spotify alert

Old 04-03-2009, 6:57 PM   #1

Has anyone else had an email alert about a possible account compromise?

Dear Spotify user,

Last week we were alerted to a group that managed to compromise
our protocols. After investigating we concluded that this group
had gained access to information that could allow testing of a
very large number of passwords, possibly finding the right one.
The information was exposed due to a bug that we discovered and
fixed on December 19th, 2008. Until last week we were unaware
that anyone had had access to our protocols to exploit it.

Along with passwords, registration information such as your email
address, birth date, gender, postal code and billing receipt
details were potentially exposed. Credit card numbers are not
stored by us and were not at risk. All payment data is handled
by a secure 3rd party provider.

If you have an account that was created on or before December 19th 2008,
we strongly suggest that you change your password and strongly
encourage you to change your passwords for any other services
where you use the same password.

When choosing your password we provide you with an indicator of
the password strength to help you choose a good one. To change
your password please visit your profile page on our website.

************************
LINK DELETED JUST IN CASE
************************
For the technically minded amongst you, the information that may
have been exposed when our protocols were compromised is the
password hashes. As stated, we never store passwords, and they
have never been sent over the Internet unencrypted, but the
combination of the bug and the group's reverse-engineering of
our encrypted streaming protocol may have given outsiders access
to individual hashes.

The hashes are salted, making attacks using rainbow tables unfeasible.
Short or otherwise bad passwords could still be vulnerable to
offline targeted brute-force or dictionary attacks on individual
users, but you could not run attacks in parallel. Also, there
has been no known breach of our internal systems. A complete user
database has not been leaked, but until December 19th, 2008 it was
possible to access the password hashes of individual users had
you reverse-engineered the Spotify protocol and knew the
username.

We are really sorry about this and hope you accept our apologies.
We're doubling our efforts to keep the systems secure in order
to prevent anything like this from happening again.

Regards,
The Spotify Team

OR IS THIS A SCAM
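
What the salting paragraph of the quoted email means for stored hashes, as an added example that is not part of the original post or of Spotify's notice. The hash construction (SHA-256 over salt plus password), the account names and the word list are assumptions constructed for illustration; the email does not say which scheme Spotify used.

```python
import hashlib
import os

# Constructed sample data: a tiny list of known-weak passwords.
WORDLIST = ["123456", "password", "letmein", "spotify"]

def hash_password(password, salt):
    # Assumption: salted SHA-256. The email does not name the real scheme.
    return hashlib.sha256(salt + password.encode()).hexdigest()

def build_unsalted_table(wordlist):
    # Stand-in for a rainbow table: hashes precomputed once, without a salt.
    return {hashlib.sha256(w.encode()).hexdigest(): w for w in wordlist}

def make_accounts():
    # Constructed accounts: two users share a weak password, one is strong.
    accounts = {}
    for user, pw in [("alice", "letmein"), ("bob", "letmein"),
                     ("carol", "T7#qv-Lr2!mZ")]:
        salt = os.urandom(16)          # unique random salt per user
        accounts[user] = (salt, hash_password(pw, salt))
    return accounts

def audit(accounts, wordlist):
    """Weak-password audit. Returns ({user: password found}, hashes computed)."""
    found, work = {}, 0
    for user, (salt, digest) in accounts.items():
        # The salt differs per user, so every guess is re-hashed per user:
        # work done against one account does not carry over to the next.
        for guess in wordlist:
            work += 1
            if hash_password(guess, salt) == digest:
                found[user] = guess
                break
    return found, work

if __name__ == "__main__":
    accounts = make_accounts()
    table = build_unsalted_table(WORDLIST)
    hits = [u for u, (_, d) in accounts.items() if d in table]
    print("precomputed-table hits:", hits)
    print("per-user audit:", audit(accounts, WORDLIST))
```

The precomputed table matches nothing, and alice and bob get different hashes for the same password, yet the weak password is still found once the guesses are hashed with each user's own salt. This is why the email tells users with short or reused passwords to change them.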

Old 04-03-2009, 7:06 PM   #2
sunnybacon

I was just about to post this as well, I just got the email.
I keep trying the Spotify website but it seems to be down.
Not sure what to do now, should I keep trying to change my password or not

Old 04-03-2009, 7:48 PM   #3
Iccz

Any chance of a from email address?

I didn't get one.

Old 04-03-2009, 8:29 PM   #4
sunnybacon

It was something like spotify@spotify.com
However I know emails can be faked with websites like Free Fake Email - Send Fake Mail Pranks Anonymously for Free (great for pranks)
I can't see the harm in changing my password though, so I'm gonna do it just to be safe.

Old 04-03-2009, 8:45 PM   #5

No email address on mine, just spotify and subject spotify security notice

Old 04-03-2009, 8:45 PM   #6
Iccz

Quote:
Originally Posted by sunnybacon
It was something like spotify@spotify.com
However I know emails can be faked with websites like Free Fake Email - Send Fake Mail Pranks Anonymously for Free (great for pranks)
I can't see the harm in changing my password though, so I'm gonna do it just to be safe.

Yeah no harm in a password change, strange I never got one though.
If the link is to their site, or if you just log in normally and change it there, then you'll be fine.

However fakesend isn't clean when it sends.
If it was from there and you have a proper look into the email and headers etc you'd see:
Quote:
smtp.mail=spotify@spotify.com Received: from localhost ([127.0.0.1] helo=fakesend.com)
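
The header check described in the post above, as an added example that is not part of the original post. Both sample messages are constructed (the spoofed one reuses the header fragment quoted in the post; `mx.example.net`, `mail.spotify.com` and the IP address are placeholders), and a mismatch is only a heuristic signal, since legitimate mail can also pass through third-party relays.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: built around the header fragment quoted in the post.
SPOOFED = """\
Received: from localhost ([127.0.0.1] helo=fakesend.com)
\tby mx.example.net with esmtp; Wed, 04 Mar 2009 18:50:00 +0000
Authentication-Results: mx.example.net; smtp.mail=spotify@spotify.com
From: Spotify <spotify@spotify.com>
Subject: Spotify security notice

body
"""

# Constructed sample: a relay that announces a host under the sender's domain.
GENUINE = """\
Received: from mail.spotify.com ([192.0.2.10] helo=mail.spotify.com)
\tby mx.example.net with esmtp; Wed, 04 Mar 2009 18:50:00 +0000
From: Spotify <spotify@spotify.com>
Subject: Spotify security notice

body
"""

def from_domain(msg):
    # Domain part of the visible From: address, which the sender can set freely.
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()

def relay_names(msg):
    """Host names announced in each Received: hop ('from <host>', 'helo=<host>')."""
    names = []
    for hop in msg.get_all("Received", []):
        names += re.findall(r"\bfrom\s+([\w.-]+)", hop)
        names += re.findall(r"\bhelo=([\w.-]+)", hop, re.I)
    return [n.lower().rstrip(".") for n in names]

def suspicious_relays(raw):
    """Relay names that do not belong to the domain shown in From:."""
    msg = message_from_string(raw)
    domain = from_domain(msg)
    return [n for n in relay_names(msg)
            if n != domain and not n.endswith("." + domain)]

if __name__ == "__main__":
    print("spoofed:", suspicious_relays(SPOOFED))
    print("genuine:", suspicious_relays(GENUINE))
```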

Old 05-03-2009, 10:08 AM   #7
timothyw

Just noticed this thread, it was a genuine email, you can read about it on the spotify blog which is now up here:
Spotify

Old 05-03-2009, 11:56 AM   #8
plazmoid

Also reported on the BBC.