In the midst of its popular Spotify Wrapped 2020 playlist rollout of the year’s most popular songs, the streaming service is grappling with a security breach, which affected the pages of some of its biggest stars, including Lana Del Rey, Dua Lipa, Future, Pop Smoke and others.
Spotify is the most popular music streaming service in the world with 320 million users, according to the company.
The target of the attack, according to the BBC, was a Spotify site specifically for musicians and their labels, called Spotify for Artists. The site is password-protected to allow only artists and their teams to make changes to the pages. The attacker seemingly bypassed those protections.
The malicious actor called himself “Daniel” and used the pop stars’ pages to ask people to follow him on Snapchat, adding “Trump 2020,” to the message. Daniel also used the stunt to pledge his love to one pop star in particular: “Best of all shout out to my queen Taylor Swift,” he wrote.
Users shared images of the hijacked pages on Twitter, including this one for Lana Del Rey where Daniel swapped out Lana’s photo for Taylor’s.
Future’s Spotify page featured what is presumably a pic of Daniel listening to Pop Smoke’s page. Images of both takeovers were posted to Twitter by users who generally thought the scam was more funny than dangerous.
The pages appear to have been restored, but Spotify has not responded to requests for comment to confirm that the breach is contained.
Tim Mackey, who is a principal strategist with Synopsys, warned users to take breaches like these seriously — even if their mastermind is a teen punk motivated by a crush on Taylor Swift.
“While the details of what weaknesses in Spotify’s security practices remain unknown, the attack highlights an important aspect of all cyberattacks – the attackers define the rules of their attack,” Mackey said. “In this case, vandalism is an obvious component, but it could also be but one aspect of their ultimate goal.”
Mackey said that due to the lack of information from Spotify about the breach, users should review their passwords and security protections for the app.
Reports of the breach came on the same day the streaming service announced its popular 2020 Wrapped list of the most popular songs and podcasts streamed this year, meaning that one of its most high-profile annual promotions will have to compete with headlines about the security lapse. The news also comes hard on the heels of account-takeover reports last week. It is a situation Mackey said should serve as a teachable moment for businesses in any sector.
“Businesses seeking to learn from this incident should ask themselves how quickly they would be able to identify if they had fallen victim to a similar defacement effort,” Mackey advises. “If the answer isn’t affirming, then a review of audit and monitoring practices is in order, along with a review of incident-response planning.”