Spotify has reset an undisclosed number of passwords after accidentally exposing user data.
The company filed a data breach notification with the California attorney general’s office to alert the state. The music streaming company says the exposed data may have included “email addresses, display name, password, gender, and date of birth.” So who got access to all this information? Spotify says “only certain business partners” without naming them specifically.
The software vulnerability that was exploited existed as far back as April 9. It was not discovered until November 12, but Spotify did not say when data became exposed.
“We have conducted an internal investigation and have contacted all of our business partners that may have had access to your account information to ensure that any personal information that may have been inadvertently disclosed to them has been deleted,” the letter says.
A Spotify spokesperson has confirmed the issue affects a “small subset” of Spotify users. Spotify has declined to say how many of its 320 million users or 144 million subscribers may be impacted by the security vulnerability.
Millions of hacked Spotify accounts are available for sale for as little as $1 on the dark web. Hackers collect Spotify accounts and passwords and sell them multiple times.
It’s an issue that Spotify has been slow to combat for years – still lacking two-factor authentication for its services. “Dear Serbian guy who hacked my Spotify account, we could have shared,” one user writes on Twitter.
It’s a bit disingenuous to call these attacks hacks. They’re credential stuffing attacks that check for re-used passwords across a variety of services. For example, if you use the same password for your GAP account and Spotify, you’re at risk if GAP gets hacked. Hackers will quickly plug that password in with your email to see if the combo works. If it does and you subscribe to Spotify Premium, the account goes for sale on the dark web.
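The credential stuffing pattern described above has a recognisable signature on the defending side: a single source tries many different accounts, usually once each, rather than hammering one account with many guesses. The following is an added example (not code from Spotify or from this article) showing how a service's login logs could be screened for that signature. The log format, the IP addresses and the account names are all constructed for the example, and the thresholds are assumptions a real deployment would tune.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login log (hypothetical format, not a real service's logs).
# 203.0.113.5 tries six different accounts once each: the stuffing signature.
# 198.51.100.7 tries one account three times: a brute-force pattern, not stuffing.
SAMPLE_LOG = """\
2020-11-12T10:00:01Z login ip=203.0.113.5 user=alice@example.com result=fail
2020-11-12T10:00:02Z login ip=203.0.113.5 user=bob@example.com result=fail
2020-11-12T10:00:03Z login ip=203.0.113.5 user=carol@example.com result=success
2020-11-12T10:00:04Z login ip=203.0.113.5 user=dave@example.com result=fail
2020-11-12T10:00:05Z login ip=203.0.113.5 user=erin@example.com result=fail
2020-11-12T10:00:06Z login ip=203.0.113.5 user=frank@example.com result=fail
2020-11-12T10:00:10Z login ip=198.51.100.7 user=alice@example.com result=fail
2020-11-12T10:00:20Z login ip=198.51.100.7 user=alice@example.com result=fail
2020-11-12T10:00:30Z login ip=198.51.100.7 user=alice@example.com result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>success|fail)$"
)


def parse_log(text):
    """Parse log lines into (timestamp, ip, user, succeeded) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["user"], m["result"] == "success"))
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_distinct_users=5, max_attempts_per_user=2.0):
    """Flag source IPs that, within one sliding time window, touch at least
    `min_distinct_users` different accounts with few attempts per account.
    Returns {ip: {"attempts", "distinct_users", "compromised"}} where
    "compromised" lists accounts that the flagged source logged into successfully."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start so the window never exceeds `window` seconds.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {u for _, u, _ in win}
            if len(users) < min_distinct_users:
                continue
            if len(win) / len(users) > max_attempts_per_user:
                continue  # many tries per account looks like brute force, not stuffing
            # Keep the widest matching window seen for this source.
            if ip not in flagged or len(users) > flagged[ip]["distinct_users"]:
                flagged[ip] = {
                    "attempts": len(win),
                    "distinct_users": len(users),
                    "compromised": sorted(u for _, u, ok in win if ok),
                }
    return flagged


def run_example():
    """Screen the constructed sample log and return the flagged sources."""
    return detect_credential_stuffing(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for ip, info in run_example().items():
        print(f"{ip}: {info['attempts']} attempts across {info['distinct_users']} accounts; "
              f"successful logins for {info['compromised']}")
```

The point of the attempts-per-user ratio is to separate stuffing from ordinary brute force: a leaked password list gives the attacker one guess per account, so the distinct-account count climbs while the per-account attempt count stays near one. The "compromised" list is what a response team would act on first, since those are the accounts where a reused password actually worked and a forced reset is warranted.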
Spotify hasn’t told anyone that its users’ information has been exposed. In fact, the general public wouldn’t know if it wasn’t for that data breach notification filed with the state of California. If you recently had to change your password before accessing Spotify, now you know why. You might want to change your passwords elsewhere since personal data was exposed in this software vulnerability.
It’s better to be safe than sorry – and stop re-using the same password on every site.