Music streaming giant believes flaw was present for about seven months

Spotify security vulnerability exposed personal data to business partners

An unspecified number of Spotify users have had their passwords reset after their personal data was inadvertently exposed to business partners of the music streaming service.

Spotify said it had “contained and remediated” the data breach after discovering a security vulnerability in its system that revealed users’ account registration information to the third parties.

Exposed data may have included email addresses, display names, passwords, gender, and date of birth, said the music streaming giant.

In a breach notification (PDF) filed with California’s Attorney General on December 9, Spotify said it found the flaw on November 12, but “estimate[s] that this vulnerability existed as of April 9, 2020”.

Limited impact

The digital media service said this data was visible to “certain business partners of Spotify”, but insisted that the incident “did not make this information publicly accessible”.

“We have conducted an internal investigation and have contacted all of our business partners that may have had access to your account information to ensure that any personal information that may have been inadvertently disclosed to them has been deleted,” continued the breach alert sent to affected individuals.

“We have no reason to believe that any unauthorized use of your information has or will occur,” Spotify added.

However, the platform urged users “to change the passwords of all other online accounts for which you use the same email address and password,” and to report any suspicious activity on their Spotify account to the company.

Face the music

The disclosure comes less than a month after Spotify executed another password reset, on that occasion following credential stuffing attacks that probably leveraged the spoils of data breaches at other organizations.

The Swedish company acted after attackers apparently tried to brute-force their way into Spotify accounts with username-password pairs discovered by security researchers in an unsecured cloud database containing around 300,000 stolen passwords.

Spotify, which has more than 320 million users and 144 million subscribers – far more than its closest rival, Apple – did not indicate how many users were affected.

The Daily Swig has asked Spotify to provide further details about the breach and will update the article if and when we receive a response.