
Spotify Announces Single User Hacked, No Personal Data Stolen

Soulskill posted about 2 months ago | from the if-you're-going-to-have-a-data-breach,-this-is-a-good-way-to-do-it dept.

Security 50

An anonymous reader writes "On the Spotify company blog, CTO Oskar Stål apologized to users and said there has been a security breach at Spotify, where some systems and internal company data was accessed without permission. Evidence given suggests only one Spotify user's account was accessed and that no security or payment information was taken. As a security step, Spotify has announced they are releasing an updated Android application over the coming days, as well as requiring some users to re-enter their login details."


50 comments

Oh the humanity! (1)

Anonymous Coward | about 2 months ago | (#47101405)

the evil hackers may find out that I like listening to Prince or Hanson! that would be humiliating!

LOL (0)

Anonymous Coward | about 2 months ago | (#47101417)

Frostsy yasdfyas PISSSSWS

But seriously, why release an update if a single user's logon was compromised? Must have had access to source code, and there must have been something stupidly hard-coded in that source code.

Re:LOL (0)

Anonymous Coward | about 2 months ago | (#47105385)

Perhaps the 'exploit' was a PoC of a much more dangerous vulnerability.

Bullshit. (0)

Anonymous Coward | about 2 months ago | (#47101425)

Evidence suggests at least one user's account was accessed.

"A few other selected people need to update their details, for, you know, random security measures..."

Thought they used Facebook for all logins? (0)

Anonymous Coward | about 2 months ago | (#47101427)

Didn't Spotify require FB authentication for all user access?

Re:Thought they used Facebook for all logins? (1)

tepples (727027) | about 2 months ago | (#47101529)

Spotify required Facebook login at first but later added its own authentication alongside Facebook's.

Re:Thought they used Facebook for all logins? (4, Informative)

marsu_k (701360) | about 2 months ago | (#47101557)

Rewriting history there - the Facebook "integration" came later, when it was released here in the Nordic countries it was just a login/pass. I don't think it was ever mandatory though? At least, as an existing customer, I've never needed to link my Spotify account to Facebook.

Re:Thought they used Facebook for all logins? (1)

marsu_k (701360) | about 2 months ago | (#47101565)

Or rather, my Facebook account to Spotify. Anyway.

Re:Thought they used Facebook for all logins? (1)

Jeff Flanagan (2981883) | about 2 months ago | (#47101895)

I initially didn't join Spotify because of the Facebook requirement. They added their own authentication system later.

It's possible that this was different for non-American users, but tepples' post was correct, and assuming that Spotify is an American company, you're the one rewriting history based on a foreign experience.

Re:Thought they used Facebook for all logins? (3, Informative)

marsu_k (701360) | about 2 months ago | (#47101951)

But your assumption is wrong, Spotify is from Sweden.

Re:Thought they used Facebook for all logins? (1)

rnswebx (473058) | about 2 months ago | (#47102895)

I created my account in August of 2011, and I did not integrate with Facebook. I still have the original email telling me that I'll need to log in with the username I created and a password. Facebook integration definitely came after the initial launch in the US. Perhaps you found out about Spotify after September 2011? From the Spotify wikipedia article:

On 26 September 2011, it was announced that all new accounts would require users to access via a Facebook login[84] but the sign-up restriction was later removed on 30 August 2012, giving users a choice to either log in with Facebook or create a Spotify username.

Re:Thought they used Facebook for all logins? (1)

cHiphead (17854) | about 2 months ago | (#47103359)

My wife in the US got in by invite with a non-FB login, this was before any FB login integration was added. I'm stuck with a FB login b/c I was in the interim where they required it.

Re:Thought they used Facebook for all logins? (0)

Anonymous Coward | about 2 months ago | (#47105371)

You assume too much.

Re:Thought they used Facebook for all logins? (2)

tepples (727027) | about 2 months ago | (#47102417)

It was mandatory when Spotify launched in Slashdot's home country. It went from "not available in USA" to "we outsource identity management to Facebook to make sure that a real person is listening" to "login with Facebook or create a new account"

Re:Thought they used Facebook for all logins? (2)

rnswebx (473058) | about 2 months ago | (#47102921)

It was not mandatory on launch, but shortly afterward. The US launch was July 2011, and the Facebook requirement came in September 2011.

Re:Thought they used Facebook for all logins? (0)

Anonymous Coward | about 2 months ago | (#47106311)

Originally, Spotify had their own login system when it was in beta for the US. When it was released, however, they had mandatory Facebook login integration (already created accounts didn't require Facebook credentials.) I remember this because when they forced the Facebook account credentials I ended up unsubscribing from my payment plan.

Some unspecified time later they brought back their custom accounting system, but it was too late. Haven't used premium since. (Barely use it at all any more to be honest, I'd rather purchase music and listen to it ad-free.)

Re:Thought they used Facebook for all logins? (1)

mars-nl (2777323) | about 2 months ago | (#47101541)

It's an option. You can also use a regular Spotify-only login.

This sounds like a proof of flaw 'hack'. (4, Insightful)

Isca (550291) | about 2 months ago | (#47101443)

1 account only was hacked? This sounds like someone who was trying to prove that a flaw exists in their security. I'm guessing there is more to this story to come - this sounds like they are setting things up to go after this 'hacker' that caused the security breach. If it was someone trying to do something malicious there would be more accounts pulled. Even if it was someone who was just curious to see if they could do it, they wouldn't have just stopped at one, but someone who is trying to play the role of a white hat would potentially only do this on one single account. I'll be really disappointed if that's what it turns out to be and Spotify decides to prosecute.

Re:This sounds like a proof of flaw 'hack'. (4, Insightful)

Charliemopps (1157495) | about 2 months ago | (#47101711)

1 account only was hacked? This sounds like someone who was trying to prove that a flaw exists in their security.

I'm guessing there is more to this story to come - this sounds like they are setting things up to go after this 'hacker' that caused the security breach. If it was someone trying to do something malicious there would be more accounts pulled. Even if it was someone who was just curious to see if they could do it, they wouldn't have just stopped at one, but someone who is trying to play the role of a white hat would potentially only do this on one single account.

I'll be really disappointed if that's what it turns out to be and Spotify decides to prosecute.

Or the person hacked was a high level employee who had the same password for his music account as he did for his corporate account. Keys to the kingdom and all...

Re:This sounds like a proof of flaw 'hack'. (0)

Anonymous Coward | about 2 months ago | (#47102405)

Or, someone had a theory, tested that the hack worked. Then informed spotify about the weakness and asked them to patch it. Possibly also mentioning that he'll post the exploit on a forum next week.

My account was hacked. (3, Interesting)

rnswebx (473058) | about 2 months ago | (#47101453)

I had my account 'hacked' and the email address changed. I went through a few days of email exchanges with Spotify support before they would restore access. I've had an account since before FB authentication, but I still have a difficult time believing mine is the only one...

Re:My account was hacked. (2)

ericloewe (2129490) | about 2 months ago | (#47102373)

Password guessing and hacking into their systems are two very different things.

Re:My account was hacked. (1)

rnswebx (473058) | about 2 months ago | (#47102809)

Sure, I suppose it's possible to guess my password, but it's very unlikely. Definitely not in any dictionary, upper case, lower case, numbers, and symbols. If I were a betting man, I'd bet the whole retirement account that my password wasn't guessed.

Maybe someone hacked their own account? (1)

AlphaBit (1244464) | about 2 months ago | (#47101505)

Could be that the hacker was just trying to clean up their own, embarrassing listening history.

As Spotify's DBA.. (5, Funny)

MyLongNickName (822545) | about 2 months ago | (#47101549)

As Spotify's DBA, I personally reviewed the log from the hacking session. There was only 1 user that appeared in the SQL query... strange guy with "*" as his username (no quotes) and he kept showing up in the SELECT queries.

Re:As Spotify's DBA.. (1)

sexconker (1179573) | about 2 months ago | (#47101593)

As Spotify's DBA, I personally reviewed the log from the hacking session. There was only 1 user that appeared in the SQL query... strange guy with "*" as his username (no quotes) and he kept showing up in the SELECT queries.

That's not even how you make the joke.

Re:As Spotify's DBA.. (1)

mbourgon (186257) | about 2 months ago | (#47101683)

I laughed, and I'm a DBA. Yeah, the joke doesn't parse exactly, but it's still funny.

Re:As Spotify's DBA.. (0)

Anonymous Coward | about 2 months ago | (#47101785)

Sometimes, you have to sacrifice quality for a quick post... that's the key to getting to +5.

Re:As Spotify's DBA.. (1)

rogoshen1 (2922505) | about 2 months ago | (#47101947)

how does one make the joke?

Re:As Spotify's DBA.. (1)

Qzukk (229616) | about 2 months ago | (#47102101)

SQL's wildcard character is % (used in LIKE or ILIKE expressions).

Re:As Spotify's DBA.. (1)

geekoid (135745) | about 2 months ago | (#47102165)

All I took away from that is the poor sucker works in Access.

Re:As Spotify's DBA.. (0)

Anonymous Coward | about 2 months ago | (#47102971)

You use SELECT %?

Re:As Spotify's DBA.. (0)

Anonymous Coward | about 2 months ago | (#47102957)

SELECT * not SELECT %

Re:As Spotify's DBA.. (1)

Qzukk (229616) | about 2 months ago | (#47104241)

SELECT * FROM users WHERE USERNAME ILIKE '%'

"I think usernames should be case insensitive"

Re:As Spotify's DBA.. (0)

infogulch (1838658) | about 2 months ago | (#47101723)

This reminds me of little Bobby Tables. aka obligatory http://xkcd.com/327/ [xkcd.com]

Re:As Spotify's DBA.. (2)

ArcadeMan (2766669) | about 2 months ago | (#47101819)

This is Slashdot. You just have to mention "little Bobby Tables" and we all know what you're talking about. No need to link to xkcd.

Re:As Spotify's DBA.. (2)

Qzukk (229616) | about 2 months ago | (#47101879)

You just have to mention "little Bobby Tables"

Shaka, when the walls fell.

Re:As Spotify's DBA.. (2)

Anubis IV (1279820) | about 2 months ago | (#47101979)

You just have to mention "little Bobby Tables"

Shaka, when the walls fell.

For those who don't get it: http://en.memory-alpha.org/wik... [memory-alpha.org]

;)

Re:As Spotify's DBA.. (1)

ArcadeMan (2766669) | about 2 months ago | (#47102193)

What did I just say! :p

Re:As Spotify's DBA.. (1)

Anubis IV (1279820) | about 2 months ago | (#47102257)

I saw your comment and I simply couldn't resist once I saw an uncited geek reference in reply to you. :D

Re:As Spotify's DBA.. (1)

geekoid (135745) | about 2 months ago | (#47102207)

Ugh. That episode made no sense in the ST universe. ALL language uses metaphor. Ahhh.

Re:As Spotify's DBA.. (0)

Anonymous Coward | about 2 months ago | (#47102507)

But in reference to this thread, it's clear that when metaphor is understood, no citation is necessary.

Compare simply stating "Little Bobby Tables" and everyone understanding.

Re:As Spotify's DBA.. (1)

ArcadeMan (2766669) | about 2 months ago | (#47102511)

The translator still converted their language into english. It's just that their whole language was metaphors.

Let's say two persons are talking about sanitizing database inputs. If someone says "Little Bobby Tables", there's a whole explanation and concept behind that without needing to further explain anything else.
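The "little Bobby Tables" problem the thread keeps alluding to, as an added example that is not part of any comment above and has nothing to do with Spotify's systems: a lookup that splices user input into SQL text beside the parameterized form, plus the LIKE-wildcard caveat from the ILIKE '%' joke (a bound parameter stops injection, but a bare % or _ in the input still matches every row unless you escape it). Runs against an in-memory SQLite database with constructed sample users.

```python
"""Added example: SQL injection via string formatting, the parameterized fix,
and escaping LIKE metacharacters. Not code from the thread or from Spotify."""
import sqlite3

# Constructed sample data; none of it comes from any real service.
SAMPLE_USERS = [("alice", "alice@example.org"), ("bob", "bob@example.org")]


def make_db() -> sqlite3.Connection:
    """Build a throwaway in-memory database with the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Bobby Tables pattern: attacker-controlled text becomes part of the SQL.
    A username of  ' OR '1'='1  turns the WHERE clause into a tautology and
    the query returns every row."""
    sql = "SELECT username, email FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Parameterized: the query shape is fixed and the input is only ever data,
    so the same payload is looked up as a literal username and matches nothing."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


def escape_like(s: str, esc: str = "\\") -> str:
    """Escape LIKE metacharacters so user input is matched literally.
    The escape character itself must be escaped first."""
    return (
        s.replace(esc, esc + esc)
         .replace("%", esc + "%")
         .replace("_", esc + "_")
    )


def search_prefix_naive(conn: sqlite3.Connection, prefix: str) -> list:
    """Parameterized but NOT escaped: binding stops injection, yet a user who
    types '%' still gets a pattern of '%%' and therefore every row."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username LIKE ?", (prefix + "%",)
    ).fetchall()


def search_prefix(conn: sqlite3.Connection, prefix: str) -> list:
    """Parameterized AND escaped: '%' or '_' from the user means the literal
    character; only the trailing '%' we append acts as a wildcard."""
    pattern = escape_like(prefix) + "%"
    return conn.execute(
        "SELECT username, email FROM users WHERE username LIKE ? ESCAPE '\\'",
        (pattern,),
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, payload))   # both rows leak
    print("safe:      ", lookup_safe(db, payload))          # []
    print("naive LIKE:", search_prefix_naive(db, "%"))      # both rows
    print("escaped:   ", search_prefix(db, "%"))            # []
```

The two LIKE helpers are the practical point behind the wildcard joke: parameter binding fixes the Bobby Tables class of bug, but LIKE interprets its pattern after binding, so wildcard escaping is a separate step you have to do yourself (and SQLite's ESCAPE clause, used here, is what makes the escaped characters literal).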

Except for diet Coke and Mentos lucky 10,000 (1)

raymorris (2726007) | about 2 months ago | (#47102775)

Yep, here on /. everyone knows all of the xkcd comics. Except of course for ArcadeMan, who has apparently forgotten "Ten Thousand", aka "Diet Coke and Mentos, the second one, not the dad one".
http://xkcd.com/1053/ [xkcd.com]

speaking as the loyal opposition... (-1)

Anonymous Coward | about 2 months ago | (#47102023)

Every superfluous xkcd link deserves a rebuttal [goatkcd.com] .

Reason - you posted an XKCD link, and you should feel bad.

My god (0)

Anonymous Coward | about 2 months ago | (#47101667)

Quick! someone call the FBI, NSA, ICE, DEA, Homeland, National Guard, and Federales. "No shit"

you fa1l 1t (-1)

Anonymous Coward | about 2 months ago | (#47102091)

posts. THer:efore

The ad in my Spotify client today, I kid you not.. (4, Insightful)

GoddersUK (1262110) | about 2 months ago | (#47103381)

http://i.imgur.com/b4DHe4z.png [imgur.com] The timing couldn't have been better. (In fact, perhaps the hack was someone taking this too literally?)

Data Breach Notification Law (1)

burning_plastic (164918) | about 2 months ago | (#47105189)

I wouldn't be surprised if this is in part a way of ensuring that all data breach notification law requirements are met by broadcasting the notification in such a way that no agency or person can claim to have not been aware (even if they claim they didn't receive notification directly).

The key used for signing was probably compromised (0)

Anonymous Coward | about 2 months ago | (#47110955)

The need for android users to download a new app, instead of just updating the existing one, indicates to me that the private key for signing the app was probably compromised.
