Spotify Password Reset: Security Bug Exposes User Data

December 10, 2020
Spotify has taken action to secure user accounts by resetting the passwords of an unspecified number of individuals. This measure follows the identification of a security flaw within its systems that potentially revealed private account details to its commercial collaborators.

According to a notification submitted to the California attorney general, the compromised data “could have encompassed email addresses, chosen usernames, passwords, gender, and birthdates, but only with select Spotify business partners.” The company refrained from identifying these partners, while clarifying that the information “was not made available to the general public.”

Spotify indicated that the vulnerability had been present since April 9th but went undetected until November 12th. Consistent with typical data breach disclosures, Spotify did not describe the nature of the vulnerability or the precise mechanism by which user account data was exposed.

“A thorough internal review has been completed, and we’ve communicated with all business partners who might have accessed your account information, confirming the deletion of any personal data that may have been unintentionally shared with them,” the notification stated.

Adam Grossberg, a representative for Spotify, verified that a “limited number” of Spotify users were impacted, but declined to provide exact numbers. Spotify currently serves over 320 million users, including 144 million paying subscribers.

This incident marks the second occasion in recent months that Spotify has initiated a password reset for its users.

Previously, security analysts discovered an exposed database, believed to be controlled by malicious actors, which reportedly held approximately 300,000 compromised user passwords. This database was likely intended for credential stuffing, in which lists of credentials stolen from one site are tried against other websites in the expectation that some users reused the same email and password.
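Credential stuffing has a recognisable footprint in authentication logs: one source tries many distinct accounts, most attempts fail, and the few that succeed are the accounts worth resetting first. The following is an added example, not Spotify's code or anything from the notification above; it assumes a hypothetical log format (`timestamp ip=… user=… result=ok|fail`), uses constructed sample lines, and applies thresholds (at least five distinct accounts from one source with a failure ratio of 60% or more) that are illustrative rather than tuned for any real service.

```python
"""Flag credential-stuffing sources in login logs and list the accounts to reset.

Added illustration; the log format, the sample lines and the thresholds are
assumptions for the example, not Spotify's own data or detection logic.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log lines (not from any real system).
# One source (203.0.113.5) walks through many accounts with mostly failures:
# the stuffing pattern. 192.0.2.9 hammers a single account (a different
# pattern, not flagged here), and 198.51.100.7 is a normal user.
SAMPLE_LOG = """\
2020-11-12T10:00:01Z ip=198.51.100.7 user=alice result=ok
2020-11-12T10:00:04Z ip=198.51.100.7 user=alice result=ok
2020-11-12T10:01:00Z ip=203.0.113.5 user=alice result=fail
2020-11-12T10:01:01Z ip=203.0.113.5 user=bob result=fail
2020-11-12T10:01:02Z ip=203.0.113.5 user=carol result=fail
2020-11-12T10:01:03Z ip=203.0.113.5 user=dave result=ok
2020-11-12T10:01:04Z ip=203.0.113.5 user=erin result=fail
2020-11-12T10:01:05Z ip=203.0.113.5 user=frank result=fail
2020-11-12T10:05:00Z ip=192.0.2.9 user=bob result=fail
2020-11-12T10:05:30Z ip=192.0.2.9 user=bob result=fail
2020-11-12T10:06:00Z ip=192.0.2.9 user=bob result=ok
"""

# Hypothetical log line format assumed for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


@dataclass
class SourceStats:
    """Per-source-IP counters used for the detection decision."""
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)


def parse_log(text: str) -> list[dict]:
    """Parse log text into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            continue
        events.append(m.groupdict())
    return events


def aggregate_by_source(events: list[dict]) -> dict[str, SourceStats]:
    """Count attempts, failures and distinct target accounts per source IP."""
    stats: dict[str, SourceStats] = defaultdict(SourceStats)
    for e in events:
        s = stats[e["ip"]]
        s.attempts += 1
        s.users.add(e["user"])
        if e["result"] == "fail":
            s.failures += 1
    return stats


def flag_stuffing_sources(events, min_distinct_users=5, min_fail_ratio=0.6):
    """Return (ip, distinct_users, fail_ratio) for sources that look like stuffing.

    A single-account brute force has many failures but one user, so it does
    not trip the distinct-user threshold; that keeps the two patterns apart.
    """
    flagged = []
    for ip, s in aggregate_by_source(events).items():
        ratio = s.failures / s.attempts
        if len(s.users) >= min_distinct_users and ratio >= min_fail_ratio:
            flagged.append((ip, len(s.users), round(ratio, 2)))
    return sorted(flagged)


def accounts_to_reset(events, flagged):
    """Accounts that authenticated successfully from a flagged source.

    These are the accounts whose password was evidently on the attacker's
    list, so a defender resets them first (the proactive reset described
    in the article), rather than forcing a reset on every user.
    """
    bad_ips = {ip for ip, _, _ in flagged}
    return sorted({e["user"] for e in events
                   if e["ip"] in bad_ips and e["result"] == "ok"})


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    hits = flag_stuffing_sources(evts)
    print("flagged sources:", hits)
    print("reset first:", accounts_to_reset(evts, hits))
```

In production the same counters would be kept per sliding time window and combined with other signals (ASN, user agent, known-breach password checks), but the core decision, many accounts from one source with a high failure rate, is what distinguishes stuffing from ordinary forgotten-password noise.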

While the data in that earlier instance did not originate from Spotify itself, the company proactively reset passwords for potentially affected user accounts.

Tags: spotify, security breach, password reset, data leak, account security