Spotify said it reset an unknown number of user passwords after a vulnerability in its systems was blamed for disclosing personal account information to its business partners.
In a privacy breach notice filed with the California attorney general, the music streaming giant said the information, disclosed only to certain Spotify business partners, may have included users' email address, preferred display name, password, gender and date of birth. The company did not name the business partners, but added that Spotify "did not make this information publicly available."
According to Spotify, the vulnerability existed on April 9, but was not discovered until November 12. However, as with most data breach notifications, Spotify did not disclose what the vulnerability was or how user account information was disclosed.
"We conducted an internal investigation and contacted all of our business partners who may have had access to your account information to ensure that any personal information that may have been accidentally shared with them has been deleted," the letter said.
Spotify also said the company "has no reason to believe that any unauthorized use of your information has occurred or will take place," suggesting the incident is different from a separate Spotify user password incident last month, which also caused Spotify to reset user passwords.
Security researchers found an unsecured database, believed to be operated by hackers, that allegedly contains around 300,000 stolen user passwords. The database was likely used to launch credential stuffing attacks, in which lists of stolen passwords are tried against different websites where users have reused the same password.
A Spotify spokesperson did not immediately respond to questions about the incident. We will update when we hear something.