Spotify has reset the passwords for a number of its users after it identified a security flaw that could have exposed account data. The music streaming platform submitted a data breach notification to the Office of the Attorney General in California that outlined what happened, what information was involved, and what action Spotify has taken to address the matter. It follows the recent news that at least 300,000 Spotify accounts are thought to have been hacked earlier this year, with email addresses, login credentials, and other user data exposed.

California law requires organizations to notify residents whose unencrypted personal information may reasonably have been accessed by unauthorized parties. If it has been necessary to send a notification to more than 500 residents of California, a sample of the notification must be electronically submitted to the state's attorney general. This was the case for Spotify in this instance, with the notification appearing to take the form of a letter sent subsequent to a password reset email notification for each affected user.

The sample notification is dated December 9, 2020, but in it Spotify estimates that the security vulnerability dates back to April 9, 2020, and says that it was discovered on November 12, 2020. It states that the registration information of affected users, including their email address, preferred display name, password, gender, and date of birth, may have been exposed to certain business partners. In addition to resetting the passwords of affected users and sending them notification emails, Spotify says an internal investigation has been conducted and that any business partners that may have had access to the data have been contacted and asked to delete it if that is still the case.

Should Spotify Users Reset Their Passwords?

As noted, Spotify has contacted the users affected by the breach and had them reset their passwords. Users who have not received a password reset email and who have been able to continue using Spotify without needing to reset their password should not have been affected by the breach. Spotify also notes that it has "no reason to believe that any unauthorized use of the information has or will occur."

However, the data breach notification, coupled with the recent apparent hack, should give users pause for thought. While there is no reason to believe Spotify has been the victim of any other breaches or hacks that it is unaware of, there is always the chance, and the older a password is, the more likely it is to have been exposed. Security experts often say that passwords for any account should be changed every one to three months. While that may seem like overkill, users of Spotify and other online services should ask themselves when they last changed their passwords. If it was a long time ago, password changes may well be due.

Source: California Office of the Attorney General