Spotify User Passwords Reset After New Security Incident

Spotify seems like it cannot catch a break. After a database was found floating online, containing data that belonged to Spotify users in late November 2020, now the company effected a new password reset wave to a chunk of other users.

The new incident involved Spotify unwittingly exposing chunks of user private information to a certain number of its business partners. According to the official notification that the company filed, the exposed information "may have contained" users' e-mails, display names, passwords as well as gender and date of birth.

The notification mentions that the data exposure took place because of a software vulnerability that seems to have existed for seven months but was spotted only in mid-November 2020. There was no specific information on the vulnerability that led to the incident or any specifics about how it took place.

If that's any consolation, Spotify also contacted the business partners that "may have" been able to access Spotify customer information, to somehow "ensure" that this information has been promptly deleted.

The company also did not release any information concerning the exact scope of the exposed information and the number of users that were affected by it. The only description of the incident's volume was that a "small subset" of users were affected. A small subset of over 320 million users can be any seven-digit figure, or more.

The previous incident involving Spotify user data took place in late November. Security researchers doing their usual sweep for unsecured online databases found one leaky database, very likely operated by hackers, full of passwords and likely used for credential stuffing.

Spotify pushed another mass password reset for any of the users whose credentials were found in the hacker database. The affected users were notified by e-mail.