Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Security Music

Spotify Resets Passwords After a Security Bug Exposed Users' Private Account Information (techcrunch.com) 19

Jerry Rivers shares a report from TechCrunch, adding: "...and it took the music service seven months to notice." From the report: In a data breach notification filed with the California attorney general's office, the music streaming giant said the data exposed "may have included email address, your preferred display name, password, gender, and date of birth only to certain business partners of Spotify." The company did not name the business partners, but added that Spotify "did not make this information publicly accessible." The company says the vulnerability existed as far back as April 9 but wasn't discovered until November 12. It didn't say what the vulnerability was or how user account data became exposed.

"We have conducted an internal investigation and have contacted all of our business partners that may have had access to your account information to ensure that any personal information that may have been inadvertently disclosed to them has been deleted," the letter read.
This discussion has been archived. No new comments can be posted.

Spotify Resets Passwords After a Security Bug Exposed Users' Private Account Information

Comments Filter:
  • Sue them under GDPR (Score:5, Interesting)

    by cvanderheyden ( 7417098 ) on Friday December 11, 2020 @05:07AM (#60818748)
    EU courts should sue them for breaching GDPR legislation: Sharing personal information with 3rd parties without user consent! That should set a good example... Liabilities under GDPR are quite impressive, it might instigate other companies to pay more attention to their security infrastructure
    • by teg ( 97890 )

      EU courts should sue them for breaching GDPR legislation: Sharing personal information with 3rd parties without user consent! That should set a good example... Liabilities under GDPR are quite impressive, it might instigate other companies to pay more attention to their security infrastructure

      I don't think they will face GDPR consequences for this. GDPR isn't about punishing good efforts - they need to have routines wrt personal information and security, and if/when these fail, they need to follow some routines wrt. notification.

      • by ytene ( 4376651 ) on Friday December 11, 2020 @06:42AM (#60818850)
        Actually, in this instance I think that cvanderheyden has the right idea. The lead article includes the following statement:-

        "We have conducted an internal investigation and have contacted all of our business partners that may have had access to your account information to ensure that any personal information that may have been inadvertently disclosed to them has been deleted," the letter read.

        If Spotify are saying that their business partners "may have had access to personal information" that was "inadvertently disclosed", that, right there, is a potential smoking gun for a GDPR breach. The GDPR includes the concept of a "lawful basis for processing", with six conditions, at least one of which must be met in order to give Spotify legal cover for their actions. Voluntarily sharing personal information with a third party for Spotify's benefit [and not their customer's benefit], if it happens without the knowledge and approval of the customer, would constitute a breach.

        The language of the above statement suggests - hints - that they are aware of their predicament. The GDPR makes a distinction between an accidental breach and a wilful or system breach. If the breach occurred, for example, through a mis-addressed email, that would be an accident. But if the breach occurred because of an established or automated business process, then that constitutes something significantly more material.

        I stress that we don't know the specifics here - and detail is going to be crucial in order to understand any liability Spotify might have. But the language of their statement suggests that they are making a tacit admission that they have been sharing customer data with third parties that should not have been shared.

        If this is a wilful breach, then maximum penalties, no excuses - and a legal requirement for them to put all their EU customers under credit protection cover for a couple of years, too.
  • I'm really annoyed by this. I recently switched from Google Music to Spotify. It was when Google moved to Youtube Music and it was really mostly because my son wanted to use Spotify on his Playstation.

    Now, when I went to their web site to create an account, they would only allow you to use your email or facebook. Installing Spotify on my phone though required no such thing: I was able to sign in with Google!

    I then proceeded to log in online with Google sign-in (!) and use the web player just fine!

    So I thoug

    • Spotify is owned by Alphabet. If they don't offer Google Sign-In now, they will shortly. If I had to bet, it's down temporarily while they integrate the code path more tightly.

      The better to see you with, my dear.

      • by aitikin ( 909209 )

        Spotify is owned by Alphabet.

        Source for that? I remember there being talks of Alphabet/Google buying it, but I don't recall it happening and Spotify is still publicly traded on the NYSE under the ticker SPOT.

  • by jonwil ( 467024 ) on Friday December 11, 2020 @06:11AM (#60818818)

    Its 2020, there is NO reason to store a password anymore. You store a password hash (ideally made with a good quality password hashing algorithm that includes a salt).

  • i dont know about ya'll but Spotify, technically, is a complete shit show. their web player for video is as basic as it comes. any one of us here could improve it ten fold in a week yet they are a massively funded corp. wtf are their devs working on ffs?!?
    • > wtf are their devs working on ffs?!?

      I only know one person working at Spotify, but he's a loud-mouth and kinda retarded (the kind that won't learn because he already knows everything). He got the job because he was willing to work for low wages.

      With the Alphabet cash infusion I would hope they can hire better people now, but the old crew may be in charge.

    • wtf are their devs working on ffs?!?

      Probably having a circle jerk with eBay's devs telling each other how great they are and how their code is the best in the world while it's total shit.

      • JFC ebay is shit. I'm coming up on 10 years working for an ecommerce company that is on multiple platforms. They have multiple ebay accounts.

        ebay just doesn't have "businesses" in mind.
        No multi-user support. Everyone from janitor to CEO shares the same login. ebay has recently come up with their own frankenstein idea of "multi-user" but it involves having your employees make their own personal ebay account, and then you delegate permission to them. That is bogus. Amazon and Walmart get this correct. ebay i
  • WHY are they storing passwords? Why not password salts? The salts would be an added layer of security.

  • Spotify have a policy to compensate for this?

You know you've landed gear-up when it takes full power to taxi.

Working...