Spotify admits some passwords may be hackable

Warwick Ashford

Apple iTunes online music rival Spotify has been hacked, potentially exposing the personal details of thousands of users.

This is the latest online service to be attacked by hackers. Online recruitment site Monster.com revealed in January that hackers had stolen the details of 4.5 million UK job seekers.

Spotify has notified users that hackers had accessed information that would enable them to crack passwords.

Although the passwords are stored in encrypted form, as hashes, Spotify said they were potentially vulnerable to a "brute force" attack to guess them.

The security vulnerability was caused by a bug that was discovered and fixed on 19 December 2008, and all users who created an account on or before that date should change their password, Spotify said.

Registration information such as e-mail address, date of birth, gender, postal code and billing receipt details was potentially exposed.

Spotify said all payment information such as credit card numbers was secure as this information is handled by a third party.

The online music provider emphasised that there has been no known breach of its internal systems and that its user database has not been leaked.

"Until 19 December, 2008 it was possible to access the password hashes of individual users had you reverse-engineered the Spotify protocol and knew the username," Spotify said in a blog.

"We are doubling our efforts to keep the systems secure in order to prevent anything like this from happening again," the posting said.

Spotify is said to have more than one million users across Europe, including 250,000 in the UK.

The service allows users access to a list of tracks they can choose to stream over the internet to a computer.

An advertising-sponsored service is available for free, but users can sign up for an ad-free service for £10 a month.
