
Spotify Announces Single User Hacked, No Personal Data Stolen

Posted by Soulskill
from the if-you're-going-to-have-a-data-breach,-this-is-a-good-way-to-do-it dept.
An anonymous reader writes "On the Spotify company blog, CTO Oskar Stål apologized to users and said there has been a security breach at Spotify, where some systems and internal company data was accessed without permission. Evidence given suggests only one Spotify user's account was accessed and that no security or payment information was taken. As a security step, Spotify has announced they are releasing an updated Android application over the coming days, as well as requiring some users to re-enter their login details."
This discussion has been archived. No new comments can be posted.

  • by Anonymous Coward

    the evil hackers may find out that I like listening to Prince or Hanson! that would be humiliating!

  • by Isca (550291) on Tuesday May 27, 2014 @02:43PM (#47101443)
    1 account only was hacked? This sounds like someone who was trying to prove that a flaw exists in their security. I'm guessing there is more to this story to come - this sounds like they are setting things up to go after this 'hacker' that caused the security breach. If it was someone trying to do something malicious there would be more accounts pulled. Even if it was someone who was just curious to see if they could do it wouldn't have just stopped at one but someone who is trying to play the role of a white hat would potentially only do this on one single account. I'll be really disappointed if that's what it turns out to be and Spotify decides to prosecute.
    • by Charliemopps (1157495) on Tuesday May 27, 2014 @03:13PM (#47101711)

      1 account only was hacked? This sounds like someone who was trying to prove that a flaw exists in their security.

      I'm guessing there is more to this story to come - this sounds like they are setting things up to go after this 'hacker' that caused the security breach. If it was someone trying to do something malicious there would be more accounts pulled. Even if it was someone who was just curious to see if they could do it wouldn't have just stopped at one but someone who is trying to play the role of a white hat would potentially only do this on one single account.

      I'll be really disappointed if that's what it turns out to be and Spotify decides to prosecute.

      Or the person hacked was a high level employee who had the same password for his music account as he did for his corporate account. Keys to the kingdom and all...

  • by rnswebx (473058) on Tuesday May 27, 2014 @02:44PM (#47101453)

    I had my account 'hacked' and the email address changed. I went through a few days of email exchanges with Spotify support before they would restore access. I've had an account since before FB authentication, but I still have a difficult time believing mine is the only one...

    • Password guessing and hacking into their systems are two very different things.

      • by rnswebx (473058)

        Sure, I suppose it's possible to guess my password, but it's very unlikely. Definitely not in any dictionary, upper case, lower case, numbers, and symbols. If I were a betting man, I'd bet the whole retirement account that my password wasn't guessed.

  • Could be that the hacker was just trying to clean up their own, embarrassing listening history.
  • by MyLongNickName (822545) on Tuesday May 27, 2014 @02:51PM (#47101549) Journal

    As Spotify's DBA, I personally reviewed the log from the hacking session. There was only 1 user that appeared in the SQL query... strange guy with "*" as his username (no quotes) and he kept showing up in the SELECT queries.

  • by GoddersUK (1262110) on Tuesday May 27, 2014 @07:25PM (#47103381)
    http://i.imgur.com/b4DHe4z.png The timing couldn't have been better. (In fact, perhaps the hack was someone taking this too literally?)
  • I wouldn't be surprised if this is in part a way of ensuring that all data breach notification law requirements are met by broadcasting the notification in such a way that no agency or person can claim to have not been aware (even if they claim they didn't receive notification directly).
