For the second time in a few months, Spotify has had to reset the passwords for user accounts. This time, the company reset passwords after user account info was exposed to some of its business partners. It appears that the data had been exposed as far back as April.
Spotify Passwords Exposed
At this point perhaps we should almost expect this for all accounts, as it seems that ultimately, nothing is completely safe. Certainly not social media accounts, but we’ve also seen it for all types of companies, big and small.
A data breach notification was filed with the California attorney general’s office. It explained that the data that was exposed “may have included email address, your preferred display name, password, gender, and date of birth only to certain business partners of Spotify.”
What is slightly more unnerving is that the filing also claims the music streaming service “did not make this information publicly accessible.” It’s unknown what companies could have had access to this information.
Even more unnerving is the length of time the account info was exposed. The vulnerability was not discovered until November 12, yet it was found to have existed seven months prior, going back to April 9. Spotify did not divulge how the account info became vulnerable.
The letter explained, “We have conducted an internal investigation and have contacted all of our business partners that may have had access to your account information to ensure that any personal information that may have been inadvertently disclosed to them has been deleted.”
Adam Grossberg, Spotify’s spokesperson, confirmed the vulnerability. He said a “small subset” of Spotify users are affected but did not say how many accounts were in that subset. There are more than 320 million Spotify users and 144 million subscribers.
Spotify Accounts Affected Again
To protect its users’ information, Spotify reset user passwords. This is the second time it has had to do so in two months.
In November, security researchers discovered an unsecured database that was possibly operated by hackers. The database was said to contain around 300,000 users’ passwords and could have been used for credential stuffing attacks. These attacks try lists of stolen credentials against other websites, and succeed wherever the user has reused the same password.
This is why you want to have unique passwords for your different accounts. If one password is stolen, and it’s the same password used for several accounts, it gives hackers access to all of those accounts.