Spotify user details compromised in major hack

Hackers may have compromised Spotify user account details

Online music service Spotify has become the latest web firm to suffer a major hack, after revealing yesterday that criminals may have accessed user registration details.

The company said in a security notice on the site that it had been "alerted to a group that managed to compromise our protocols", and could have stolen passwords, email addresses, birth dates, gender details, post codes and billing receipt information.

Credit card details are safe, according to Spotify, as payment is handled by a third party provider.

"After investigating, we concluded that this group had gained access to information that could allow rapid testing of password guesses, possibly finding the right one," read the security notice.

"The information was exposed due to a bug that we discovered and fixed on 19 December 2008. Until last week, we were unaware that anyone had had access to our protocols to exploit it."

Spotify is urging users who signed up before 19 December to change their passwords for the site, and for any other services where they have used the same passwords.

Graham Cluley, senior technology consultant at Sophos, warned in a blog post that too many people use the same password on every web site they access.

"That's the real story here," he said. "If just one web site has a security blunder, all of your online information may be at risk."

Simon McCready, a partner in the media team at consultancy Deloitte, argued that date of birth and partial address details could be sufficient information to commit identity theft and obtain a credit card fraudulently.

"Users who have given their personal information in return for free music may not see security as a priority," he added. "Users also need to be wary of 'phishing' emails from the hackers seeking additional information after this initial loss."