Spotify users could see a rise in phishing emails if stolen personal details are used

News by Dan Raywood

More than 10,000 Spotify users could be hit by phishing attacks after the site was hit last week.

Spotify attributed the incident to a bug in its software. Encrypted passwords were taken along with registration information: email addresses, dates of birth, gender, postal codes and billing receipt details.


Spotify said in a statement: “Last week we were alerted to a group that managed to compromise our protocols. After investigating, we concluded that this group had gained access to information that could allow rapid testing of password guesses, possibly finding the right one.


“The information was exposed due to a bug that we discovered and fixed on December 19, 2008. Until last week we were unaware that anyone had had access to our protocols to exploit it.”
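The capability Spotify describes, rapid offline testing of password guesses against a leaked store, is worth seeing concretely. The following is an added illustration written for this article, not Spotify's code, and the storage formats, wordlist and victim password are constructed assumptions (Spotify did not disclose how its passwords were encrypted). It cracks a constructed victim record under a fast, unsalted digest, repeats the attack against a salted PBKDF2 record, measures the guess rate each format allows, and shows the "re-store in a stronger format on next successful login" step that a forced password change would drive.

```python
"""Offline password guessing against a leaked credential store (added example)."""
import hashlib
import hmac
import os
import time

# Constructed sample data (assumption): a tiny wordlist and one victim.
WORDLIST = ["123456", "password", "spotify", "qwerty", "letmein", "music2009"]
VICTIM_PASSWORD = "letmein"
KDF_ITERATIONS = 100_000


def legacy_hash(password: str) -> str:
    """Fast, unsalted digest; stands in for an older 'encrypted password' format."""
    return hashlib.sha1(password.encode()).hexdigest()


def kdf_hash(password: str, salt: bytes, iterations: int = KDF_ITERATIONS) -> bytes:
    """Salted, deliberately slow derivation (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def crack_legacy(target_hex: str, wordlist):
    """Offline attack on the fast format: one digest per guess, no salt, so one
    precomputed table serves every user. Returns (password or None, guesses)."""
    for n, guess in enumerate(wordlist, 1):
        if hmac.compare_digest(legacy_hash(guess), target_hex):
            return guess, n
    return None, len(wordlist)


def crack_kdf(target: bytes, salt: bytes, iterations: int, wordlist):
    """Same attack on the slow format: each guess costs `iterations` HMAC calls
    and the per-user salt means the work cannot be shared across accounts."""
    for n, guess in enumerate(wordlist, 1):
        if hmac.compare_digest(kdf_hash(guess, salt, iterations), target):
            return guess, n
    return None, len(wordlist)


def guesses_per_second(hash_once, seconds: float = 0.25) -> float:
    """Rough offline guess rate for a hashing callable, by wall clock."""
    count = 0
    start = time.perf_counter()
    while time.perf_counter() - start < seconds:
        hash_once("guess%d" % count)
        count += 1
    return count / (time.perf_counter() - start)


def verify_and_migrate(record: dict, password: str):
    """Verify a login and, if the record is still in the legacy format, re-store
    it in the slow salted format. Returns (verified, record_to_store)."""
    if record["format"] == "legacy":
        if not hmac.compare_digest(legacy_hash(password), record["hash"]):
            return False, record
        salt = os.urandom(16)
        return True, {"format": "pbkdf2", "salt": salt,
                      "iterations": KDF_ITERATIONS,
                      "hash": kdf_hash(password, salt, KDF_ITERATIONS)}
    ok = hmac.compare_digest(
        kdf_hash(password, record["salt"], record["iterations"]), record["hash"])
    return ok, record


if __name__ == "__main__":
    leaked = legacy_hash(VICTIM_PASSWORD)          # what an attacker walks off with
    print("legacy format cracked:", crack_legacy(leaked, WORDLIST))
    salt = os.urandom(16)
    stored = kdf_hash(VICTIM_PASSWORD, salt)
    print("kdf format cracked:   ", crack_kdf(stored, salt, KDF_ITERATIONS, WORDLIST))
    fast = guesses_per_second(legacy_hash)
    slow = guesses_per_second(lambda p: kdf_hash(p, salt))
    print(f"guesses/second: legacy={fast:,.0f}  pbkdf2={slow:,.1f}")
```

Both attacks find a password that is in the wordlist; the difference is cost. The slow format does not stop guessing of weak passwords, it only buys time, which is why a forced reset (as McCready later suggests) rather than a silent re-hash is the response once the store is known to be in attackers' hands.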


Simon McCready, a partner in Deloitte's media team said: “Users who have given their personal information in return for free music may not see security as a priority.


“Although credit card information was not compromised in this incident, a date of birth and partial address details could be sufficient information to commit identity theft and obtain a credit card fraudulently. Users also need to be wary of phishing emails from the hackers seeking additional information after this initial loss.”


McCready said that Spotify's reference to a bug suggests a flaw in the design of its web application.


He said: “They may be too quick to jump to the conclusion that credit card data is secure, as often there is a degree of trust between the merchant site and the agent taking payment; it would suggest they need to do a more comprehensive review of their application. Whilst Spotify should mandate users to change their passwords to the new format on their next login, this needs to be done in a way to minimise the phishing risk.”

However Mark Fulbrook, UK and Ireland director of Cyber-Ark, was more critical of Spotify's actions. He said: “Had the company protected the personal data of its customers, perhaps using a data vaulting technology, then this public relations fiasco would not have happened. All that Spotify has done is to make a series of postings advising customers to change their passwords. Sure, the company claims it is reinforcing its security, but this is like locking the door after the horse has bolted.”

