Spotify Android Application at Issue in Breach

Streaming music service Spotify reported a breach of its systems and data, and said updates will be limited to only its Android application.

Users of Spotify on Android will soon be asked to update the application after a breach was reported this morning by the streaming music service’s chief technology officer.

Oskar Stal wrote on the company’s website that the company is investigating unauthorized access to its systems and internal company data. He also wrote that certain users will be asked to reset their passwords.

“Our evidence shows that only one Spotify user’s data has been accessed and this did not include any password, financial or payment information,” Stal said. “We have contacted this one individual. Based on our findings, we are not aware of any increased risk to users as a result of this incident.”

Spotify is limiting updates to only its Android users and is not recommending any action for iOS and Windows Phone users.

Android users will be prompted to upgrade in the coming days, Stal said.

Spotify head of U.S. communications Graham Jones would not answer questions via email as to why only the Android application was being updated, why only one user was reportedly affected, whether the user’s app was downloaded from Google Play or a third party, or when the attack was discovered.

“We’re not going into any further detail beyond what is on the blog post,” Jones said.

Spotify, which recently announced it had 10 million global subscribers, has had a fairly tranquil security reputation. Its last publicly reported security incident was almost 13 months ago, when a then-new Google Chrome plug-in allowed users to download copies of songs for free.

The extension, known as Downloadify, was pulled from the Chrome Web Store almost immediately. The plug-in exploited a vulnerability in the company’s Web-based player. A user could take advantage of it to download an MP3 of the song as it started playing. The vulnerability allowed a bypass of the file’s digital rights management protection. Copies of the plug-in were also found on third-party sites, including GitHub.
