Spotify Resets User Passwords Following Account Data Exposure Incident

• Spotify discovered a vulnerability in its systems, which exposed user data to some of its business partners.
• This may or may not be related to last month’s massive account takeover wave and data leak.
• The music streaming platform continues to ignore the need to implement a 2FA step.

Spotify is sending notices of a data breach to its users, explaining why they had to reset the passwords of affected accounts and finally being transparent about the mystery that engulfed the situation since last month. A series of events that unfolded previously have made it clear that something had happened on Spotify, but the specifics have remained elusive thus far.

A large number of Spotify users lost access to their accounts after a successful wave of credentials stuffing, and at the same time, a database containing account details appeared online. At first, the Swedish music streaming platform failed to disclose anything specific, dismissing the possibility of having anything to do with the data leak. Naturally, people assumed that the leak came from a connected service.

However, and as Spotify explains in the notice now, there was a vulnerability on their system that existed between April 9, 2020, and November 12, 2020. This flaw exposed user account details such as registration information, email address, display name, password, gender, and birth date.

The platform clarifies that this information was not made public but may have been accessed by certain business partners. That said, last month’s credential stuffing attacks and the database that appeared online may or may not have been the result of this vulnerability. Spotify is neither admitting nor denying it.

Whatever assurances are given about the small chances of facing trouble from unauthorized use of this information doesn’t have much value at the end of the day. The resetting of the user passwords is the main protective step taken here. Spotify should have already added MFA options for protecting user accounts, but they still opt to ignore this essential security feature and postpone its implementation indefinitely.

Users who experience problems accessing their accounts or those who see signs of takeover/abuse should promptly inform the platform. For more information or assistance on what to do in the case of a takeover, send an email to “privacy@spotify.com.” In the meantime, Spotify is carrying out an internal investigation and reaching out to its partners to ensure that the account data they could be holding is irreversibly deleted.