Major e-music site hit by hackers

Unconfirmed reports suggest that a group of hackers spent several weeks breaking down the IT security protocols of the website, and succeeded in obtaining the details of a 'small' number of users.

Fortunately for Spotify and its users, the data breach appears to have affected only the site's free-music users, as the payment card details of premium users - who pay to listen to music without regular adverts - are handled by a third-party company.

In a statement sent to Spotify's members this week, the website said: "Last week we were alerted to a group that managed to compromise our protocols.

"After investigating, we concluded that this group had gained access to information that could allow rapid testing of password guesses, possibly finding the right one.

"The information was exposed due to a bug that we discovered and fixed on December 19 2008. Until last week we were unaware that anyone had had access to our protocols to exploit it."

Infosecurity understands that the data extracted by the hackers includes the affected users' names, email addresses, birthdays and postal codes.

Spotify is advising all of its users - especially those who registered prior to December 19 - to change their passwords on the music service, as well as on any other online system where they used the same password.

The way that the music website handled news of the data breach has drawn criticism.

The BBC's technology editor Rory Cellan Jones, for example, said in a blog entry that he was involved in a BBC radio programme on Spotify in which Daniel Ek, the company's founder, was interviewed over the phone from his Stockholm headquarters.

"What Mr Ek never breathed a word about was the security breach - but I notice that the blog post about the issue went up on the Spotify site at 16.31 on Wednesday, just half an hour after we came off air. Surely Daniel Ek knew about the issue before he went on 5 Live - and could have taken the opportunity to reassure subscribers," said Cellan Jones.

According to the BBC technology editor, "while some subscribers praised the company for its openness, others were not impressed, like this one: 'Your server's been overloaded when you could have given that detail and calmed everyone down. Very not clever'."

"Despite the reassurance that no credit card details were at risk, this is going to make it all the harder for Spotify to persuade people to upgrade to the premium service - and start making serious money.

"And that really would be 'very not clever'," he added.