Spotify security notice

Last week we were alerted to a group that managed to compromise our protocols. After investigating we concluded that this group had gained access to information that could allow rapid testing of password guesses, possibly finding the right one. The information was exposed due to a bug that we discovered and fixed on December 19th, 2008. Until last week we were unaware that anyone had had access to our protocols to exploit it.

Please see the updated security notice for clarifications!

Along with passwords, registration information such as your email address, birth date, gender, postal code and billing receipt details were potentially exposed. Credit card numbers are not stored by us and were not at risk. All payment data is handled by a secure third-party provider.

If you have an account that was created on or before December 19th, 2008, we strongly suggest that you change your password and strongly encourage you to change your passwords for any other services where you use the same password.

When choosing your password we provide you with an indicator of the password strength to help you choose a good one. To change your password please visit your profile page on our website.

For the technically minded amongst you, the information that may have been exposed when our protocols were compromised is the password hashes. As stated, we never store passwords, and they have never been sent over the Internet unencrypted, but the combination of the bug and the group’s reverse-engineering of our encrypted streaming protocol may have given outsiders access to individual hashes.

The hashes are salted, making attacks using rainbow tables infeasible. Short or otherwise bad passwords could still be vulnerable to offline targeted brute-force or dictionary attacks on individual users, but such attacks could not be run against many users in parallel. Also, there has been no known breach of our internal systems. A complete user database has not been leaked, but until December 19th, 2008 it was possible to access the password hashes of individual users had you reverse-engineered the Spotify protocol and knew the username.
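As an added illustration (not Spotify's code and not its actual scheme; SHA-256 with a 16-byte random salt is an assumption, and the accounts are constructed), the block below shows why a per-user salt defeats shared precomputed tables and why a short password nevertheless stays cheap to test one user at a time:

```python
import hashlib
import hmac
import os
import string
from typing import Dict, List, Tuple

# Constructed sample accounts (names and passwords invented for this example);
# two users happen to share the same short password.
SAMPLE_USERS = {"alice": "sunny1", "bob": "sunny1", "carol": "Tr0ub4dor&3"}


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted SHA-256 digest; the salt is stored next to the digest, not kept secret."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def build_store(users: Dict[str, str], salted: bool) -> Dict[str, Tuple[bytes, bytes]]:
    """Credential store of username -> (salt, digest). Unsalted stores use an empty salt."""
    store = {}
    for name, pw in users.items():
        salt = os.urandom(16) if salted else b""
        store[name] = (salt, hash_password(pw, salt))
    return store


def verify(store: Dict[str, Tuple[bytes, bytes]], name: str, password: str) -> bool:
    """Server-side login check: recompute with the stored salt and compare in constant time."""
    salt, digest = store[name]
    return hmac.compare_digest(digest, hash_password(password, salt))


def digests_collide(store: Dict[str, Tuple[bytes, bytes]], u1: str, u2: str) -> bool:
    """Do two users who chose the same password end up with the same stored digest?"""
    return store[u1][1] == store[u2][1]


def hash_evaluations(store: Dict[str, Tuple[bytes, bytes]], candidates: List[str]) -> int:
    """Cost model: digests needed to test every candidate against every record.
    One digest per candidate serves every record sharing a salt (a precomputed table),
    so an unsalted store costs len(candidates); per-user salts multiply that by N."""
    distinct_salts = {salt for salt, _ in store.values()}
    return len(distinct_salts) * len(candidates)


def brute_force_keyspace(password: str) -> int:
    """Naive keyspace from the character classes a password uses; a short password
    stays within reach of an offline attack on its single salted hash."""
    size = 0
    if any(c in string.ascii_lowercase for c in password): size += 26
    if any(c in string.ascii_uppercase for c in password): size += 26
    if any(c in string.digits for c in password): size += 10
    if any(c in string.punctuation for c in password): size += len(string.punctuation)
    return size ** len(password)
```

A fast hash such as SHA-256 still permits a very large number of guesses per second against one user's salted digest; a deliberately slow password hash (PBKDF2, bcrypt, scrypt) raises that per-guess cost, which is the mitigation the salt alone does not provide.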

We are really sorry about this and hope you accept our apologies. We’re doubling our efforts to keep the systems secure in order to prevent anything like this from happening again.


  1. I’m guessing you’re talking about despotify.
    I sincerely hope you won’t go after ’em or try to shut the project down.

    For now, you’ve limited it so despotify only works with premium accounts, and the despotify team have said they’re not going to try to work around that.
    In other words, right now they’re providing a service that can more or less only be used by premium members.

    Since there’s been no update on when there’s an official Spotify API coming out, despotify is currently the best option for integrating with a HTPC.

    Let there be a truce :o

  2. jordan.stone – That is correct, only accounts registered on or before Dec 19th are affected.

  3. I’m more interested in why I find out about this by clicking a random link on IRC instead of Spotify mailing all its users to warn them about the security breach.

  4. So, how do I know the date I was registered? Does this mean that all accounts after 18th are fully secured?

  5. So you’re storing our passwords in plain text? What on earth for? Welcome to 2009, you can use wonderful things like hashing, salts and all that wonderfulness.

  6. This is totally unacceptable.

    “We are really sorry about this and hope you accept our apologies. We’re doubling our efforts to keep the systems secure in order to prevent anything like this from happening again”

    I would be ashamed if I were the one responsible at Spotify right now.

  7. @raybooysen: Read the text before you ask.

    “As stated, we never store passwords, and they have never been sent over the Internet unencrypted, but the combination of the bug and the group’s reverse-engineering of our encrypted streaming protocol may have given outsiders access to individual hashes.”

  8. This most likely is about despotify, it has comments describing this problem. I wonder if spotify knew about this before the source was released though, afaik it has not been out very long.

  9. bit pathetic given that my pass is the same for a number of other accounts. if you could tell us who might be affected then that would help

  10. adam2484 – Users who created an account before Dec 20th are affected. If you are, we’re sending an email to you as well right now.

  11. Thanks for the email notification. Much appreciated as I don’t check the blog all that regularly.

  12. Wow, pretty big breach of security there, guys. Why weren’t you aware of this sooner? I’m sure you must have realised – being the buzz-word on the web at the moment – that some users were going to go looking for flaws. You should have been rigorously checking for such things yourselves on a regular basis. Colour me disappointed.

    > We’re doubling our efforts to keep the systems secure in order
    > to prevent anything like this from happening again.

    Care to elaborate on this? I’d like to know exactly what measures you’re taking.


  13. I think some people are being ridiculously rude here, Andres has already stated that emails have been sent out to those affected, and @nacho I’m completely sure actions were taken as and when alarm bells sounded over the breach.

    Millions of companies have to deal with problems like this, and therefore so does every user. This is not the fault of Spotify, but the fault of whoever decided to compromise their security. If you want someone to blame, then blame those who are trying to get your details.

    Also @adam2484 it’s really not a very good idea to have the same password for a number of sites. It’s hacks like this that make it easy to get the details of those who do.

  14. First the removal of many songs and now this. You guys are over and out… sorry but this is just so crazy. I will ensure a refund for my annual payment.

  15. It is fascinating to see that so many writing comments here seem to be unable to read what actually has happened.

    As far as I am concerned, I have complete confidence in the efforts of the staff at Spotify. Now I registered later than December 20th, but still, even if I hadn’t, the risk of my password being exposed is almost zero. We are talking about hashes here, not passwords in plain text.

    Hang those who should be hanged – the people breaching the security and those who might be interested in using your personal data and passwords.

    Keep up the good work Spotify! I am happy I paid for the service, and I have had no reason to regret it yet.

  16. holder of domain **

    Detailed information about the contact

    Contact ID svafrv0703-00001
    Name Svartholm Warg Per ‘Gottfrid’
    Company –
    Organisation number [SE]841017-0537
    Address line 1 Box 1206
    Address line 2
    Address line 3 –
    Postal code 11479
    State or province –
    City Stockholm

  17. spotify is getting worse and worse. don’t you know once you lost trust you’ll hardly get it back?

    Well you lost mine.

    Instant, simple and free…. and fucking unsecure!

    Do your job before you release a product like that.

  18. @lofy: Did you even bother to read what they had to say? Some people commenting here seem to be sponsored by the competitors…

  19. As some people already said. I don’t remember when my account was created. How can I see this??

  20. jolllen – We have emailed all the users who registered before that date but if you’re still unsure then updating your password once in a while is always a good idea.

  21. This is really low risk for the users in question. Most of the complainants don’t seem to understand the issue or implications.
    Top marks to the Spotify team on their full and frank disclosure of what happened (albeit without the source of the info). Also, well done to Spotify for storing hashed rather than 2 way encrypted or plain text passwords.

  22. @fewmanchu: I did read what they were saying, did you?

    In my opinion the security standards of the protocols used by Spotify seem not to have been high enough to keep the password hashes safe.

    But anyways, it doesn’t matter _how_ someone could bruteforce passwords, the point is, it _has been_ possible.

    What would you say if this had taken place on iTunes? Would you like the fact that everyone knowing your username would be able to bruteforce your password and do everything he wants with your account for a period of two months, without you knowing it? I wouldn’t…

    Spotify told everyone, ok that’s good, but:

    – Such a breach shouldn’t happen
    – If it happens, it shouldn’t take them two months to find the problem (they haven’t even found this one on their own. What would have happened if no one had told them?)

  23. If I read the post right it seems like a really stupid mistake. A protocol should not rely on obfuscation for security. Just the user name should never be enough to retrieve all stored user info. This sounds more like a design flaw or code that should never have been written than a genuine bug.

    Now for the security aspect this isn’t very serious since the passwords were salted.

    Never trust that because you have not heard about anyone reverse engineering your protocol yet that nobody ever will. Security through obscurity is not security.

  24. @charleymot what I am saying is that it is completely unacceptable that “[Spotify] had only become aware of the attack after receiving a message from the hackers.” –

    Why aren’t Spotify running their own checks for security breaches? For a service now with over a million users, I am concerned that it takes an incident like this to alert them to the importance of regular security checks.

    I understand and appreciate that the details are not stored in plain text format and are suitably encrypted, but it concerns me greatly that simple security checks are not being done.

  25. Can someone briefly explain in Swedish what needs to be done.

    I know English passably, but this was quite a lot of info and a good deal of it I didn’t understand. I’m probably not alone in that.

    I have changed my password, is that enough???

  26. Wow. A lot of whingers. Those who are possibly affected were sent alerts. If you didn’t get one you should be in the clear. But Jesus Tap Dancing Christ go and change your password anyway. Is that hard? And enough of this ‘you should have seen the hole’. How were they to do that? Are we claiming shit never happens? Ridiculous. And childish. Spotify deserve kudos for getting to the gritty of the hole immediately. And for publishing detailed info.

  27. How can you praise Spotify for their openness?

    It’s been damage containment, hasn’t it? If Spotify hadn’t brought this to the public, the people behind this all would have done so. In that case Spotify would have been hurt much worse than now.

  28. You have my full support anyhow. This is regularity amongst major websites & companies which has a good concept. Good thing to store all the vital credentials such as credit cards on a 3rd party though.

  29. Just goes to show, some of you dickheads will whine and complain about anything. They fixed it quickly and dealt with the aftermath well, so shut the fuck up.

  30. I have another user (my mom has it) The Heck is so I can not get it they have exchanged e-mails and all that. Do you have an answer to how I can get it back?