by Elessar 4861 days ago
Why is everyone jumping to blame Spotify for maliciousness? All I see is that they have a bug where they instantly assume emails = Facebook login. Then they try logging in using that email, and because this user reuses passwords, it works.

It takes two to Tango, but I see incompetence on both sides rather than maliciousness.

2 comments

It's not a "bug" if they specifically ask the user for their "facebook email" or their "spotify username" - which of course they do!

So if the user provides their facebook email and the correct password to match, which this user did, the correct behaviour is to log the user in via facebook. Which of course Spotify did.

No bug there. I'd say that this is mostly user error - but possibly Spotify could make it more obvious.

So reactivating the facebook account and adding the app to the facebook account without the user agreeing to either is fine for you?

I would argue that the user did agree to that when they provided Spotify with their facebook email AND the correct password.

But, as I said before, Spotify could make this clearer.

Also see this comment: http://news.ycombinator.com/item?id=5267040

I never used the word malicious. I used the word "behavior". Behavior encapsulates incompetence, poor design, maliciousness, etc. I don't presume to know what was behind the implementation... I just don't think it should be tolerated.