Yesterday I got an email from Spotify telling me to change my password since their music service had been compromised by the group behind Despotify. This is from the email they sent out:
Last week we were alerted to a group that managed to compromise
our protocols. After investigating we concluded that this group
had gained access to information that could allow testing of a
very large number of passwords, possibly finding the right one.
The information was exposed due to a bug that we discovered and
fixed on December 19th, 2008. Until last week we were unaware
that anyone had had access to our protocols to exploit it.Along with passwords, registration information such as your email
address,birth date, gender, postal code and billing receipt
details were potentially exposed. Credit card numbers are not
stored by us and were not at risk. All payment data is handled
by a secure 3rd party provider.
From IDG.se I found out that they actually only had been able to get passwords and user information for about 40 users.
This was possible since Spotify had a security hole in their protocols so that whenever someone created a shared play list their user information like email, address, birthday and password where sent to the users client software. In the usual Spotify client this was not visible for the users, but when using Despotify’s client the group was able to collect this information.
Spotify is now asking everyone with an account from the time before 19th of December 2008 to change their passwords.
I wanted to thank you for this great read!! I absolutely loved every bit of it. I have you bookmarked to check out new stuff you post…