Some of the world’s most popular singers have had their Spotify pages defaced by a hacker who posted messages about Donald Trump and Taylor Swift including Lana Del Rey and Dua Lipa had their biographies replaced by the attacker. Daniel, the hacker, replaced these photos with photos of himself. The attacker also asked people to add him on Snapchat, and added the words “Trump 2020”.
While the details of what weaknesses in Spotify’s security practices remain unknown, the attack highlights an important aspect of all cyber-attacks – the attackers define the rules of their attack. In this case, vandalism is an obvious component, but it could also be but one aspect of their ultimate goal. From a public perspective, without clarity around how the Spotify for Artists web site is related to the consumer Spotify site, I would recommend that all Spotify users take this opportunity to reset their passwords and review which apps they’ve linked to the Spotify service. Businesses seeking to learn from this incident should ask themselves how quickly they would be able to identify if they had fallen victim to a similar defacement effort. If the answer isn’t affirming, then a review of audit and monitoring practices is in order, along with a review of incident response planning.
While the Spotify Artist Pages hack makes headlines, more important is the recent report of up to 350,000 Spotify user accounts being hacked, exposing sensitive information, including users\’ email addresses, usernames, and passwords.
While Spotify has contacted the users believed to have had their information exposed, even users that haven\’t been contacted shouldn\’t feel safe. They should change their password to a secure password, set up the platform\’s two-factor authentication, check to make sure the password wasn\’t being used on other sites or services, and invest in and use a password manager.
This advice is also applicable to the Dua Lipas and Lana Del Rays of the world.
The big question about the attack on Spotify is whether it occurred through the artists\’ portal where they can claim and manage their own pages, or through some other internal Spotify system. Both would be concerning but the latter much more so, as it would require compromising Spotify\’s security and not just the login information of a few artists.
Defacement is a popular sort of sport among a niche community of hackers, though it usually occurs on websites rather than apps.