Updated security notice

It seems that there is some confusion about who may be at risk due to the recently communicated leak of information that could be used to guess some users’ passwords. To clarify, your password is at risk only if all of the following apply:

  • You had a Spotify account before December 19th, 2008
  • You have not changed your password since December 19th, 2008
  • You have a weak password
  • Someone from a small group of people asked our servers specifically to see your account details before that date
  • Someone from the same small group decided to put computation time towards guessing your password

If your Spotify account was created before December 19th, 2008 you should have received an email about the issue by now, assuming that the email address you stated when registering the account was correct.


  1. Appreciate your candid and open attitude to such an important issue. I’m sure everyone else will understand it too. Keep well and rock on!

  2. If it’s true that you’re not affected unless a group has contacted you for account details, then I’m really disappointed you were not more clear about it in the last post. Most people would instantly know if they’ve allowed someone on the net to look at specific details.

    Your server’s been overloaded when you could have given that detail and calmed everyone down. Very not clever.

  3. Good to see that you are active on Twitter and how that channel was active when your website was down. As for this issue I recommend everyone to change password, no matter how safe you think it is.

  4. Hmm.. As far as I know, it is NOT possible to change your password if you have a Premium account through Telenor in Sweden? What to do then?

  5. @greenbayd: This is not about phishing. What is meant is that someone who had reverse-engineered the Spotify protocol could ask our servers for the details.

  6. First the removal of many songs and now this. You guys are over and out… sorry but this is just so crazy. I will ensure a refund for my annual payment.

  7. @ehn: Sorry, I got it all wrong, which means someone potentially still could have my pw.

    I assume it’s a more than slim risk anything will happen, but someone potentially being aware of my pw is disturbing nonetheless.

    If someone had already hacked any other account with the same pw, who would be held accounted for it apart from the hackers? Not you, I guess, even if it was your security that failed.

  8. @nicon: Stop being such a cry baby. Spotify is great and will survive this little issue as well.

  9. Yeah maybe they will, but I agree, it’s still quite annoying that they have a lack in security. Luckily for me I didn’t use my original pw just because I had this small feeling just this would happen.
    Not good news!

  10. @greenbayd: if you use the same password on lots of sites, that’s your problem/fault/liability. No site is immune from security breaches. You can mitigate this risk, or you can make your life simpler. Your choice.

  11. Hmm.. this isn’t important news? Like that time with the restriction issue? It’s kinda bad you posted the yellow bar with “some important news” that time, but this is kept on your blog.. (just saying) sorry my english

  12. djck – All affected users were personally emailed so that they are aware, we thought this to be the most effective way to communicate to them.

  13. Thank you for handling this so well, Spotify. You gave a clear account on exactly what has happened and what the users who could be affected needed to do. Computer security is hard, and there are bound to be mistakes. This was corrected months back! Stop whining people, this kind of stuff is probably more common than you think, but every company is probably not reporting on it.

  14. The way Spotify have handled this situation is really good, open and honest, and the email I received gave clear instructions on how to deal with the problem. You still have my full trust and support! Thanks!

  15. I have a unique password for Spotify which BruteForce Attack Time Estimator says it will take 700 years to guess. I won’t change my password!

    If you have one simple short or word based password that you use on every site/app, including ones that are in BETA, you obviously don’t care enough about privacy anyways.

    Do yourselves a favor, get a good personal system for making up passwords that are easy to remember. Think for yourself and then try it in this excel sheet.


  16. I was registered before the 19th of December and to my knowledge have received no email from Spotify about any of this. I had to read about it in the paper.

    I am frankly not that concerned about my password which can be changed. I am however very concerned about my personal details – “The data at risk included our passwords, plus your email address, birth date, gender, postal code and billing receipt details.” – which cannot be changed and I would imagine this is what they were after in the first place.

  17. @hatbabe:

    I don’t agree. It’s ONLY my fault if I have a bad password and/or I haven’t dealt with it carefully. I have dealt with it very carefully, and there’s no way to figure it out. Brute forcing would take forever. One should preferably not use the same pw on several sites, but it’s pretty hard to remember every pw for every site you’re registered on. In this case it’s by no means my mistake that a company cannot provide secure hardware/software. Should one really have to assume companies cannot deal properly with confidential private details?

  18. This is rather misleading. Sure you fixed the password bug on the 19th, but isn’t it true all the other personal details like email, date of birth and postal addresses were still accessible until a few days ago? I think it’s important that you tell people if it was, this information may easily be enough for many “forgotten password” checks and such.

    Password hashes are not the only security and privacy problem here, but seem to be the only one you care about.

  19. The important question here is why this call where anyone can ask your servers for user details was ever written in the first place. There is no good reason for such a call to exist in an externally accessible API. Just because the protocol is obfuscated does not make it less of an externally accessible API.

    Never trust obfuscation.

  20. A completely different matter. If you could try to bring back the Swedish punk, I promise to get Spotify Premium once that has happened :)

  21. I think Spotify handled this very well and am rather impressed at their openness.

    I’m equally impressed by the despotify team, with the speed they reversed almost the entire protocol in such a very short time!

    It took me about a week (a few hours a day of analysis) just to find the proper join points for point cutting features I missed in the client, something which is magnitude less of an effort than reversing the protocol.

    Hats off to both teams!
    To the Despotify team for finding the security issue and the prompt, open and frank way the Spotify team managed the incident.

    PS. For those that want an explanation of the issue at hand, the following explanation was given by the Despotify team in their initial checkin of their open source Spotify client.

    Prior to the 19th of December 2008 Spotify happily told clients (including ours!) almost everything it knew about a particular user, if they asked for it.

    Legitimate requests for this are, for example, when you add someone else’s shared playlist.

    This allowed clients to see not only the last four digits of the credit card used to subscribe to the premium service, whether the user was a paying customer or preferred commercials, but also very interesting stuff such as the hash computed from SHA(salt || " " || password).

    In theory (HE HE!) this allowed any registered user to request somebody else’s user data, get ahold of the hash, and then use it to authenticate as that user.

    Fortunately, at least for Spotify and its users, this is not the case anymore. (R.I.P poor misfeature)

    However, we urge people to change their passwords for reasons left as an exercise for the reader to figure out.

    And do note, this weakness is >> no longer present << so posting this should not risk revealing anything new that would risk compromising your account information nor the spotify service (view it as historical background info to the topic discussed).
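The design flaw described in the quoted Despotify note, as an added illustration that is not Spotify’s or Despotify’s code: a user-details response that echoes every stored field hands out the stored hash, and since the server authenticates by comparing against that stored value, the hash is a password-equivalent. The fix is a deny-by-default allowlist of fields that leave the server. The SHA-1 choice, the field names and the sample record are assumptions constructed for this example.

```python
import hashlib
import hmac


def stored_credential(salt: str, password: str) -> str:
    """Server-side stored value, SHA(salt || " " || password) as the note describes.
    SHA-1 is an assumption here; the page only says "SHA"."""
    return hashlib.sha1(f"{salt} {password}".encode()).hexdigest()


# Constructed sample record; field names are assumed, not Spotify's real schema.
SAMPLE_USER = {
    "username": "alice",
    "email": "alice@example.invalid",
    "birth_date": "1980-01-01",
    "premium": True,
    "card_last4": "4242",
    "salt": "c0ffee",
    "password_hash": stored_credential("c0ffee", "correct horse"),
}


def details_before_fix(record: dict) -> dict:
    """Pre-19-Dec-2008 behaviour: every stored field echoed back to any client."""
    return dict(record)


# Only what a shared-playlist view actually needs; everything else is denied.
PUBLIC_FIELDS = frozenset({"username"})


def details_after_fix(record: dict) -> dict:
    """Allowlist view: credential material and PII never leave the server."""
    return {k: v for k, v in record.items() if k in PUBLIC_FIELDS}


def authenticate(record: dict, presented_hash: str) -> bool:
    """Server check for a client that sends the hash rather than the password.
    The comparison is against the stored value, so whoever holds the hash is
    indistinguishable from the user: the hash is a password-equivalent."""
    return hmac.compare_digest(record["password_hash"], presented_hash)


def leaks_password_equivalent(view: dict, record: dict) -> bool:
    """Defensive check: does any field of a response satisfy the authenticator?"""
    return any(isinstance(v, str) and authenticate(record, v) for v in view.values())
```

Running `leaks_password_equivalent` over each response shape shows the pre-fix view fails the check and the allowlisted view passes it; the salt does nothing against a weak password once the hash is in a client’s hands, which is the exercise the note leaves to the reader.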

  22. It’s also interesting to note that the Despotify team made another statement in the Swedish computer industry newspaper Computer Sweden yesterday (which you can read here if you understand Swedish: Despotify: “Vi vill inte skada Spotify”, http://computersweden.idg.se/2.2683/1.216161/despotify-vi-vill-inte-skada-spotify)

    In the article they basically say that they have no intention of harming Spotify and want to work with them. They are only doing what they are doing since Spotify has not released any official API yet. They also said that they had only compromised the accounts of friends and people that they know and in some cases Spotify employees but not anyone else.

    OK. You can choose to believe what they say or not but it does not look like they had any malicious intent in mind when they did this. That doesn’t really excuse what they did, they should have contacted Spotify when they found this security hole and helped them fix it. Hats off to Spotify also for being so candid. I think that they also know that only a handful of accounts have been compromised and none with any malicious intent but they have been up front and honest and not hidden anything. In fact I think they have been too up front and technical in their description of what happened which is the reason why it is backfiring in the popular press who are technically incompetent and don’t understand the issues.

  23. @digithed

    “That doesn’t really excuse what they did, they should have contacted Spotify when they found this security hole and helped them fix it.”

    Maybe that is what despotify did? I believe I saw somewhere that Spotify was informed of this bug by an anonymous party. This anonymous person could very well have been someone from despotify. One needs to test it with a few accounts first to be sure it really is a security hole.

    I am more afraid of the possibility of other reverse engineers who may not be as ethical.

  24. Yes this was really cool. We saw the BBC piece yesterday and frankly the BBC are starting to lame out on technical matters. Really cool you get down to the details – that’s what people need. All the best.