Spotify said it has reset an undisclosed number of user passwords after blaming a software vulnerability in its systems for exposing private account information to its business partners.
The company filed a breach notice with the California Attorney General.
“We deeply regret to inform you that your Spotify account registration information was inadvertently exposed to certain of Spotify’s business partners. Firstly, we want to apologize that there has been an incident,” reads the breach notice.
“On Thursday, November 12th, Spotify discovered a vulnerability in our system that inadvertently exposed your Spotify account registration information, which may have included an email address, your preferred display name, password, gender, and date of birth only to certain business partners of Spotify.”
According to the notice, the data was exposed by a vulnerability in Spotify's system that had existed since April 9, 2020 but was not discovered until November 12, 2020. Spotify says it then took appropriate and immediate action to correct it.
But like most data breach notices, Spotify's did not say what the vulnerability was or how user account data became exposed.
“We have conducted an internal investigation and have contacted all of our business partners that may have had access to your account information to ensure that any personal information that may have been inadvertently disclosed to them has been deleted,” the letter read.
Spotify spokesperson Adam Grossberg confirmed that a “small subset” of Spotify users are affected, but did not provide a specific figure. Spotify has more than 320 million users and 144 million subscribers.
This is the second security incident reported for the platform recently. Last month, Spotify reset passwords for some accounts after security researchers found an unsecured database that allegedly contained approximately 300,000 stolen user passwords, TechCrunch reported.
The database was likely used to launch credential stuffing attacks, in which lists of stolen username and password pairs are tried against other websites in the hope that users reused the same password.
Though the exposed data did not stem from an incident at Spotify's own systems, the company reset the passwords for the affected user accounts, according to the report.