Major e-music site hit by hackers

06 March 2009

Spotify, an advertising-driven e-music site launched in 2006 and with more than a million users across Europe, has suffered a data breach involving the personal details of around 10 000 members.

Unconfirmed reports suggest that a group of hackers spent several weeks breaking down the IT security protocols of the website, and succeeded in obtaining the details of a 'small' number of users.

Fortunately for Spotify and its users, the data breach appears to have only affected the site's free-music users, as the payment card details of premium users - who pay to listen to music without regular adverts - are handled by a third-party company.

In a statement sent to Spotify's members this week, the website said: "Last week we were alerted to a group that managed to compromise our protocols.

"After investigating, we concluded that this group had gained access to information that could allow rapid testing of password guesses, possibly finding the right one."

"The information was exposed due to a bug that we discovered and fixed on December 19 2008. Until last week we were unaware that anyone had had access to our protocols to exploit it."

Infosecurity understands that the data extracted by the hackers includes members' names, email addresses, birthdays and postal codes.

Spotify is advising all of its users - especially those who registered prior to December 19 - to change their passwords on the music service, as well as on any other online system where they used the same password.

The way that the music website handled news of the data breach has drawn criticism.

In a blog entry, for example, the BBC's technology editor Rory Cellan Jones said that he was involved in a BBC radio program on Spotify in which Daniel Ek, the company's founder, was interviewed over the phone from his Stockholm headquarters.

"What Mr Ek never breathed a word about was the security breach - but I notice that the blog post about the issue went up on the Spotify site at 16.31 on Wednesday, just half an hour after we came off air. Surely Daniel Ek knew about the issue before he went on 5 Live - and could have taken the opportunity to reassure subscribers," said Cellan Jones.

According to the BBC technology editor, "while some subscribers praised the company for its openness, others were not impressed, like this one: 'Your server's been overloaded when you could have given that detail and calmed everyone down. Very not clever'."

"Despite the reassurance that no credit card details were at risk, this is going to make it all the harder for Spotify to persuade people to upgrade to the premium service - and start making serious money."

"And that really would be 'very not clever'," he added.
