Streaming service Spotify has notified an unspecified number of its customers of a data breach, responding by resetting passwords on the accounts that were attacked.
The company filed the breach under California’s new privacy law, the California Consumer Privacy Act, which went into effect on Jan. 1. While the notice did not specify the precise number of people affected, under the CCPA, a sample copy of any breach notice sent to more than 500 California residents must be provided to the California attorney general.
In a breach notification letter dated Dec. 9 to its customers and filed with the California attorney general, Spotify said the company discovered the vulnerability in its system on November 12, but that the issue had existed on its systems since April 9 of this year.
According to the letter, the vulnerability may have inadvertently exposed Spotify account registration information, which potentially included email addresses, preferred display names, passwords, genders and dates of birth for Spotify business partners. While it has no reason to believe that any unauthorized use of customer information took place, Spotify advised its customers who received the letter to change the passwords of all other online accounts for which they use the same email address and password.
When asked to comment, a Spotify spokesperson said “only a very small subset of Spotify users were impacted by a software bug, which has now been fixed and addressed.”
Laurence Pitt, technical security lead at Juniper Networks, said many people pay for premium Spotify services and with access to a password, anyone could redirect a subscription for their own use.
“Password re-use is dangerous because if any of the data from this exposure does fall into the wrong hands, then it will end up in brute-force attack databases providing valid username/password combinations for access to other services,” Pitt said. “Our advice is to use unique passwords, change passwords regularly and invest in a good password manager to help.”