Spotify warns of unauthorized access to its systems, after Android user hacked

Whenever a company publishes a blog post called something like “Important notice to our users” you should know to sit up and listen. Chances are, it’s serious and might involve the site’s security and your privacy.

That’s exactly the kind of article which has been published on Spotify’s blog today by the music streaming service’s CTO Oskar Stål:

Part of the message read:

We’ve become aware of some unauthorized access to our systems and internal company data and we wanted to let you know the steps we’re taking in response. As soon as we were aware of this issue we immediately launched an investigation. Information security and data protection are of great importance to us at Spotify and that is why I’m posting today.

Our evidence shows that only one Spotify user’s data has been accessed and this did not include any password, financial or payment information. We have contacted this one individual. Based on our findings, we are not aware of any increased risk to users as a result of this incident.

We take these matters very seriously and as a general precaution will be asking certain Spotify users to re-enter their username and password to log in over the coming days.

Sounds like we can all breathe a sigh of relief that passwords and financial information weren’t exposed as a result of the hack. But I would feel somewhat more comforted if Spotify showed greater openness in revealing what had been accessed (even if it was just one user impacted), rather than simply detailing what had not.

It appears that the blame is being pointed firmly in the direction of the service’s Android app:

As an extra safety step, we are going to guide Android app users to upgrade over the next few days. If Spotify prompts you for an upgrade, please follow the instructions. As always, Spotify does not recommend installing Android applications from anywhere other than Google Play, Amazon Appstore or At this time there is no action recommended for iOS and Windows Phone users.

At the time of writing, there is no recommended action for iOS and Windows Phone Spotify users.

Some big questions remain.

Was there a problem with Spotify’s Android app? Did it help a hacker gain access to a Spotify user’s account? Could other Spotify customers using the company’s Android app have had their accounts put at risk because of a vulnerability?

One hopes that Spotify might share more information once it has pushed out a new version of its Android app, and plugged any remaining security vulnerabilities.

About the author
Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.
