
Rory Cellan-Jones

Spotify's security bloomer

  • Rory Cellan-Jones
  • 5 Mar 09, 09:05 GMT

Well now we know that the streaming music service Spotify is a grown-up web company - it's just had its first security disaster. Last night I was among those subscribers who got a rather worrying email. It warned that a group had managed to "compromise our protocols" and had gained access to information. In other words, hackers had found a back door open to Spotify and had got their sticky fingers all over its filing system.

(Picture: Rory Cellan-Jones at Spotify offices)

The data at risk included our passwords, plus "your email address, birth date, gender, postal code and billing receipt details." Fortunately, credit card details are not stored by Spotify, so they were not at risk. But the company strongly advised its users to change their passwords for Spotify - and for anything else where they use the same password. For some people, who can never think of anything other than their dog's name when signing up to a new web service, that is going to mean a lot of work.

By coincidence, I was involved yesterday afternoon in a long discussion about Spotify on Radio 5 Live's Simon Mayo show, which included Daniel Ek, the company's founder, on the line from Stockholm. Amongst other things, we learned that Bono hadn't heard of Spotify - where U2's new album was previewed - until told about it by Simon on last Friday's show, and that Daniel Ek still buys vinyl from time to time because it offers better quality than his online music.

What Mr Ek never breathed a word about was the security breach - but I notice that the blog post about the issue went up on the Spotify site at 16.31 on Wednesday, just half an hour after we came off air. Surely Daniel Ek knew about the issue before he went on 5 Live - and could have taken the opportunity to reassure subscribers?

Late on Wednesday, Spotify put up a blog post in which it says only a small number of people could actually be at risk of having their passwords stolen. While some subscribers praised the company for its openness, others were not impressed, like this one: "Your server's been overloaded when you could have given that detail and calmed everyone down. Very not clever."

Spotify will survive this crisis - and hopefully learn from it - because it is already proving a hugely useful service to more than a million music lovers. But, remember, most of its users are getting their music for free on the ad-supported service. Despite the reassurance that no credit card details were at risk, this is going to make it all the harder for Spotify to persuade people to upgrade to the premium service - and start making serious money. And that really would be "very not clever."

Comments

  • Comment number 1.

    Dog's name? 60+ and counting. If anyone out there can really truly provide a safe password service for grandma at no cost (OK - 10p) they will clean up.

  • Comment number 2.

    @Travelling1: OpenID, and at no cost, we just need to push for universal adoption.

  • Comment number 3.

    Far more worrying is that most people use the same password for everything. That includes banking, work, email, so they now have that too.

  • Comment number 4.

    I have to agree with the earlier commenter.

    The danger is that so many people use precisely the same password for every website that they access.

    The hackers only have to grab your email address and password in one place, and then they can raid your eBay, PayPal, Amazon etc accounts as well as break into your Gmail/Hotmail/Yahoo email.

    Too many websites are being sloppy about the protection of their users' credentials. More has to be done to protect individuals, and it's essential that the public learns the importance of proper password security.

  • Comment number 5.

    The old login ID and password is hardly secure these days. Many people have accidentally downloaded trojan software that logs keystrokes and can pass on such details without their knowledge.

    Blizzard recognised this as happening to people's World of Warcraft accounts and launched a cheap extra security device - a random number generator, tied to your account. Without the device, it's impossible to log in to your account.

    Some banks and private businesses use similar technology, so there are ways of having more secure logins. The trouble is, there's a cost to doing this and most organisations don't want that eating into their profit margins.
