Spotify forces more password resets after plugging a security hole

The bug had shared user information with the company's partners.

If you use Spotify, you’ll want to keep an eye on your email inbox to see if you get a message prompting you to change your login credentials. The company told TechCrunch it recently reset the passwords of a small subset of its users after a software oversight exposed private account information to some of its business partners.

In a filing with California’s attorney general’s office, Spotify said a person’s email address, display name, password, gender and date of birth may have been exposed as a result of the vulnerability. Spotify didn’t say which companies may have seen the information, but it does note that it got in touch with them to ask them to delete the data as soon as possible. The company discovered the vulnerability on November 12th, 2020, but suspects it had existed since April 9th, 2020.

“A very small subset of Spotify users were impacted by a software bug, which has now been fixed and addressed. Protecting our users’ privacy and maintaining their trust are top priorities at Spotify,” a spokesperson for the company told Engadget. “To address this issue, we issued a password reset to impacted users. We take these obligations extremely seriously.”

Spotify hasn’t found any evidence to suggest there’s been unauthorized use of anyone’s personal information. The company was also quick to note this exposure isn’t related to the one that happened last month. If you get a message from the company and you reused your previous Spotify password anywhere else, it recommends you go to those websites and change your password as soon as possible.