Streaming music site Spotify has been hit by hackers who’ve gained access to user account details. Fortunately, credit card details of paid subscribers are not at risk.
The attack affects the estimated 10,000 accounts that were created on or before December 19 last year. Spotify found and fixed a security bug on that date, but has only just discovered that people were able to exploit it.
The data potentially at risk includes e-mail addresses, dates of birth and postal (zip) codes. Credit card details used for the ad-free subscription service are not at risk, as they are processed by a third-party organization.
The hackers have also gained access to user names, but it appears they will only have discovered the length of the accompanying passwords. In theory they could attempt to use brute force to figure out the passwords (by trying every possible combination of letters and numbers), but as they should only be able to do this on one account at a time, it would likely be the accounts with the shortest passwords that are at risk.
There’s not a great deal the hackers could do on Spotify with any uncovered passwords (besides introducing you to some new artists), but the fear is that they’d take advantage of users who have the same log-in details for other, more sensitive, Web sites.
The incident is a good reminder of the importance of having lengthy passwords, of mixing letters and numbers (to stop hackers saving time by simply trying words from a dictionary list rather than the much larger number of random combinations), and of using different passwords for different sites, particularly those where you consider security most important.
Users should also watch out for phishing attempts through e-mails claiming to come from Spotify and asking for confirmation of log-in details. As always, you should visit password-protected sites and services by typing the Web site address directly rather than following links in e-mails, no matter how legitimate they seem.