Another day, another breach. The latest to disclose that there had been some 'unauthorised access to systems and internal company data' is music streaming service Spotify. The disclosure itself was something of an odd one, claiming that the investigation suggested only a single user's data had been compromised following an issue with the Android app.

Oskar Stal, CTO at Spotify, claims that the investigation suggests no password, financial or payment information was accessed. "Based on our findings, we are not aware of any increased risk to users as a result of this incident," Stal insists, continuing "...as a general precaution will be asking certain Spotify users to re-enter their username and password to log in over the coming days" and "as an extra safety step, we are going to guide Android app users to upgrade over the next few days. If Spotify prompts you for an upgrade, please follow the instructions."

I'm with Dwayne Melancon, CTO of security specialists Tripwire, who reckons that "someone demonstrated a proof-of-concept attack for the Spotify team and that constitutes the single known affected user." It would certainly make a lot of sense, as I cannot imagine that Spotify would have issued an all-user notification of a breach had it been just a single user over-sharing login credentials. "Given that Spotify claims that only one user's data has been compromised," Melancon says, "I suspect this was achieved via a re-usable, broadly applicable attack method perhaps affecting older versions of the Spotify app." That would tie in with the Spotify advice for Android users to update to a newer version.

Ross Brewer, vice president at LogRhythm, adds: "While this Spotify attack appears to be relatively minor in terms of customer impact, particularly when compared to last week's eBay furore, it still raises questions about how equipped these companies are to keep our personal information safe. Spotify's statement makes no reference to when the compromise was discovered, simply that it acted immediately. Before the EU initiates 24-hour breach disclosure laws for all sectors, all businesses should be following this lead to proactively reassure customers."


As Editorial Director and Managing Analyst with IT Security Thing I am putting more than two decades of consulting experience into providing opinionated insight regarding the security threat landscape for IT security professionals. As an Editorial Fellow with Dennis Publishing, I bring more than two decades of writing experience across the technology industry into publications such as Alphr, IT Pro and (in good old fashioned print) PC Pro. I also write for SC Magazine UK and Infosecurity, as well as The Times and Sunday Times newspapers. Along the way I have been honoured with a Technology Journalist of the Year award, and three Information Security Journalist of the Year awards. Most humbling, though, was the Enigma Award for 'lifetime contribution to IT security journalism' bestowed on me in 2011.


Wow... a lot of major companies are getting hacked nowadays... Target, eBay, and so on. I even heard of someone writing about 100 hackers getting arrested for creating malware just recently.

Good article!

