Spotify announced that it had reset an undisclosed number of user passwords. In its data breach notification to the California Attorney General, the company said that user information such as email address, preferred display name, password, gender and date of birth may have been inadvertently exposed to certain business partners of Spotify. The company did not name those partners, but stressed that it does not make such information public.
Spotify said the vulnerability had existed since April 9 but was not discovered until November 12.
In the same notice, Spotify said it was conducting an internal investigation and contacting any business partners that may have had access to the affected account information, to ensure that any personal information inadvertently disclosed to them is deleted.
Spotify spokesperson Adam Grossberg confirmed that only a small number of Spotify users were affected, but did not give a specific figure. With more than 320 million users, 144 million of them premium subscribers, even what the company describes as a "small" share could amount to thousands of accounts.
Last month, security researchers found an unsecured database, operated by hackers, that allegedly contained about 300,000 stolen user passwords. The database was probably used for credential stuffing attacks, in which lists of credentials stolen from one site are tried against other sites where users have reused the same password. Even though that leaked data did not come from Spotify's own systems, the company reset the passwords on the affected user accounts.
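The defensive step described above, checking a leaked credential list against one's own user store and forcing a reset wherever a leaked password still works, can be automated. The following is an added illustration, not Spotify's code or anything from the notification: the user records, the salted PBKDF2 hashing, the `email:password` combo-list format and every email and password in it are constructed for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

PBKDF2_ITERATIONS = 50_000  # assumed work factor for this illustration


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, standing in for whatever hash a site really stores."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


@dataclass
class UserRecord:
    email: str
    salt: bytes
    pw_hash: bytes
    force_reset: bool = False


def make_user(email: str, password: str) -> UserRecord:
    """Create a record with a fresh random salt; the plaintext is never kept."""
    salt = os.urandom(16)
    return UserRecord(email.lower(), salt, hash_password(password, salt))


# Constructed user store: three hypothetical accounts on the site being defended.
USERS = {
    u.email: u
    for u in (
        make_user("alice@example.com", "Winter2020!"),
        make_user("bob@example.com", "b0b-uses-a-unique-passphrase"),
        make_user("carol@example.com", "qwerty123"),
    )
}

# Constructed credential dump in the common "email:password" line format.
# Invented values, not data from any real leak.
LEAKED_DUMP = """
# combo list, hypothetical
alice@example.com:Winter2020!
bob@example.com:Password1
Carol@Example.com:qwerty123
dave@example.com:letmein
this line is malformed
"""


def parse_dump(text: str) -> list[tuple[str, str]]:
    """Parse email:password lines, skipping comments, blanks and malformed rows."""
    creds = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        email, sep, password = line.partition(":")
        if not sep or "@" not in email:
            continue
        creds.append((email.lower(), password))
    return creds


def find_reused_credentials(users: dict, leaked: list) -> list[str]:
    """Emails of local accounts whose leaked password verifies against the stored hash.

    A match means the account is directly exploitable by credential stuffing,
    regardless of which site the dump was originally stolen from.
    """
    hits = set()
    for email, password in leaked:
        user = users.get(email)
        if user is None:
            continue  # not our customer; nothing to do
        candidate = hash_password(password, user.salt)
        if hmac.compare_digest(candidate, user.pw_hash):
            hits.add(email)
    return sorted(hits)


def force_password_reset(users: dict, emails: list) -> list[str]:
    """Flag matched accounts so their next login requires a new password; return all flagged."""
    for email in emails:
        users[email].force_reset = True
    return sorted(e for e, u in users.items() if u.force_reset)


if __name__ == "__main__":
    exposed = find_reused_credentials(USERS, parse_dump(LEAKED_DUMP))
    print("accounts exposed by password reuse:", exposed)
    print("accounts now forced to reset:", force_password_reset(USERS, exposed))
```

Only accounts whose leaked password actually verifies are reset; a matching email with a different password (bob above) is left alone, since a blanket reset of every email that appears in any dump would punish users who never reused the credential. Because the check runs the site's own password hash per leaked row, it should be batched offline rather than run on the login path.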