Online music service Spotify
has become the latest web firm to suffer a major hack, after revealing yesterday
that criminals may have accessed user registration details.

The company said in a
notice on the site that it had been "alerted to a group that managed to
compromise our protocols", and could have stolen passwords, email addresses,
birth dates, gender details, post codes and billing receipt information.

Credit card details are safe, according to Spotify, as payment is handled by
a third party provider.

"After investigating, we concluded that this group had gained access to
information that could allow rapid testing of password guesses, possibly finding
the right one," read the security notice.

"The information was exposed due to a bug that we discovered and fixed on 19
December 2008. Until last week, we were unaware that anyone had had access to
our protocols to exploit it."

Spotify is urging users who signed up before 19 December to change their
passwords for the site, and for any other services where they have used the same

Graham Cluley, senior technology consultant at
warned in a
post that too many people use the same password on every web site they

"That's the real story here," he said. "If just one web site has a security
blunder, all of your online information may be at risk."

Simon McCready, a partner in the media team at consultancy
argued that date of birth and partial address details could be sufficient
information to commit identity theft and obtain a credit card fraudulently.

"Users who have given their personal information in return for free music may
not see security as a priority," he added. "Users also need to be wary of
'phishing' emails from the hackers seeking additional information after this