Spotify hacked, user data stolen

The increasingly popular music streaming service Spotify has revealed that it was the target of malicious hackers at the end of 2008.

The Swedish-based company issued a statement on its blog yesterday warning "along with passwords, registration information such as your email address, birth date, gender, postal code and billing receipt details were potentially exposed. Credit card numbers are not stored by us and were not at risk. All payment data is handled by a secure 3rd party provider."

Spotify claim credit-card details, which were handled by a third party, have remained secure.

The company recommends users change their passwords if they registered on or before December 19th, 2008 when the intrusion took place.

The service was originally launched in 2006 and allows users to access music for free. Tracks are streamed to users' PCs and interrupted by advertising. The site offers an ad-free service for £10 per month.


21 Comments

The article is actually a bit misleading. Firstly, they do state in the email that they sent to users that the "passwords" taken were just Salted Hashes of the users' passwords. A security risk nonetheless, but our passwords aren't available to the thieves, unless they have an enormous amount of time and processing power.

They've made another blog post since too, and they also state that the thieves would also have had to have queried your username to get your details. They don't just have a dump of everyone's data.

Don't get me wrong, they've screwed up big, and I'm annoyed that someone else has my details, but it's not as sensational as it's being made out to be.

I really hate the litigation culture we have today but in the past two years I have had:

- My personal details (including National Insurance Number) stolen from an unencrypted Ministry of Defence laptop which was stolen from a car.

- My personal details stolen in the Monster hack.

- My personal details stolen from Spotify.

If this keeps on happening then it's only a matter of time before I have my identity stolen and somebody runs up a huge bill in my name. Companies should be liable for damages if that happens and I certainly think there should be some kind of penalty for companies who allow this kind of thing to happen. The UK Data Protection Act says that data must be kept securely. If it can be hacked, then it's not secure and companies should be investigated for breaking the law.

tut metallithrax - us Brits *ALWAYS* have unencrypted Ministry of Defence laptops in our cars.

Bloody neowin, going downhill, windows (mutter), Apple (mutter), adblockers (mutter), Frontpage (mutter), using blue in the logo (mutter)

:D

Q:
* Why are passwords ever unencrypted?
* Why does a site ask for date of birth?
* Why does a site ask for gender?

A:
* Software should NEVER store important info unencrypted.
* IF the site has adult material, then I can understand wanting a DOB. This too should be encrypted
* I'm sure there CAN be a reason... but rarely.

My point, if a site is asking for info that it doesn't need... be aware.

Peace,
James Rose
New York, NY

jameswjrose said,
Q:
* Why are passwords ever unencrypted?
* Why does a site ask for date of birth?
* Why does a site ask for gender?

A:
* Software should NEVER store important info unencrypted.
* IF the site has adult material, then I can understand wanting a DOB. This too should be encrypted
* I'm sure there CAN be a reason... but rarely.

My point, if a site is asking for info that it doesn't need... be aware.

Peace,
James Rose
New York, NY

I agree with your first and last comments, but age is needed for COPPA registration if they allow younger users. It's law in many states/countries.

It was never hacked... They used a flaw in the protocol where you could ask for a particular user and get some data back and among that was the password hash (which was salted and encrypted). Note that the "hacker" would have to KNOW the username he wants to get the hash from.

Hmm... Note that "passwords were exposed" is a bit of a stretch. Yes, I know it's a statement issued by Spotify themselves, but it was later clarified. Password HASHES were exposed, not the actual passwords. So if your password is resistant to brute-force attacks (i.e. something like 7+ letters where no part of the password can be found in a dictionary, including in reverse), you should still be safe. A hacker with this material would not know your password, but he would know when he guessed right.

As a Spotify user, I'm not really worried... To be at risk here, your particular user would also have to be selected for brute-force attacks, which is far from certain. And to be at risk, you should also of course have shared your Spotify password with other services.

So while this breach isn't very worrying to me (and I changed my password now just in case), I do agree that users should be notified earlier and don't really understand the delay here.
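As an added illustration of the "salted hash" point made above (example code written for this page, not Spotify's scheme or the commenter's): a per-user salt means two users with the same password store different values, verification needs the candidate password, and the cost per guess is what limits how "rapidly" leaked material can be tested. PBKDF2-HMAC-SHA256 and the iteration count are assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

# Assumed parameters for the demo: PBKDF2-HMAC-SHA256 with a random 16-byte
# per-user salt. The iteration count makes each guess cost tens of milliseconds.
ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for storage. A fresh salt per user means two users
    with the same password end up with different stored digests."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_password(candidate: str, salt: bytes, digest: bytes,
                    iterations: int = ITERATIONS) -> bool:
    """Recompute with the stored salt and compare in constant time. Whoever
    holds (salt, digest) can run exactly this check, which is why the per-guess
    cost, not the hash's secrecy, is the defence once a leak happens."""
    recomputed = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, iterations)
    return hmac.compare_digest(recomputed, digest)


def salted_digests_differ(password: str) -> bool:
    """Same password hashed for two users: the stored digests do not match,
    so one leaked digest says nothing about other accounts using that password."""
    _, d1 = hash_password(password)
    _, d2 = hash_password(password)
    return d1 != d2


def guesses_per_second(iterations: int, trials: int = 5) -> float:
    """Rough single-core estimate of how many candidates per second can be
    tested against one leaked (salt, digest) pair at a given cost setting.
    Raising the iteration count drives this number down."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(trials):
        hashlib.pbkdf2_hmac("sha256", f"candidate{i}".encode(), salt, iterations)
    return trials / (time.perf_counter() - start)
```

Comparing guesses_per_second(1) with guesses_per_second(ITERATIONS) shows the difference between a plain salted hash and a deliberately slow one.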

Although my Spotify password isn't exactly strong, I still don't really care. The username, password and email address have only been used on Spotify so no use to anyone else trying to get into my accounts elsewhere. If they login to my Spotify account they'll only get a fake DOB as I saw no reason that Spotify needed to know it.

CalumJR said,
I agree, that is despicable. They should notify users straight away like Monster did twice.

From the Spotify blog: "Last week we were alerted to a group that managed to compromise our protocols. After investigating we concluded that this group had gained access to information that could allow rapid testing of password guesses, possibly finding the right one. The information was exposed due to a bug that we discovered and fixed on December 19th, 2008. Until last week we were unaware that anyone had had access to our protocols to exploit it."

There's your answer.

Ohh... No, Spotify is an excellent music service but I dislike that they are restricting other countries and I have to use it via proxy