Spotify warns of data breach

Music-streaming service Spotify is the latest high-profile online service that has had to admit that it has been hit by a data breach.

But the Swedish company said only one user’s data had been accessed and this did not include any password, financial or payment information.

“Based on our findings, we are not aware of any increased risk to users as a result of this incident,” chief technology officer Oskar Stål said in a notice on the Spotify website.

“We take these matters very seriously and as a general precaution will be asking certain Spotify users to re-enter their username and password to log in over the coming days,” he added.

As an extra safety step, Spotify said Android app users should upgrade to the latest version from the Google, Amazon and Spotify app stores, but no action is required by iOS and Windows Phone users.

Spotify said that since the breach it has taken steps to strengthen its security systems in general and help protect user data. It said it would take further action in the coming days to increase user security.

In 2009, the music service was forced to notify users that their details, including encrypted passwords, may have been exposed when its systems were breached due to a vulnerability caused by a software bug.

Spotify has received praise for its prompt notification of users, unlike eBay, which has come under fire for failing to notify anyone for two weeks after a major data breach was confirmed and took a further week to tell users to change passwords.

“Spotify has done the right thing by responding so quickly and thoroughly, even though it seems just a single user was affected,” said Keith Bird, UK managing director for security firm Check Point. “This way, it has alerted its user base about what has happened, and how it plans to upgrade its security to better protect users’ details.”

Bird noted that it would have been easy for Spotify to quietly issue a software update to address the issue without informing subscribers about the breach.

“But they have taken a responsible approach and I think people will welcome this,” he said. “It will certainly help to ensure that more users apply the upgrades when they are available.”

While the breach was small, Dwayne Melancon, chief technology officer at security firm Tripwire, said it indicated basic security flaws that affect all users.

“Had this been as simple as one user over-sharing their login credentials, it would not warrant an all-user notification,” he said in an emailed statement.

“Given that Spotify claims that only one user’s data has been compromised, I suspect this was achieved via a re-usable, broadly applicable attack method, perhaps affecting older versions of the Spotify app,” he added.

“My guess would be that someone demonstrated a proof-of-concept attack for the Spotify team and that constitutes the single known affected user.”

He advised users, particularly on the Android platform, to follow Spotify’s recommendation and ensure they are running up-to-date software.


Read more on Privacy and data protection