In a security notice posted on their blog on the 4th March, Spotify announced to users that an unknown group had managed to compromise their security protocols. The breach meant that the attackers had access to information that could allow them to test a very large number of passwords, possibly finding the right one.
Spotify is an internet-based music service. Spotify are quoted as saying “Along with passwords, registration information such as your email address, birth date, gender, postal code and billing receipt details were potentially exposed. Credit card numbers are not stored by us and were not at risk. All payment data is handled by a secure 3rd party provider”.
All users with accounts created on or before December 19th 2008 have been advised to change their Spotify passwords and are strongly encouraged to change the password of any other service where they used the same one.
What this means in real terms is that a hacker (or group of hackers) managed to access a detailed description of how Spotify encode and send passwords between the browser and their server (this is referred to as their protocol). The passwords themselves are not actually stored on the server (or transferred over the internet); instead a special mathematical function is applied to the password within the browser to form a complex code that only the server can understand (this is referred to as a password hash). It is almost impossible to convert a password hash back into the password, so the passwords themselves have not been exposed, but the hackers have been able to download these hashes. This means the hackers are able to run brute force attacks, sending a very large number of possible passwords, for example starting with the letter a, then aa, ab, ac and so on, adding more and more letters and numbers and trying every combination until one opens the account. They then have access to your account, unless you have changed your password before they get the chance.
The next logical step for a hacker would be to see whether you have used the same username and password for other services, especially online banking or betting accounts. Even iTunes accounts, for example, where they could purchase songs to sell on. Once exposed, the account information itself may even be sold to criminal gangs for use in identity theft.
So what can you do to protect yourself from this kind of exposure? You can try only signing up to services that you trust to protect your information, using complex passwords (8 characters or more, combining numbers, letters and other characters where possible), not using the same password for multiple accounts, and never using words or names, which are easily discovered with dictionary attacks (even if you switch letters for numbers that look the same, for example s's for 5's).
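As an added example (not from the original post), a small password-policy check in the spirit of the advice above: it enforces the length and character-mix rules and rejects dictionary words even after undoing the look-alike substitutions the post warns about. The word list and the substitution table are constructed stand-ins for a real dictionary or breached-password list.

```python
import re

# Constructed sample word list standing in for a real dictionary / breach list.
COMMON_WORDS = {"password", "spotify", "music", "letmein", "qwerty", "welcome", "monkey"}

# Look-alike substitutions (s -> 5, o -> 0, ...) mapped back to the letters they imitate.
LEET_MAP = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})


def normalize(password: str) -> str:
    """Lower-case and undo look-alike substitutions so 'Pa55w0rd' compares as 'password'."""
    return password.lower().translate(LEET_MAP)


def character_classes(password: str) -> int:
    """Count how many of the classes lower / upper / digit / other the password mixes."""
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]"]
    return sum(1 for pattern in classes if re.search(pattern, password))


def check_password(password: str, wordlist=COMMON_WORDS) -> list:
    """Return a list of policy problems; an empty list means the password passes."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if character_classes(password) < 3:
        problems.append("fewer than 3 character classes (letters, digits, other)")
    # Compare both the whole password and its stem (trailing digits/punctuation such as
    # '!2009' removed) against the word list, after undoing the substitutions.
    stem = re.sub(r"[\W\d_]+$", "", password)
    if normalize(password) in wordlist or normalize(stem) in wordlist:
        problems.append("dictionary word (even after undoing look-alike substitutions)")
    return problems


if __name__ == "__main__":
    for candidate in ["Pa55w0rd", "Sp0tify!2009", "abc", "correct-Horse7battery"]:
        verdict = check_password(candidate) or ["ok"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```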