Another day, another breach. The latest to disclose that there had been some 'unauthorised access to systems and internal company data' is music streaming service Spotify. The disclosure itself was something of an odd one, claiming that investigation suggested only a single user's data had been compromised following an issue with the Android app.

Oskar Stal, CTO at Spotify, claims that the investigation suggests no password, financial or payment information was accessed. "Based on our findings, we are not aware of any increased risk to users as a result of this incident," Stal insists, continuing "...as a general precaution [we] will be asking certain Spotify users to re-enter their username and password to log in over the coming days" and "as an extra safety step, we are going to guide Android app users to upgrade over the next few days. If Spotify prompts you for an upgrade, please follow the instructions."

I'm with Dwayne Melancon, CTO of security specialists Tripwire, who reckons that "someone demonstrated a proof-of-concept attack for the Spotify team and that constitutes the single known affected user." It would certainly make a lot of sense, as I cannot imagine that Spotify would have issued an all-user notification of a breach had it been just a single user over-sharing login credentials. "Given that Spotify claims that only one user's data has been compromised," Melancon says, "I suspect this was achieved via a re-usable, broadly applicable attack method perhaps affecting older versions of the Spotify app." That would tie in with the Spotify advice for Android users to update to a newer version.

Ross Brewer, vice president at LogRhythm, adds "while this Spotify attack appears to be relatively minor in terms of customer impact, particularly when compared to last week’s eBay furore, it still raises questions about how equipped these companies are to keep our personal information safe. Spotify’s statement makes no reference to when the compromise was discovered, simply that it acted immediately. Before the EU initiates 24 hour breach disclosure laws for all sectors, all businesses should be following this lead to proactively reassure customers."

About the Author

A freelance technology journalist for 30 years, I have been a Contributing Editor at PC Pro (one of the best-selling computer magazines in the UK) for most of them. As well as currently contributing to Forbes.com, The Times and Sunday Times via Raconteur Special Reports, SC Magazine UK, Digital Health, IT Pro and Infosecurity Magazine, I am also something of a prolific author. My last book, Being Virtual: Who You Really are Online, was published in 2008 as part of the Science Museum TechKnow Series by John Wiley & Sons. I am also the only three-time winner (2006, 2008, 2010) of the BT Information Security Journalist of the Year title, and was humbled to be presented with the 'Enigma Award' for a 'lifetime contribution to information security journalism' in 2011 despite my life being far from over...


Wow... a lot of major companies are getting hacked nowadays... Target, eBay, and so on. I even heard of someone writing about 100 hackers getting arrested for creating malware just recently.

Good article!