If you’re a regular Spotify user, you might remember having to reset your password back in July. The reason: a massive breach of login credentials, discovered on a third-party server by a security research firm. Spotify says it performed a “rolling reset” of accounts in order to protect users.
The leak was discovered by vpnMentor and disclosed publicly yesterday, after being reported to Spotify itself back in July. The service reset an unknown number of passwords in order to protect affected users, and most of those resets will have been completed by now. The researchers said they discovered a 72-gigabyte cache of unencrypted information, which included approximately 300,000 email addresses, login IDs, and passwords for Spotify users.
The data was on a third-party server, not in Spotify’s possession at the time, and almost certainly obtained illegally. It’s a big leak, but it covers a relatively tiny fraction of Spotify’s hundreds of millions of worldwide users. Note that if your password was reset, that only protects your Spotify account. If you’ve used the same login and password on other sites (you’re not still doing that, are you?), that data might still be out in the wild.