druidsys.com

Spotify has been attacked through a security vulnerability in the service. The vulnerability was discovered on December 19th, 2008. Now Spotify's technicans believe that the flaw is more critical than first feared and they found that the vulnerability has been used by a group of hackers. Passwords of user accounts created before December 19th might be in the wrong hands.

Apart from passwords and usernames other information might have been extracted from the database, such as e-mail addresses, birthdates and addresses. Due to this incident Spotify encourages all users to change username and password. Credit card numbers are not affected by this breach because they are not stored in Spotify's databases.

Even though this breach is a risk the probability that your password is cracked is minimal. The passwords are hashed using salted algorithms, which, if not badly implemented, will take a considerable amout of time to crack.

Change password if...

...You had a Spotify account before December 19th, 2008
...You have not changed your password since December 19th, 2008
...You have a weak password
...Someone from a small group of people asked our servers specifically to see your account details before that date
...Someone from the same small group decided to put computation time towards guessing your password

If your Spotify account was created before December 19th, 2008 you should have received an email about the issue by now, assuming that the email address you stated when registering the account was correct.