Without going into further details, Spotify has announced that it has reset a number of user passwords after discovering a potentially worrying software vulnerability. Indeed, the Swedish giant discovered that certain partner companies could easily access the personal data of certain users. In a letter addressed to the office of the Attorney General of California, Spotify explains that the identity, sex, date of birth, or even the password of these users were accessible.
An internal investigation has been opened.
The streaming platform had the good sense to react very quickly, immediately emailing the potentially affected users to inform them of the situation and that their password had been reset. However, it is important to clarify that this vulnerability dates back to April 9 and was not closed until November 12. Spotify is still very evasive about this event: we do not know precisely how many users are affected, nor which partner companies are concerned. The Stockholm-based company has, however, contacted all of its partners asking them to delete any personal data in their possession. At the same time, an internal investigation has just been opened to try to find out more.
Spotify is going through a complicated period, especially with regard to the management of its user data. At the end of November, a company specializing in cybersecurity came across a completely open-access server which contained more than 300 million pieces of personal data belonging to users of the music platform. Since Spotify's headquarters are in Europe, this can most certainly fall within the scope of the GDPR, so the European Commission is likely to sanction Spotify very severely.
In France, the Carrefour group was recently singled out by the CNIL for numerous violations, many of which relate to the GDPR. Carrefour had to pay a fine of 3 million euros and invest to bring the situation into compliance.