Spotify breach opens passwords to hackers
By Stuart Turton
Posted on 5 Mar 2009 at 10:32
Spotify has admitted a security breach may have left thousands of people's personal details exposed.
The music streaming site says a bug in its protocols, which was spotted and dealt with back in December, turned out to have been more serious than it first thought.
Hackers used the vulnerability to gain access to password hashes. Though Spotify claims these hashes are encrypted, it is warning that those with weak passwords, such as names, may be vulnerable to brute-force attacks that allow the passwords to be guessed.
"The hashes are salted, making attacks using rainbow tables unfeasible," the company says on its blog. "Short or otherwise bad passwords could still be vulnerable to offline targeted brute-force or dictionary attacks on individual users, but you could not run attacks in parallel.
"Also, there has been no known breach of our internal systems. A complete user database has not been leaked, but until 19 December, 2008 it was possible to access the password hashes of individual users had you reverse-engineered the Spotify protocol and knew the username."
Spotify says no credit card or payment information was accessed during the attack, but has admitted that "passwords, registration information such as your email address, birth date, gender, postal code and billing receipt details were potentially exposed."
The attack only affects those users who registered accounts before 19 December. The music site is advising customers to change passwords immediately.
