Spotify has become the latest service to be hit by “malvertising”, after a malicious advert pushed through the free tier of the music streaming site started opening “questionable” website pop-ups for some users. The attack was reported by multiple users on social media throughout Wednesday morning.

For most, it simply resulted in pop-up windows opening, but a few users reported attempted malware installations further down the chain. In response to a user question, Spotify confirmed the reports. The issue comes because most large sites sell advertising space through third-party resellers, who pull in code for the adverts on the fly based on an open auction.

Popular music streaming service Spotify is actively resetting a number of users' passwords. The company claims this is in response to data breaches of other websites, implying that the problem may be customers reusing passwords.

“To protect your Spotify account, we've reset your password. This is because we believe it may have been compromised during a leak on another service with which you use the same password,” an email sent to a user on Wednesday reads. “Don't worry! This is purely a preventative security measure. Nobody has accessed your Spotify account, and your data is secure,” it continues.