Spotify is partnered with a company who are leaking customer data
I recently created a Merchbar account after following a link from the Spotify app.
I used a one-off disposable email address unique to Merchbar, and generated a long random password via LastPass. My account is as secure as it can be.
I added some vinyl records (and only vinyl) to my shopping cart, and then abandoned it when I saw the exorbitant shipping fees. I never entered any credit card details. After walking away from Merchbar, I never went back.
Fast forward a few weeks, and I get an email to my Merchbar disposable email saying that my order (of a pint glass; not my original order) has shipped. The shipping was to my address, but the payment wasn't from me. Merchbar wouldn't explain how this happened, but said they had contacted the third party reseller to cancel the order.
To be clear: I did not place this order, but it was processed using my personal details.
Merchbar support asked me to change my password (which I did), but this is clearly not a security problem (what hacker breaks into someone's account to ship them a pint glass?!).
Fast forward another two weeks and the pint glass arrives at my doorstep; sent from a company I had never heard from, with all of my personal details included in the shipping and invoice details.
Spotify, you are partnered with a company that is doing nothing to secure the private data of its/your customers.
I'm posting this in the hope of raising awareness, and to warn any users who see this.
Do not follow the Merchbar links in the app and do not give them your details.