Spotify user details compromised in major hack

Online music service Spotify has become the latest web firm to suffer a major hack, after revealing yesterday that criminals may have accessed user registration details.

The company said in a security notice on the site that it had been "alerted to a group that managed to compromise our protocols", and could have stolen passwords, email addresses, birth dates, gender details, post codes and billing receipt information.

Credit card details are safe, according to Spotify, as payment is handled by a third party provider.

"After investigating, we concluded that this group had gained access to information that could allow rapid testing of password guesses, possibly finding the right one," read the security notice.

"The information was exposed due to a bug that we discovered and fixed on 19 December 2008. Until last week, we were unaware that anyone had had access to our protocols to exploit it."

Spotify is urging users who signed up before 19 December to change their passwords for the site, and for any other services where they have used the same passwords.

Graham Cluley, senior technology consultant at Sophos, warned in a blog post that too many people use the same password on every web site they access.

"That's the real story here," he said. "If just one web site has a security blunder, all of your online information may be at risk."