Spotify data exposed
Spotify have warned of a security breach that may have exposed sensitive user data, including passwords. The on-line music site posted a notice on its blog about the breach and notified users by email.
According to Spotify, an unspecified "group" had managed to compromise the Spotify protocols and upon investigation, the company had found that this group had gained access to information which could allow for password hash cracking. Passwords, email addresses, date of birth, gender, postal code and billing receipt details were exposed by the problem, though Spotify say that credit card information was not exposed, as this is handled by a third party and not stored on Spotify's servers. The exposed information was made available due to a bug that Spotify discovered and fixed on December 19th, 2008.
Spotify say that the complete user database was not leaked and that the hashed passwords were salted, making attacks by rainbow tables infeasible. Spotify said "We never store passwords, and they have never been sent over the Internet unencrypted, but the combination of the bug and the group’s reverse engineering of our encrypted streaming protocol may have given outsiders access to individual hashes".
Spotify "strongly suggest" that users who have an account created before December 19th, 2008, change their password and "strongly encourage" those users to change their passwords on other systems where they may have used the same password. Spotify later clarified the precise circumstances under which they believe user's data may have been exposed in an updated security notice.