SIM-Hijacking Spotify Account Takeover Scam
Criminals hijack a victim's mobile phone number through a SIM swap to intercept Spotify's SMS password-reset code, taking over the account and potentially accessing linked payment details or Spotify for Artists data.
Part of: SIM Hijacking and Mobile Account Takeover Scam
Last reviewed: 8 June 2026
Spotify allows account recovery via SMS verification sent to the registered phone number. For users who have linked their phone number to their Spotify account, a successful SIM hijack against that number gives an attacker a direct path to account recovery without needing the original password.
SIM hijacking is executed by persuading the mobile carrier's customer service team to issue a new SIM card for the victim's number, usually by answering the carrier's identity questions with personal details harvested from data breaches. Once the swap completes, the victim's handset drops off the network and every SMS sent to that number, including Spotify verification codes, is delivered to the attacker's device.
Spotify accounts belonging to active music creators who use Spotify for Artists are particularly valuable targets. Spotify pays royalties to the distributor or label rather than through Spotify for Artists, so the dashboard does not itself hold banking details, but it does expose streaming and audience analytics, artist-profile controls and the links fans use to send money or buy merchandise, which puts far more than a subscription at stake.
How this scam works on the Spotify brand
The sequence is similar to other SIM-swap-based account takeovers. The carrier is social-engineered into moving the victim's number onto a SIM the attacker holds (or porting it out to another carrier). The attacker then requests a Spotify password reset via the phone-number option, receives the SMS code, sets a password they control and changes the account email so the original owner can no longer recover it. The whole chain typically completes within minutes, before the victim has worked out why their phone lost service.
For creator accounts connected to Spotify for Artists, the attacker can then read analytics, edit the artist profile and redirect the fan-facing money and merchandise links. Royalty banking details live with the connected distributor or label rather than in Spotify for Artists, but if that distributor account uses the same email address or phone number for recovery, it is exposed by the same swap, a risk that goes well beyond simple subscription access.
Victims often first notice the takeover when they receive a Spotify email confirming a password change or email update, or when they find themselves unable to log in and the recovery flow sends messages to a number they no longer control.
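Seen from the service side, the weakness in the flow described above is that an SMS code is trusted no matter how recently the number was re-issued. The Python below is an added illustration, not Spotify's code: it contrasts a naive recovery policy with one that consults a carrier "last SIM change" signal and refuses or steps up SMS resets made shortly after a swap. Real services obtain that signal from carrier SIM-swap lookup APIs; here the signal, the seven-day quarantine window, the geo check and the sample requests are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed policy value, not a Spotify setting: SMS-based recovery is refused
# for this long after the carrier reports a SIM change on the number.
SIM_CHANGE_QUARANTINE = timedelta(days=7)


@dataclass
class RecoveryRequest:
    account_id: str
    channel: str                 # "sms" or "email"
    requested_at: datetime
    ip_country: str              # country the reset request came from
    usual_country: str           # country seen in the account's recent logins


@dataclass
class CarrierSignal:
    # Carrier-reported time of the last SIM change on the number. Real
    # deployments fetch this from a SIM-swap lookup API; constructed here.
    last_sim_change: Optional[datetime]
    lookup_ok: bool = True       # False when the carrier could not be queried


def naive_policy(req: RecoveryRequest, signal: CarrierSignal) -> str:
    """The weak flow described on the page: any registered channel is trusted."""
    return "allow"


def sim_swap_aware_policy(req: RecoveryRequest,
                          signal: CarrierSignal) -> tuple[str, list[str]]:
    """Hardened flow: SMS is downgraded when the number was recently re-issued.

    Returns (decision, reasons); decision is 'allow', 'step_up' (require a
    second factor or email confirmation) or 'deny_sms' (SMS may not be used).
    """
    reasons: list[str] = []
    if req.channel != "sms":
        return "allow", reasons

    # Fail closed: with no carrier answer we cannot rule out a fresh swap.
    if not signal.lookup_ok:
        reasons.append("carrier SIM-change lookup unavailable")
        return "step_up", reasons

    if signal.last_sim_change is not None:
        age = req.requested_at - signal.last_sim_change
        if age < SIM_CHANGE_QUARANTINE:
            reasons.append(f"SIM changed {age.days}d {age.seconds // 3600}h before request")
            return "deny_sms", reasons

    if req.ip_country != req.usual_country:
        reasons.append(f"request from {req.ip_country}, account usually {req.usual_country}")
        return "step_up", reasons

    return "allow", reasons


def run_samples() -> dict[str, str]:
    """Evaluate constructed recovery requests; returns account_id -> decision."""
    now = datetime(2026, 6, 1, 12, 0, tzinfo=timezone.utc)
    samples = [
        # Swap two hours earlier, then an SMS reset: the attack on the page.
        (RecoveryRequest("acct-hijacked", "sms", now, "RO", "GB"),
         CarrierSignal(last_sim_change=now - timedelta(hours=2))),
        # Genuine owner who replaced a lost SIM three weeks ago.
        (RecoveryRequest("acct-new-phone", "sms", now, "GB", "GB"),
         CarrierSignal(last_sim_change=now - timedelta(days=21))),
        # No swap on record, but the request comes from an unusual country.
        (RecoveryRequest("acct-travelling", "sms", now, "US", "GB"),
         CarrierSignal(last_sim_change=None)),
        # Carrier lookup failed: do not silently fall back to trusting SMS.
        (RecoveryRequest("acct-no-signal", "sms", now, "GB", "GB"),
         CarrierSignal(last_sim_change=None, lookup_ok=False)),
        # Email channel is not affected by the SIM-swap check.
        (RecoveryRequest("acct-email", "email", now, "GB", "GB"),
         CarrierSignal(last_sim_change=now - timedelta(hours=1))),
    ]
    decisions: dict[str, str] = {}
    for req, sig in samples:
        decision, reasons = sim_swap_aware_policy(req, sig)
        decisions[req.account_id] = decision
        print(f"{req.account_id:16} naive={naive_policy(req, sig):6} "
              f"hardened={decision:9} {'; '.join(reasons)}")
    return decisions


if __name__ == "__main__":
    run_samples()
```

The quarantine window is the main tuning knob: too short and a same-day swap-and-reset still succeeds, too long and legitimate users who replaced a lost SIM are pushed to the step-up path for weeks. Either way the hardened policy never makes the SMS code the sole factor when the carrier cannot vouch for the SIM.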
Common red flags
- Your phone suddenly shows no service or SOS-only while people nearby still have coverage.
- You receive an unsolicited Spotify password-reset SMS.
- A Spotify email confirms a password or email change you did not make.
- Your Spotify account shows playlist changes, listening history, or profile edits you did not perform.
- Your mobile carrier confirms a SIM swap was processed that you did not authorise.
- Spotify for Artists shows profile, link or team changes you did not make, or your distributor or label reports a payout or banking detail change you did not request.
How to protect yourself
- Contact your mobile carrier and ask for a port-out PIN or number lock (often sold as SIM-swap protection or a port freeze) so a swap cannot be processed without it.
- Enable two-factor authentication wherever Spotify offers it for your account (spotify.com/account/security), preferring an authenticator app to SMS codes, since SMS is exactly what a swap intercepts.
- Secure the email account linked to your Spotify with a strong unique password and authenticator-based 2FA, and check that the email account's own recovery does not fall back to your phone number.
- For Spotify for Artists accounts, regularly review the artist profile, fan links and team members in the dashboard, and the payout details held by your distributor or label.
- If you suspect a SIM swap, call your carrier immediately to reverse it. If you still have a device that is signed in to Spotify, change the password from it straight away rather than waiting for your number to come back.
- Review your Spotify account's active sessions at spotify.com/account/security and sign out of any you do not recognise (or use the sign-out-everywhere option and sign back in yourself).
How to report it
- Contact your mobile carrier immediately to reverse the SIM swap.
- Report the account compromise to Spotify via spotify.com/us/contact-us/.
- Report the SIM hijack to the FTC at IdentityTheft.gov (US) or Action Fraud at actionfraud.police.uk (UK).
- If payout or banking details held by your distributor or label were altered, or Spotify for Artists shows profile or team changes you did not make, contact your distributor and Spotify for Artists support immediately.
Frequently asked questions
Why would a scammer want my Spotify account specifically?
Spotify accounts have value as active subscriptions paid by the victim, and the linked payment method can be used for plan changes. Creator accounts linked to Spotify for Artists are especially targeted because the artist profile, its analytics and its fan-facing money and merchandise links are a lever on the creator's income, even though royalties themselves are paid through the distributor or label.
Can I recover a Spotify account if my recovery phone number was used against me?
Yes. Once your carrier restores your phone number, use the Spotify forgot-password flow with your number. If the attacker also changed the email or removed your number from the account, contact Spotify support directly at spotify.com/us/contact-us/ and provide verification details such as the original email address and evidence of your payment method.
What should Spotify for Artists users do to protect payout details?
Do not let your phone number be the only thing standing between an attacker and the account: use an authenticator app wherever Spotify offers two-factor authentication, secure your linked email with hardware-key or app-based 2FA, and make sure neither account falls back to SMS for recovery. Payout details are held by your distributor or label, so verify them there regularly and enable change notifications if the distribution platform offers them.