Spotify has had to reset the passwords of some users after it accidentally exposed customer information, including name, password, and date of birth, to some of its business partners. The vulnerability existed since April, but was only discovered in November.

Spotify Files a Data Breach Notification

This news comes from a data breach notification (document courtesy of TechCrunch) that Spotify filed with the California attorney general's office.

On November 12, 2020, Spotify discovered a vulnerability in its system that inadvertently exposed some customer information to third parties.

If you were impacted by this, you should have received an email from Spotify notifying you that it had reset your password.

The information shared may have included your email address, preferred display name, password, gender, and date of birth.

Spotify estimates that this vulnerability has existed since April 9, 2020, but it only discovered it on November 12, 2020, when, it says, "we took immediate steps to correct it".

Spotify hasn't named the business partners that received the data, but notes that it contacted them to ensure that any customer information was deleted.

Of course, there's no guarantee that unauthorized use of your information won't take place, so if you used your Spotify password elsewhere then you should change it immediately.

How Has Spotify Responded?

In speaking to Engadget, a company spokesperson said:

A very small subset of Spotify users were impacted by a software bug, which has now been fixed and addressed. Protecting our users’ privacy and maintaining their trust are top priorities at Spotify. To address this issue, we issued a password reset to impacted users. We take these obligations extremely seriously.

Spotify has more than 320 million users and it's unclear what percentage of those have been impacted by this.

The streaming company also hasn't detailed how the vulnerability occurred, although this is usual in these situations. Nevertheless, it is concerning that customer information was able to travel so freely in a seemingly unencrypted state.

This isn't the first time in recent months that Spotify has run into trouble with users' passwords. In November 2020, Spotify had to reset 350,000 passwords due to a data breach. However, that was due to a credential stuffing operation, rather than the fault of Spotify itself.

If anything, this story is a lesson to use a unique password for every service. That way, if someone gets hold of one password, only one service is compromised. The easiest way to achieve that is to use a good, open-source password manager.