A comment from despotify's source code that explains it in a bit more detail:
/*
* Prepare a message to authenticate.
*
* Prior to the 19th of December 2008 Spotify happily told clients
* (including ours!) almost everything it knew about a particular
* user, if they asked for it.
*
* Legitimate requests for this is for example when you add
* someone else's shared playlist.
*
* This allowed clients to see not only the last four digits of the
* credit card used to subscribe to the premium service, whether
* the user was a paying customer or preferred commercials, but
* also very interesting stuff such as the hash computed from
* SHA(salt || " " || password).
*
* In theory (HE HE!) this allowed any registered user to request
* somebody else's user data, get ahold of the hash, and then use
* it to authenticate as that user.
*
* Fortunately, at least for Spotify and its users, this is not
* the case anymore. (R.I.P poor misfeature)
*
* However, we urge people to change their passwords for reasons
* left as an exercise for the reader to figure out.
*
*/
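
Why a hash of the form SHA(salt || " " || password) has to be treated as a credential in its own right, shown as an added example that is not despotify's code and not Spotify's actual protocol. The challenge-response scheme, the choice of SHA-1 for "SHA", and all function names and sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import os


def stored_hash(salt: bytes, password: str) -> bytes:
    # Construction named in the comment: SHA(salt || " " || password).
    # SHA-1 is an assumption; the comment only says "SHA".
    return hashlib.sha1(salt + b" " + password.encode()).digest()


def client_response(auth_hash: bytes, challenge: bytes) -> bytes:
    # Hypothetical client step: the proof is keyed by the hash,
    # so the password itself is never needed at this point.
    return hmac.new(auth_hash, challenge, hashlib.sha256).digest()


def server_verify(db_hash: bytes, challenge: bytes, response: bytes) -> bool:
    # Hypothetical server step: recompute from the stored hash and compare
    # in constant time.
    expected = client_response(db_hash, challenge)
    return hmac.compare_digest(expected, response)


def demo():
    salt = b"constructed-salt"            # constructed sample value
    db = stored_hash(salt, "old-password")  # what the server keeps
    challenge = os.urandom(16)

    # 1. Owner logs in: hash derived from the real password.
    owner = server_verify(
        db, challenge, client_response(stored_hash(salt, "old-password"), challenge))
    # 2. Anyone holding only the disclosed hash passes the same check.
    disclosed = db
    hash_only = server_verify(db, challenge, client_response(disclosed, challenge))
    # 3. A wrong password guess fails, so the hash is what matters.
    wrong = server_verify(
        db, challenge, client_response(stored_hash(salt, "guess"), challenge))
    # 4. After a password change the stored hash differs and the
    #    previously disclosed hash no longer verifies.
    db_new = stored_hash(os.urandom(16), "new-password")
    after_change = server_verify(
        db_new, challenge, client_response(disclosed, challenge))
    return owner, hash_only, wrong, after_change


if __name__ == "__main__":
    print(demo())
```

In this model the server-side fix is to stop disclosing the hash, and a hash disclosed earlier stays valid until the password behind it changes.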