Popular online music site Spotify have announced that a security breach has potentially exposed thousands of customer details. Various pieces of personal information may have been compromised including usernames, genders and postcodes. The security breach is thought to affect accounts registered before 19th December 2008 - a time when the service was open by only by invitation, but even this small subset of users could mean thousands of people are affected.
Spotify's full statement on the issue is below, but their current advice is to update your account and password details on the Spotify site and also change your password on any other sites and services if it matches that used to access your Spotify account.
At the time of writing, access to the Spotify site is sporadic due to high traffic levels following this announcement.
Last week we were alerted to a group that managed to compromise our protocols. After investigating we concluded that this group had gained access to information that could allow testing of a very large number of passwords, possibly finding the right one. The information was exposed due to a bug that we discovered and fixed on December 19th, 2008. Until last week we were unaware that anyone had had access to our protocols to exploit it.
Along with passwords, registration information such as your email address,birth date, gender, postal code and billing receipt details were potentially exposed. Credit card numbers are not stored by us and were not at risk. All payment data is handled by a secure 3rd party provider.
If you have an account that was created on or before December 19th 2008, we strongly suggest that you change your password and strongly encourage you to change your passwords for any other services where you use the same password.
When choosing your password we provide you with an indicator of the password strength to help you choose a good one. To change your password please visit your profile page on our website.
For the technically minded amongst you, the information that may have been exposed when our protocols were compromised is the password hashes. As stated, we never store passwords, and they have never been sent over the Internet unencrypted, but the combination of the bug and the group's reverse-engineering of our encrypted streaming protocol may have given outsiders access to individual hashes.
The hashes are salted, making attacks using rainbow tables unfeasible. Short or otherwise bad passwords could still be vulnerable to offline targeted brute-force or dictionary attacks on individual users, but you could not run attacks in parallel. Also, there has been no known breach of our internal systems. A complete user database has not been leaked, but until December 19th, 2008 it was possible to access the password hashes of individual users had you reverse-engineered the Spotify protocol and knew the username.
We are really sorry about this and hope you accept our apologies. We're doubling our efforts to keep the systems secure in order to prevent anything like this from happening again.