Spotify Praised for Quick Thinking After Minor Security Breach


Online music service Spotify has reacted swiftly to prevent a breach affecting just one user's data from escalating into a major incident, in part by releasing a new version of its Android app.

CTO Oskar Stål explained in a blog post that the firm recently became aware of “some unauthorized access to our systems and internal company data”.
 
“Our evidence shows that only one Spotify user’s data has been accessed and this did not include any password, financial or payment information,” he added. “We have contacted this one individual. Based on our findings, we are not aware of any increased risk to users as a result of this incident.”
 
As a precaution, Spotify said it would be asking certain users to re-enter their user names and passwords. It has also made available a new Android app, to which it recommends users upgrade.
 
“Please note that offline playlists will have to be re-downloaded in the new version,” added Stål. “We apologize for any inconvenience this causes, but hope you understand that this is a necessary precaution to safeguard the quality of our service and protect our users.”
 
Security consultant Brian Honan argued that Spotify’s quick reaction should be a lesson to all service providers on how to deal with security incidents.
 
“Although the breach appears to have only impacted one user, Spotify took the proactive steps in not just informing that user, but also making other users aware of the potential security issue and asking them to change their passwords,” he told Infosecurity.
 
“This should highlight to companies that when providing a service to those on mobile devices that your security should not just focus on your core systems and datacentres, but you also need to ensure the security of the apps and realise those apps could very well be installed on compromised systems.”
 
The speed with which Spotify dealt with the issue stands in stark contrast to eBay’s reaction to a recent major data breach: many of its users still have not received an email urging them to change their passwords, a full week after the incident went public.
 
Dwayne Melancon, CTO of Tripwire, speculated that the Spotify incident may have been a proof-of-concept attack.
 
“Had this been as simple as one user over-sharing their login credentials, it would not warrant an all-user notification,” he added. “Given that Spotify claims that only one user’s data has been compromised, I suspect this was achieved via a re-usable, broadly applicable attack method perhaps affecting older versions of the Spotify app.”
 
Check Point UK MD Keith Bird also praised Spotify’s speedy response.
 
“It would have been easy for the company to quietly issue a software update to address the issue without informing subscribers about the breach, but they’ve taken a responsible approach and I think people will welcome this,” he said.
 
“It will certainly help to ensure that more users apply the upgrades when they are available.”