some occasion before A few years ago they tried to “steal” my Spotify account (and they succeeded for an hour). It was mid-January, it was getting dark and I was already driving home after a day’s business. Right now I can’t remember if I was also using Apple Music at the time or if I was still just on “Spoti”. The fact is, I was listening to one of my playlists when suddenly the session was logged out.

I drove and it took me half an hour (maybe a bit more) to get to the town where I lived at the time, park and drive home. On the way home from the car I tried to log in again on my mobile but it didn’t work and when I got home I found that someone got my credentialslogged in, changed the associated email account and password, and logged out of all devices it was open on.

Of course I immediately contacted Spotita support and, I will always say this, their performance was five stars. They responded immediately, asked me a few security questions, and within minutes They have already restored access to my account. Security bug? 100% my responsibility, because this set of credentials (username and password) was recycled, that is, I already used it in other services. Among them at Yahoo!’s email service, which has suffered two major breaches in the past decade.

However, I said the responsibility was 100% mine, but in reality I think it is shared. Part of the blame was on Yahoo for the lack of data protection and maybe 5% was attributed to Spotity not having a more secure login system. Fortunately, that seems to be about to change because, as documented by some users on Reddit, Spotify is introducing two-factor authentication.

At least for now, they only offer a way to receive a one-time code by email, which we will have to enter after logging in with our credentials. As I say, it’s not the most secure 2FA method in the world, because if our email account was compromised, a potential attacker would have access to said unique codes. However, compared to the current situation, it represents a great advance. Another thing of course is to wait until they implement more ways for the second step, we recommend an app like Authy, Google Authenticator or similarly, or even better, skip to Passkey. But hey, now they’ve made an important step worth celebrating.