User passwords and personal information leaked

Mar 5, 2009 13:03 GMT

The online music streaming service Spotify has become the subject of a recent data breach incident. The website administration has announced that the privacy of its users might have been compromised due to a vulnerability in its communication protocols.

Spotify allows users to browse and listen to audio tracks through a desktop client/player, which connects to its online hub. In order to use the service, interested individuals have to register an account, even if they use the free, ad-supported version of the program. There are currently over one million registered Spotify users worldwide.

In a notification posted on its blog, the website administration reveals that last week it became aware that a group of hackers had been exploiting a flaw, before it was patched in December 2008, in order to access confidential information about the users.

The authentication credentials that were leaked consisted of hashes rather than the passwords themselves, but these are still susceptible to brute-force attacks. "The hashes are salted, making attacks using rainbow tables unfeasible. Short or otherwise bad passwords could still be vulnerable to offline targeted brute-force or dictionary attacks on individual users," the announcement explains.
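To make the two points in the announcement concrete, here is an added example (not code from the article or from Spotify) of salted password storage as a defender would implement it. The hash function, iteration count and salt length are assumptions, since the article says only that the hashes were salted; the common-password list is a constructed stand-in for a real one. The example shows that the same password stored twice yields two unrelated digests, which is what makes a precomputed rainbow table useless, and it shows the complementary control the announcement implies: rejecting short or dictionary passwords at registration, because salting does nothing to protect those from a per-user guessing attack.

```python
import hashlib
import hmac
import os

# Assumed parameters: the article does not state which hash function or
# work factor Spotify used, only that the stored hashes were salted.
HASH_NAME = "sha256"
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a salted digest with PBKDF2-HMAC (an assumed choice of KDF)."""
    return hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, ITERATIONS)


def create_record(password: str) -> dict:
    """Build the record a server would store: a fresh random salt plus the digest."""
    salt = os.urandom(SALT_BYTES)
    return {"salt": salt.hex(), "digest": hash_password(password, salt).hex()}


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    expected = bytes.fromhex(record["digest"])
    return hmac.compare_digest(hash_password(candidate, salt), expected)


def same_password_different_digests(password: str) -> bool:
    """Why rainbow tables fail against salted storage: storing one password
    twice produces two different salts and therefore two unrelated digests,
    so no table precomputed for the bare password can match either."""
    first = create_record(password)
    second = create_record(password)
    return first["salt"] != second["salt"] and first["digest"] != second["digest"]


# Constructed, deliberately tiny list standing in for a real common-password list.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "spotify"}


def is_weak(password: str, min_length: int = 10) -> bool:
    """Registration-time check for the passwords the announcement calls
    'short or otherwise bad': salting does not protect these from a
    targeted offline guessing attack, so they should be refused up front."""
    return len(password) < min_length or password.lower() in COMMON_PASSWORDS


if __name__ == "__main__":
    record = create_record("correct horse battery staple")
    print("verify correct:", verify_password(record, "correct horse battery staple"))
    print("verify wrong:  ", verify_password(record, "wrong guess"))
    print("salted twice differs:", same_password_different_digests("hunter2"))
    for candidate in ("123456", "Qwerty", "a-long-unique-passphrase"):
        print(f"{candidate!r} weak: {is_weak(candidate)}")
```

The salt is stored in clear beside the digest; it is not a secret, its job is only to make each stored hash unique. The `is_weak` check is the part users cannot outsource to the server's hashing scheme, which is why the announcement singles out short and dictionary passwords.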

Even though such brute-force attacks are somewhat unlikely, users who had an account registered before December 19th are urged to change their passwords. What's most disturbing, though, is that personal information was also compromised as a result of this incident and, unfortunately, that can't be changed as easily.

"Along with passwords, registration information such as your email address, birth date, gender, postal code and billing receipt details were potentially exposed," the company informs. However, credit card data was not at risk, because it was not stored on Spotify's servers. "All payment data is handled by a secure 3rd party provider," the message notes.

Graham Cluley, senior technology consultant at Sophos, outlines the other risks implied by such security breaches. "Too many people use the same password on every website they access. If just one website has a security blunder, all of your online information may be at risk," he warns. "We […] strongly encourage you to change your passwords for any other services where you use the same password," the Spotify management also mentions.