Popular online music service Spotify has warned of a security breach that may have exposed user passwords and other sensitive data.

A notice - posted on Wednesday - explains that a bug in Spotify's protocols that was recognised and resolved in December was more serious than first suspected. Last week Spotify learned that a group of hackers had managed to compromise its protocols as a result of this (now resolved) vulnerability.

This, in turn, meant that password hashes of individual users was exposed, though not in an easy to decrypt form. Even so if particular users had used weak passwords then the breach meant these password could be extracted using a brute-force attack, Spotify explains.

The hashes are salted, making attacks using rainbow tables unfeasible. Short or otherwise bad passwords could still be vulnerable to offline targeted brute-force or dictionary attacks on individual users, but you could not run attacks in parallel. Also, there has been no known breach of our internal systems. A complete user database has not been leaked, but until 19 December, 2008 it was possible to access the password hashes of individual users had you reverse-engineered the Spotify protocol and knew the username.

Although credit card details were not exposed a lot of sensitive information was, Spotify adds.

Along with passwords, registration information such as your email address, birth date, gender, postal code and billing receipt details were potentially exposed. Credit card numbers are not stored by us and were not at risk. All payment data is handled by a secure third party provider.

The common habit of using the same password and username combo on many sites means the effects of the breach extend beyond Spotify. The site advises users to change their password across the board, where accounts were registered prior to 19 December and the same password was used on multiple sites. ®

Related stories

• Spotify splattered with malware-tainted ads (25 March 2011)

  https://www.theregister.com/2011/03/25/spotify_malvertisement_attack/

• Microsoft apes Spotify with ad-stuffed tune streaming (15 July 2009)

  https://www.theregister.com/2009/07/15/microsoft_does_a_spotify/

• The Great Spotify Mystery (18 May 2009)

  https://www.theregister.com/2009/05/18/spotify/

• Last.fm goes payware (25 March 2009)

  https://www.theregister.com/2009/03/25/lastfm_paywall/

• Nature security breach prompts password reset (12 March 2009)

  https://www.theregister.com/2009/03/12/nature_password_breach/

• Fraud linked to US payment processor breach (25 February 2009)

  https://www.theregister.com/2009/02/25/payment_processor_breach/

• US feds pull travel site offline after hacker break-in (19 February 2009)

  https://www.theregister.com/2009/02/19/govtrip_remains_down/

• ISP music for 'older than iPod gen' users (16 February 2009)

  https://www.theregister.com/2009/02/16/sky_omnifone/

• Kaspersky breach: No user info lifted, auditor confirms (13 February 2009)

  https://www.theregister.com/2009/02/13/kaspersky_auditor_report/

• Spotify: We kick the tyres (12 February 2009)

  https://www.theregister.com/2009/02/12/spotify_review/

• Saving ISPs and the music biz: Is it even worth it? (28 January 2009)

  https://www.theregister.com/2009/01/28/isps_music_business/

• Monster.com suffers database breach deja vu (24 January 2009)

  https://www.theregister.com/2009/01/24/latest_monster_security_breach/

• US credit card payment house breached by sniffing malware (20 January 2009)

  https://www.theregister.com/2009/01/20/heartland_payment_breach/