Spotify, lately the most credible free online music service, has issued a warning to its customers in a stern and detailed "security notice" posted on its website.
Spotify reveals that a team of hackers could have used a vulnerability to compromise the Spotify protocols which are used to stream music to subscribers.
In a nutshell, the criminals have had access to the password hashes: the bug would have allowed outsiders to retrieve individual users' hashes, which could then be reverse-engineered (cracked) to recover the passwords.
They were keen to stress that no one had had access to the protocols to exploit the bug until last week, but said that "Along with passwords, registration information such as your email address, birth date, gender, postal code and billing receipt details were potentially exposed".
Credit card details, which are used to buy the premium Spotify package, are handled by a third-party company that was not involved in the incident. Spotify urges users who created an account on or before the 19th of December 2008 to change their password, and to do the same on any other services where they use the same one.
The hashes, the post adds, "are salted, making attacks using rainbow tables unfeasible. Short or otherwise bad passwords could still be vulnerable to offline targeted brute-force or dictionary attacks on individual users, but you could not run attacks in parallel." In layman's terms, each hash includes a random piece of data (the salt), so a precomputed rainbow table is useless and any dictionary attack has to be repeated separately for each user, which makes such attacks even more difficult.
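To make the salting point concrete, here is an added toy example (not from Spotify or its notice; the hash function SHA-256, the sample users and the short word list are all assumptions) that counts how much hashing work a word-list check needs against unsalted versus per-user salted hashes.

```python
import hashlib
import os

# Constructed sample data: four users, two of them sharing the same weak password.
USERS = {"alice": "password1", "bob": "letmein",
         "carol": "password1", "dave": "Tr0ub4dor&3x!"}
# Constructed word list standing in for a precomputed (rainbow) table.
WORDLIST = ["123456", "password1", "letmein", "qwerty"]


def unsalted_store(users):
    """Hash the bare password (SHA-256 assumed): equal passwords give equal hashes."""
    return {u: hashlib.sha256(p.encode()).hexdigest() for u, p in users.items()}


def salted_store(users):
    """Store a fresh random salt per user and hash salt || password."""
    store = {}
    for u, p in users.items():
        salt = os.urandom(16)
        store[u] = (salt, hashlib.sha256(salt + p.encode()).hexdigest())
    return store


def work_unsalted(store, wordlist):
    """Rainbow-table situation: one table, built once, is reused for every user.
    Returns (users whose password was in the list, number of hash computations)."""
    table = {hashlib.sha256(w.encode()).hexdigest(): w for w in wordlist}
    found = {u: table[h] for u, h in store.items() if h in table}
    return found, len(wordlist)


def work_salted(store, wordlist):
    """Salted situation: no table can be shared, so each user costs a separate
    pass over the word list (the "cannot run attacks in parallel" effect)."""
    found, hashes = {}, 0
    for u, (salt, h) in store.items():
        for w in wordlist:
            hashes += 1
            if hashlib.sha256(salt + w.encode()).hexdigest() == h:
                found[u] = w
                break
    return found, hashes


if __name__ == "__main__":
    plain, salted = unsalted_store(USERS), salted_store(USERS)
    print("alice == carol (unsalted):", plain["alice"] == plain["carol"])          # True
    print("alice == carol (salted):  ", salted["alice"][1] == salted["carol"][1])  # False
    print("unsalted:", work_unsalted(plain, WORDLIST))   # 3 users found, 4 hashes
    print("salted:  ", work_salted(salted, WORDLIST))    # 3 users found, 11 hashes
```

A salt alone does not rescue a short or common password, which is why the notice still tells affected users to change theirs; only a deliberately slow password hash raises the cost of each individual guess.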
Most importantly though, the complete user database has not been leaked, according to the company, although it was possible for the criminals to match passwords with usernames.
Spotify had recently reached the one-million-user milestone and managed to sign up big names like T-Mobile, Vodafone and Nissan. The company and its investors will surely be worried about the potential PR disaster that could be brewing over the next few days.