Spotify bug exposed weak user passwords

Swedish online music startup Spotify last night warned of a security breach that could have exposed user passwords and other sensitive data.

In an email to users Spotify said a bug it had squashed in its protocols in December was more serious than it first suspected. Last week Spotify found out that a group of hackers had compromised these protocols as a result of this vulnerability. The vulnerability meant password hashes of individual users had been exposed, though not in an easy to decrypt form. But the weaker your password then the easier it was to hack. Credit card details were not exposed but a lot of sensitive information was, Spotify added. Such as – potentially – your email address, birth date, gender, postal code and billing receipt. The vulnerability has now been resolved.

The site advises users to change their password across the board, where accounts were registered prior to 19 December and the same password was used on multiple sites.

Here’s their statement in full:

Dear Spotify user,

Last week we were alerted to a group that managed to compromise
our protocols. After investigating we concluded that this group
had gained access to information that could allow testing of a
very large number of passwords, possibly finding the right one.
The information was exposed due to a bug that we discovered and
fixed on December 19th, 2008. Until last week we were unaware
that anyone had had access to our protocols to exploit it.

Along with passwords, registration information such as your email
address,birth date, gender, postal code and billing receipt
details were potentially exposed. Credit card numbers are not
stored by us and were not at risk. All payment data is handled
by a secure 3rd party provider.

If you have an account that was created on or before December 19th 2008,
we strongly suggest that you change your password and strongly
encourage you to change your passwords for any other services
where you use the same password.

When choosing your password we provide you with an indicator of
the password strength to help you choose a good one. To change
your password please visit your profile page on our website.

For the technically minded amongst you, the information that may
have been exposed when our protocols were compromised is the
password hashes. As stated, we never store passwords, and they
have never been sent over the Internet unencrypted, but the
combination of the bug and the group’s reverse-engineering of
our encrypted streaming protocol may have given outsiders access
to individual hashes.

The hashes are salted, making attacks using rainbow tables unfeasible.
Short or otherwise bad passwords could still be vulnerable to
offline targeted brute-force or dictionary attacks on individual
users, but you could not run attacks in parallel. Also, there
has been no known breach of our internal systems. A complete user
database has not been leaked, but until December 19th, 2008 it was
possible to access the password hashes of individual users had
you reverse-engineered the Spotify protocol and knew the

We are really sorry about this and hope you accept our apologies.
We’re doubling our efforts to keep the systems secure in order
to prevent anything like this from happening again.

The Spotify Team