Another day, another breach. The latest to disclose that there had been some 'unauthorised access to systems and internal company data' is music streaming service Spotify. The disclosure itself was something of an odd one, claiming that the investigation suggested only a single user's data had been compromised following an issue with the Android app.
Oskar Stal, CTO at Spotify, claims that the investigation suggests no password, financial or payment information was accessed. "Based on our findings, we are not aware of any increased risk to users as a result of this incident," Stal insists, continuing "...as a general precaution will be asking certain Spotify users to re-enter their username and password to log in over the coming days" and "as an extra safety step, we are going to guide Android app users to upgrade over the next few days. If Spotify prompts you for an upgrade, please follow the instructions."
I'm with Dwayne Melancon, CTO of security specialists Tripwire, who reckons that "someone demonstrated a proof-of-concept attack for the Spotify team and that constitutes the single known affected user." It would certainly make a lot of sense, as I cannot imagine that Spotify would have issued an all-user notification of a breach had it been just a single user over-sharing login credentials. "Given that Spotify claims that only one user's data has been compromised," Melancon says, "I suspect this was achieved via a re-usable, broadly applicable attack method perhaps affecting older versions of the Spotify app." That would tie in with the Spotify advice for Android users to update to a newer version.
Ross Brewer, vice president at LogRhythm, adds: "While this Spotify attack appears to be relatively minor in terms of customer impact, particularly when compared to last week's eBay furore, it still raises questions about how equipped these companies are to keep our personal information safe. Spotify's statement makes no reference to when the compromise was discovered, simply that it acted immediately. Before the EU initiates 24-hour breach disclosure laws for all sectors, all businesses should be following this lead to proactively reassure customers."