Spotify said it has reset an undisclosed number of user passwords after blaming a vulnerability in its systems for exposing private account information to its business partners.
In a data breach notification filed with the California attorney general’s office, the music streaming giant said the data exposed “may have included email address, your preferred display name, password, gender, and date of birth only to certain business partners of Spotify.” The company did not name the business partners, but added that Spotify “did not make this information publicly accessible.”
Spotify said the vulnerability existed as far back as April 9 but wasn’t discovered until November 12. But as with most data breach notices, Spotify did not say what the vulnerability was or how user account data became exposed.
“We have conducted an internal investigation and have contacted all of our business partners that may have had access to your account information to ensure that any personal information that may have been inadvertently disclosed to them has been deleted,” the letter read.
Spotify also said that the company has “no reason to believe that any unauthorized use of your information has or will occur,” suggesting the incident is different from a separate incident involving Spotify user passwords disclosed last month, which prompted Spotify to also reset user passwords.
Security researchers found an unsecured database, likely operated by hackers, allegedly containing around 300,000 stolen user passwords. The database was probably used to launch credential stuffing attacks, in which lists of stolen passwords are tried against other websites where users have reused the same password.
A spokesperson for Spotify did not immediately respond to questions about the incident. We’ll update if we hear back.