Spotify has stated publicly that they had an internal data breach that resulted in some unauthorized access of their systems and internal company data and that only one user was affected. According to Spotify, this issue only affects Android users and as a result, they are asking Android users to update their Spotify Android clients whenever prompted by the Google Play Store. Spotify has made it clear that no users’ data was compromised outside of the single individual and that no login or bank account data was compromised during the breach of Spotify’s systems. However, they did make it clear that they highly recommend that all Android users upgrade their client over the course of the next few days.
While Spotify’s investigation has only turned up a single affected user as a result of this recent breach, I suspect that there are others that they simply didn’t find. It seems highly unlikely that only one user’s account was compromised over the course of this breach. They discovered the hole in their security and have patched it with an update. iPhone/iOS users appear to be completely unaffected, but Android users should heed Spotify’s warnings about updating the app, as well as about downloading updates from unknown sources. The only source of an update for Spotify’s Android app should be the Google Play Store and nowhere else.
As Spotify grows in popularity, there are going to be more attempts to break into the service’s databases and access their users’ data. The company’s CTO has already notified the public of this issue and that a fix has already been applied. Hopefully something like this doesn’t happen again, but I have a feeling that whoever gained unauthorized access to Spotify’s systems was not going after user data, yet. If Spotify’s claims are correct, then whoever attacked them was likely looking for some of their own proprietary information and may be back again to try to steal user data. Nowadays, user data is so poorly protected by companies that Spotify wanted to make it clear that users’ data, with the exception of one person, had not been compromised (to their knowledge).