March 05, 2009, 8:12 AM — Spotify, an online music service still in beta, posted a blog entry revealing that they'd discovered a flaw in their security routines: "After investigating we concluded that this group had gained access to information that could allow rapid testing of password guesses, possibly finding the right one."
While it doesn't sound like a wholesale breach, and Spotify assures its users that they don't store credit card data, they do say "Along with passwords, registration information such as your email address, birth date, gender, postal code and billing receipt details were potentially exposed."
An 'updated' post, also from March 4th, states:
To clarify, your password is at risk only if all of the following apply:
- You had a Spotify account before December 19th, 2008
- You have not changed your password since December 19th, 2008
- You have a weak password
- Someone from a small group of people asked our servers specifically to see your account details before that date
- Someone from the same small group decided to put computation time towards guessing your password
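The risk the post describes is that leaked account data lets an attacker test password guesses offline, which is why only users with weak passwords are considered exposed. The following Python block is an added example, not code from Spotify or from this post, and it does not reflect how Spotify actually stored passwords (that was never published). It contrasts a fast unsalted hash with a salted, deliberately slow key-derivation function (PBKDF2-HMAC-SHA256 with an assumed work factor) and measures how much the slow scheme reduces the rate at which guesses can be checked:

```python
"""Added example: why "rapid testing of password guesses" is the danger when
stored credential data leaks, and how a slow, salted KDF limits that rate.

Both storage schemes below are illustrative assumptions; the iteration count
is a constructed, plausible work factor and not a recommendation for any
specific deployment.
"""
import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 100_000  # assumed work factor for the slow scheme


def store_fast(password: str) -> bytes:
    """Unsalted single SHA-1 digest: cheap to compute, so cheap to guess against."""
    return hashlib.sha1(password.encode("utf-8")).digest()


def store_slow(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-HMAC-SHA256: every guess costs PBKDF2_ITERATIONS hashes.

    Returns (salt, derived_key); a fresh random salt is drawn when none is given,
    so identical passwords do not produce identical stored values.
    """
    salt = salt or os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, key


def verify_slow(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute the derived key and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(candidate, stored)


def guesses_per_second(hash_fn, window: float = 0.25) -> float:
    """Count how many constructed candidate strings hash_fn evaluates per second."""
    count = 0
    deadline = time.perf_counter() + window
    start = time.perf_counter()
    while time.perf_counter() < deadline:
        hash_fn("guess%d" % count)  # constructed candidate, not a real wordlist
        count += 1
    elapsed = time.perf_counter() - start
    return count / elapsed


def slowdown_factor() -> float:
    """Ratio of fast-hash to slow-KDF guess throughput; larger means the KDF
    buys more time for users to rotate passwords after a leak."""
    salt = os.urandom(16)
    fast_rate = guesses_per_second(store_fast)
    slow_rate = guesses_per_second(lambda p: store_slow(p, salt)[1])
    return fast_rate / slow_rate


def seconds_to_exhaust(keyspace: int, rate: float) -> float:
    """Time needed to try every candidate in a keyspace at the measured rate.

    A weak password lives in a small keyspace; the storage scheme decides how
    many seconds (or years) that keyspace takes to cover.
    """
    return keyspace / rate


if __name__ == "__main__":
    factor = slowdown_factor()
    print("slow KDF reduces guess rate by a factor of about %.0f" % factor)
    # Example keyspace: all 6-character lowercase passwords (26**6 candidates).
    weak_space = 26 ** 6
    print("6 lowercase chars, fast hash: %.1f s" %
          seconds_to_exhaust(weak_space, guesses_per_second(store_fast)))
```

Run it directly to see the measured ratio on your own machine; the exact numbers vary, but the fast scheme is always orders of magnitude cheaper to guess against, which is the gap a password-rotation notice is meant to close before the guessing finishes.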
The bug that allowed the breach was fixed on December 19th, 2008, so one wonders why the blog entry announcing the issue wasn't posted until March 4th, 2009. Perhaps because that's when The Guardian ran an article about the issue, "Hackers break in to Spotify"?
It is always bad news when a company has to report that personal data has been compromised. But waiting months to announce the issue (and then apparently only doing so because another site 'outed' you)? That's just going to create bad blood with your users.