Security Bug Plagues Spotify, Changes User Passwords Yet Again

Spotify has alerted an unspecified number of users regarding a data breach, its third for the year 2020, states Threat Post. Following this, the music streaming giant has taken to resetting the passwords of users. The streaming service states that a software bug is to blame for the breach.

The data breach disclosure comes in the wake of similar attacks on the company. According to Threat Post, in late November, Spotify also encountered credential-stuffing operations.

Apart from this, various artist pages were also hijacked by a malicious actor who goes by the name of “Daniel.” The threat actor reportedly used these artist pages to make his love for Taylor Swift and President Donald Trump known to the public.

Security Bug Plagues Spotify

The company disclosed the incident in a letter to the California attorney general’s office dated Wednesday, December 9, 2020, in accordance with the new data privacy law called the California Consumer Privacy Act.

In its statement, Spotify said that the software vulnerability was only discovered on November 12 this year. However, the flaw had been in existence since April 9, 2020.

The information most likely exposed to certain business partners by the incident includes users’ email addresses, display name, password, gender, and date of birth, said the company in its statement.

The streaming service did not name the business partners in question. However, Tech Crunch states that Spotify “did not make this information publicly available.”

Following the discovery of the vulnerability in its system, the music streaming giant said that it has “conducted an internal investigation and have contacted all of our business partners that may have had access to your account information to ensure that any personal information that may have been inadvertently disclosed to them has been deleted.”

Besides investigating the incident, the company said that it had already reset the passwords of users to “help keep your account secure.”

Despite this, Spotify still urges users to be more vigilant and to change the passwords of all other accounts in which the same email address and password are used.

When asked by Tech Crunch how many users were affected by the breach, the company failed to give a specific number. Instead, the spokesperson said that “only a very small subset of Spotify users were impacted by a software bug, which has now been fixed and addressed.”

The company also maintains that it remains unaware of any personal information being misused.