Whenever a company publishes a blog post called something like “Important notice to our users” you should know to sit up and listen. Chances are, it’s serious and might involve the site’s security and your privacy.
That’s exactly the kind of article which has been published on Spotify’s blog today by the music streaming service’s CTO Oskar StÃ¥l:
Part of the message read:
We’ve become aware of some unauthorized access to our systems and internal company data and we wanted to let you know the steps we’re taking in response. As soon as we were aware of this issue we immediately launched an investigation. Information security and data protection are of great importance to us at Spotify and that is why I’m posting today.
Our evidence shows that only one Spotify user’s data has been accessed and this did not include any password, financial or payment information. We have contacted this one individual. Based on our findings, we are not aware of any increased risk to users as a result of this incident.
We take these matters very seriously and as a general precaution will be asking certain Spotify users to re-enter their username and password to log in over the coming days.
Sounds like we can all breath a sigh of relief that passwords, and financial information wasn’t exposed as a result of the hack. But I would feel somewhat more comforted if Spotify showed greater openness revealing what had been accessed (even if it was just one user impacted), rather than simply detailing what had not.
It appears that the blame is being pointed firmly in the direction of the service’s Android app:
As an extra safety step, we are going to guide Android app users to upgrade over the next few days. If Spotify prompts you for an upgrade, please follow the instructions. As always, Spotify does not recommend installing Android applications from anywhere other than Google Play, Amazon Appstore or https://m.spotify.com/. At this time there is no action recommended for iOS and Windows Phone users.
At the time of writing, there are no recommended iOS and Windows Phone Spotify users.
Some big questions remain.
Was there a problem with Spotify’s Android app? Did it help a hacker gain access to a Spotify user’s account? Could other Spotify customers using the company’s Android app have had their accounts put at risk because of a vulnerability?
One hopes that Spotify might share more information once it has pushed out a new version of its Android app, and plugged any remaining security vulnerabilities.