
Spotify hacked >> change your password


plun


Change your password as soon as possible

Dear Spotify user,

Last week we were alerted to a group that managed to compromise our protocols. After investigating we concluded that this group had gained access to information that could allow testing of a very large number of passwords, possibly finding the right one. The information was exposed due to a bug that we discovered and fixed on December 19th, 2008. Until last week we were unaware that anyone had had access to our protocols to exploit it.

Along with passwords, registration information such as your email address, birth date, gender, postal code and billing receipt details were potentially exposed. Credit card numbers are not stored by us and were not at risk. All payment data is handled by a secure 3rd party provider.

If you have an account that was created on or before December 19th 2008, we strongly suggest that you change your password and strongly encourage you to change your passwords for any other services where you use the same password.

When choosing your password we provide you with an indicator of the password strength to help you choose a good one. To change your password please visit your profile page on our website.

https://www.spotify.com/en/account/profile/

For the technically minded amongst you, the information that may have been exposed when our protocols were compromised is the password hashes. As stated, we never store passwords, and they have never been sent over the Internet unencrypted, but the combination of the bug and the group's reverse-engineering of our encrypted streaming protocol may have given outsiders access to individual hashes.

The hashes are salted, making attacks using rainbow tables unfeasible. Short or otherwise bad passwords could still be vulnerable to offline targeted brute-force or dictionary attacks on individual users, but you could not run attacks in parallel. Also, there has been no known breach of our internal systems. A complete user database has not been leaked, but until December 19th, 2008 it was possible to access the password hashes of individual users had you reverse-engineered the Spotify protocol and knew the username.

We are really sorry about this and hope you accept our apologies. We're doubling our efforts to keep the systems secure in order to prevent anything like this from happening again.

Regards,

The Spotify Team


Good quote with lots of info, but it's not exactly like I care about my free account on Spotify. I guess it's a bit worse when they take things like CSN accounts and such.

Well, you're "babbling on" as usual, and the challenge is that many people use the same password in several places....

So many people have to change several passwords.... B)


But I have neither the same password nor the same username on CSN as on Spotify. They can brute-force my password as much as they want, I don't care ;) Worse for others who might use the same password and the same username for everything :/


A comment from despotify's source code that explains it in a bit more detail:

/*
 * Prepare a message to authenticate.
 *
 * Prior to the 19th of December 2008 Spotify happily told clients
 * (including ours!) almost everything it knew about a particular
 * user, if they asked for it.
 *
 * Legitimate requests for this is for example when you add
 * someone else's shared playlist.
 *
 * This allowed clients to see not only the last four digits of the
 * credit card used to subscribe to the premium service, whether
 * the user was a paying customer or preferred commercials, but
 * also very interesting stuff such as the hash computed from
 * SHA(salt || " " || password).
 *
 * In theory (HE HE!) this allowed any registered user to request
 * somebody else's user data, get ahold of the hash, and then use
 * it to authenticate as that user.
 *
 * Fortunately, at least for Spotify and its users, this is not
 * the case anymore. (R.I.P poor misfeature)
 *
 * However, we urge people to change their passwords for reasons
 * left as an exercise for the reader to figure out.
 *
 */
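
The salting claim in the e-mail and the SHA(salt || " " || password) construction named in the despotify comment, as an added example that is not part of the thread and is neither Spotify's nor despotify's code. It shows a defender-side denylist audit whose cost grows per user because of the salt, next to a slow replacement hash. SHA-1, UTF-8 encoding, the sample accounts and all function names are assumptions.

```python
import hashlib
import hmac

def legacy_hash(salt: bytes, password: str) -> bytes:
    """SHA(salt || " " || password), the construction in the quoted comment.
    Assumption: "SHA" means SHA-1 and the password is UTF-8 encoded."""
    return hashlib.sha1(salt + b" " + password.encode("utf-8")).digest()

def audit_accounts(records, denylist):
    """Flag accounts whose stored hash matches a denylisted password.

    records holds (user, salt, stored_hash). Each user has a different salt,
    so every candidate must be re-hashed per user and no precomputed
    (rainbow) table can be reused. Returns (weak_users, hashes_computed)."""
    weak, computed = {}, 0
    for user, salt, stored in records:
        for candidate in denylist:
            computed += 1
            if hmac.compare_digest(legacy_hash(salt, candidate), stored):
                weak[user] = candidate  # this account needs a forced reset
                break
    return weak, computed

def hardened_hash(salt: bytes, password: str, iterations: int = 600_000) -> bytes:
    """Slow replacement: PBKDF2-HMAC-SHA256 multiplies the cost of each
    guess by `iterations`, which a single salted SHA pass does not."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

def hardened_verify(salt: bytes, stored: bytes, password: str) -> bool:
    """Constant-time comparison of the recomputed hash with the stored one."""
    return hmac.compare_digest(hardened_hash(salt, password), stored)

def make_records(users):
    """Build (user, salt, hash) records from constructed plaintext samples."""
    return [(u, s, legacy_hash(s, p)) for u, s, p in users]

# Constructed sample data, not real accounts. Real salts come from os.urandom.
SAMPLE = make_records([
    ("alice", bytes.fromhex("a1" * 10), "spotify"),
    ("bob", bytes.fromhex("b2" * 10), "spotify"),
    ("carol", bytes.fromhex("c3" * 10), "k7#Vq9!zLm2@xT"),
])
DENYLIST = ["123456", "password", "spotify"]

if __name__ == "__main__":
    print(audit_accounts(SAMPLE, DENYLIST))
```

alice and bob share a password yet store different hashes, and the audit needs 9 hash computations for 3 users and 3 candidates; a weak password is still found with one cheap SHA per guess, which is the gap the e-mail concedes and the slow hash narrows.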
