Spotify Data Breach


A blog by Sheetal Patnaik

Spotify is the popular music and podcast streaming service. For the third time within a short period in 2020, Spotify has suffered a security incident involving user account data. Below is the notice Spotify sent to affected users about the exposure.

On Thursday November 12th, Spotify discovered a vulnerability in our system that inadvertently exposed your Spotify account registration information, which may have included email address, your preferred display name, password, gender, and date of birth only to certain business partners of Spotify. Spotify did not make this information publicly accessible. We estimate that this vulnerability existed as of April 9, 2020, until we discovered it on November 12, 2020, when we took immediate steps to correct it.

Spotify said it has reset an undisclosed number of user passwords, blaming a software vulnerability in its systems for exposing private account information to its business partners. Spotify also assures readers of the notice that it is investigating how the exposure occurred. So far no suspicious activity has been reported, but that can always change. Spotify says it is also making sure that any third-party partners that received the data delete it immediately.

Malicious actors routinely take accidentally leaked personal data and use it in phishing, credential stuffing, and other common attacks, which is why Spotify is asking its users to change their passwords out of an abundance of caution. When you change a password, do not reuse one you already use on other accounts; a password manager is the practical way to keep every account's password unique. Credential stuffing, in which username and password pairs leaked from one site are replayed against other sites, is one of the most common account-takeover techniques, and it only works when people reuse passwords.

Spotify said the vulnerability existed as far back as April 9 but wasn't discovered until November 12, a window of roughly seven months. Like most data breach notices, Spotify's did not say what the vulnerability was or how user account data became exposed to partners.

It’s the second time in as many months that the company has reset user passwords.

Last month, security researchers found an unsecured database, likely operated by attackers, allegedly containing around 300,000 stolen user passwords. The database was probably used to launch credential stuffing attacks, in which lists of credentials stolen from one site are replayed against other websites in the hope that users reused the same password there.

Although in that case the exposed data did not come from Spotify, the company reset the passwords on affected user accounts.
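Credential stuffing looks different from classic brute forcing in the authentication logs, and that difference is what a defender keys on: a stuffing run tries many accounts once or twice each (the leaked pairs are used as-is), while brute force hammers a single account with many guesses. As an added example, not code from the original post or from Spotify, here is a small Python detector that applies those heuristics to a constructed authentication log and lists the accounts that should be force-reset because a stuffing source successfully logged in as them, which is the kind of targeted password reset described above. The log format, the IP addresses and usernames, and the thresholds are all assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample authentication log (not real Spotify telemetry).
# Assumed line format: "<ISO-8601 timestamp> <source IP> <username> <OK|FAIL>".
SAMPLE_LOG = """\
2020-11-12T10:00:01 203.0.113.7 alice FAIL
2020-11-12T10:00:02 203.0.113.7 bob FAIL
2020-11-12T10:00:02 203.0.113.7 carol OK
2020-11-12T10:00:03 203.0.113.7 dave FAIL
2020-11-12T10:00:03 203.0.113.7 erin FAIL
2020-11-12T10:00:04 203.0.113.7 frank FAIL
2020-11-12T10:00:04 203.0.113.7 grace FAIL
2020-11-12T10:00:05 203.0.113.7 heidi FAIL
2020-11-12T10:00:05 203.0.113.7 ivan FAIL
2020-11-12T10:00:06 203.0.113.7 judy FAIL
2020-11-12T10:00:01 198.51.100.9 peggy FAIL
2020-11-12T10:00:03 198.51.100.9 peggy FAIL
2020-11-12T10:00:05 198.51.100.9 peggy FAIL
2020-11-12T10:00:07 198.51.100.9 peggy FAIL
2020-11-12T10:00:09 198.51.100.9 peggy FAIL
2020-11-12T10:00:11 198.51.100.9 peggy FAIL
2020-11-12T10:00:13 198.51.100.9 peggy FAIL
2020-11-12T10:00:15 198.51.100.9 peggy FAIL
2020-11-12T10:00:17 198.51.100.9 peggy FAIL
2020-11-12T10:00:19 198.51.100.9 peggy FAIL
2020-11-12T10:00:30 192.0.2.44 trent FAIL
2020-11-12T10:00:31 192.0.2.44 trent OK
"""

# Illustrative thresholds (assumptions; tune them to your own traffic).
WINDOW_SECONDS = 60               # events are bucketed per source IP per window
STUFFING_MIN_DISTINCT_USERS = 10  # stuffing touches many different accounts ...
STUFFING_MAX_TRIES_PER_USER = 2   # ... but tries each one only once or twice
BRUTE_MIN_TRIES_ONE_USER = 10     # brute force hammers a single account
MIN_FAIL_RATIO = 0.8              # both attack patterns fail almost every time


def parse_log(text):
    """Parse the assumed log format into (timestamp, ip, user, ok) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, ip, user, result = line.split()
            events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events


def analyze(text):
    """Classify each source IP and list accounts that a stuffing source logged into.

    Returns (verdicts, compromised): verdicts maps IP -> "credential_stuffing",
    "brute_force" or "normal"; compromised is the sorted list of usernames whose
    password should be reset because a stuffing source authenticated as them.
    """
    events = parse_log(text)
    if not events:
        return {}, []
    t0 = min(ts for ts, _, _, _ in events)
    buckets = defaultdict(list)
    for ts, ip, user, ok in events:
        slot = int((ts - t0).total_seconds()) // WINDOW_SECONDS
        buckets[(ip, slot)].append((user, ok))

    verdicts = {}
    compromised = set()
    for (ip, _slot), attempts in buckets.items():
        tries_per_user = defaultdict(int)
        fails = 0
        for user, ok in attempts:
            tries_per_user[user] += 1
            fails += 0 if ok else 1
        fail_ratio = fails / len(attempts)
        busiest_user = max(tries_per_user.values())

        if (len(tries_per_user) >= STUFFING_MIN_DISTINCT_USERS
                and busiest_user <= STUFFING_MAX_TRIES_PER_USER
                and fail_ratio >= MIN_FAIL_RATIO):
            verdicts[ip] = "credential_stuffing"
            # A success inside a stuffing burst means a reused password matched:
            # that account needs a forced reset even though the login "worked".
            compromised.update(user for user, ok in attempts if ok)
        elif busiest_user >= BRUTE_MIN_TRIES_ONE_USER and fail_ratio >= MIN_FAIL_RATIO:
            verdicts[ip] = "brute_force"
        else:
            verdicts.setdefault(ip, "normal")  # never downgrade an earlier alert
    return verdicts, sorted(compromised)


if __name__ == "__main__":
    verdicts, compromised = analyze(SAMPLE_LOG)
    for ip, verdict in sorted(verdicts.items()):
        print(f"{ip:15} {verdict}")
    print("force password reset for:", compromised)
```

The stuffing source is flagged even though one of its logins succeeded; that success is the whole point of the attack, so the detector treats it as the account to reset rather than as evidence the traffic was benign. The brute-force source is separated out because a lockout or rate limit on the single targeted account is the right response there, whereas a per-account lockout does nothing against a run that touches each account only once.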


This is what Spotify is assuring us of right now! We hope our data doesn't get misused. 🤞 for all Spotify users, including myself 😇