
March 5, 2009

Spotify playing the blues after major hacking attack

By John Lister





Streaming music site Spotify has been hit by hackers who’ve gained access to user account details. Fortunately, credit card details of paid subscribers are not at risk.

The attack affects an estimated 10,000 accounts, all created on or before December 19 last year. Spotify found and fixed a security bug on that date, but has only just discovered that people had been able to exploit it.

The data which is potentially at risk includes e-mail addresses, dates of birth and postal (zip) codes. Credit card details used for the ad-free subscription service are not at risk as they are processed by a third party organization.

The hackers have also gained access to user names, but it appears they will only have discovered the length of the accompanying passwords. In theory they could attempt to brute-force the passwords (by trying every possible combination of letters and numbers), but as they should only be able to do this on one account at a time, the accounts with the shortest passwords would be the ones most at risk.

There’s not a great deal the hackers could do on Spotify with any uncovered passwords (besides introducing you to some new artists), but the fear is that they’d take advantage of users who have the same log-in details for other, more sensitive, Web sites.

The incident is a good reminder of the importance of having lengthy passwords, mixing letters and numbers (so that hackers cannot save time by simply trying words from a dictionary list rather than the much larger number of random combinations), and using different passwords for different sites, particularly those where you consider security most important.

Users should also watch out for phishing attempts through e-mails claiming to come from Spotify and asking for confirmation of log-in details. As always, visit password-protected sites and services by typing the Web site address directly rather than following links in e-mails, no matter how legitimate they seem.


    One Response to “Spotify playing the blues after major hacking attack”

    1. Priestley119:

      You’ve mentioned that the users of the site need to be cautious in their choice of passwords. I would argue that it also highlights potential deficiencies in the company’s information security arrangements.

According to the latest UK Government Security Breaches Survey (2008) (http://www.pwc.co.uk/eng/publications/berr_information_security_breaches_survey_2008.html), companies still have a way to go in taking information security seriously. For instance, 52% do not undertake formal security risk assessments; 48% of disaster recovery plans are not regularly tested and 21% of companies spend less than 1% of their IT budget on information security.

I agree that the users should be careful in their selection of usernames and passwords, but we should be able to expect better than this from a digital media company.
