Spotify partner companies may have been able to see some user passwords
Certain Spotify partner companies were able to view the data of some Spotify users for more than six months. These companies ‘possibly’ had access to, among other things, the email address, password and date of birth of the users.
Spotify describes a vulnerability in its system that accidentally showed Spotify account registration information to ‘certain’ partner companies. It is unclear exactly which data was visible; the music streaming service says it is ‘possible’ that this included e-mail address, account name, password, gender and date of birth. It is unclear whether this information was encrypted. The company says this information has been “exposed” to partner companies. Spotify has notified affected customers and the California prosecutor of the vulnerability. TechCrunch has published the letter addressed to California authorities.
The streaming service found out about the vulnerability on November 12. The company estimates that the vulnerability has been there since April 9. Spotify has reset the password of users affected by the vulnerability. Companies that may have had access to the data have been contacted by Spotify ‘to make sure’ that they have deleted the data. It is not clear how many customers have been affected by the vulnerability. A spokesperson tells TechCrunch that it concerns ‘a small part’ of Spotify users.