If this type of behavior continues to be tolerated by users, the entire industry will suffer the backlash at some point. A few companies using obfuscated or unclear defaults will make it more likely that the government will bring down heavy legislation on all companies.
Why is everyone jumping to blame Spotify for maliciousness? All I see is that they have a bug where they instantly assume emails = Facebook login. Then they try logging in using that email, and because this user reuses passwords, it works.
It takes two to Tango, but I see incompetence on both sides rather than maliciousness.
It's not a "bug" if they specifically ask the user for their "facebook email" or their "spotify username" - which of course they do!
So if the user provides their Facebook email and the correct password to match, which this user did, the correct behaviour is to log the user in via Facebook. Which of course Spotify did.
No bug there. I'd say that this is mostly user error - but possibly Spotify could make it more obvious.
I never used the word malicious. I used the word "behavior". Behavior encapsulates incompetence, poor design, maliciousness, etc. I don't presume to know what was behind the implementation... I just don't think it should be tolerated.