
Important Notice to Our Users - mts_
http://news.spotify.com/us/2014/05/27/important-notice-to-our-users/
======
Shank
Interesting note: there are now two apps in the Google Play Store under
Spotify Ltd. The first one, Spotify, is the existing app.
[https://play.google.com/store/apps/details?id=com.spotify.mo...](https://play.google.com/store/apps/details?id=com.spotify.mobile.android.ui)

It has the package name 'com.spotify.mobile.android.ui'.

The new one is 'Spotify Music,' which appears to be brand new.
[https://play.google.com/store/apps/details?id=com.spotify.mu...](https://play.google.com/store/apps/details?id=com.spotify.music)

It has the package name 'com.spotify.music.'

To me, this indicates that the signing keys for the Android app were also
stolen during the breach.

~~~
maaarghk
No, look here:

[https://support.spotify.com/us/problems/#!/article/downloadi...](https://support.spotify.com/us/problems/#!/article/downloading-android-update)

That article has a link to com.spotify.music

~~~
ctz
The article probably needs updating.

Because right now `com.spotify.music` is just over 1MB (down from 15MB) and
just shows this screen:

[http://i.imgur.com/lZYDyBt.png](http://i.imgur.com/lZYDyBt.png)

Hitting the "Download" button takes you to the "Spotify Music" app page on the
Play store.

~~~
maaarghk
It's the other way around. Go here:

[https://play.google.com/store/apps/details?id=com.spotify.mo...](https://play.google.com/store/apps/details?id=com.spotify.mobile.android.ui)

Use this online tool to install on your device, then open it from the
notification drawer and you'll get the screen above. Then do the same from
here:

[https://play.google.com/store/apps/details?id=com.spotify.mu...](https://play.google.com/store/apps/details?id=com.spotify.music)

and also scroll down and note that the size is 14MB - i.e. com.spotify.music
is the new one.

Anyway, whilst you had that wrong, I had misunderstood. I think Shank was
saying that the signing keys for com.spotify.mobile.android.ui were stolen
which is why they then changed it to com.spotify.music - which is a reasonable
explanation. I had thought that he meant the attacker uploaded
com.spotify.music or something.

The reviews are a disaster though. I know those people are just the minority
of morons who don't understand what's going on, but holy shit they shout loud.
As a Spotify Premium customer I hope it doesn't cause them any major issues.

------
bowlofpetunias
The complete lack of concrete information and the fact that the "incident"
applies to only one user suggests something was discovered that triggered the
company lawyers to engage cover-your-ass mode.

The alternative explanation would be that Spotify has adopted a total
transparency policy that includes even the smallest of incidents, but the
total lack of information about what the Android update actually changes
doesn't support that.

Am I missing something here?

~~~
ronaldx
You may have missed:

"Hey, this also has the nice benefit that customers will upgrade to our latest
version."

~~~
tomp
Given that they are only urging Android users to update, it looks like this
isn't a new version, but rather a hotfix for some issue that only existed in
the Android app.

------
hodgesmr
I received an unauthorized password reset attempt over the weekend. Seems like
I probably wasn't the only one.

~~~
spacefight
With the size of the Spotify user base, that might also have been a typo. Or a
targeted attack... but to gain what exactly?

------
0x0
What's the connection with the Android app? Did someone backdoor it, or
something?

~~~
eli
Maybe it transmits the password or session token in an insecure way?

~~~
nkozyra
As best I can tell from sniffing, it isn't doing anything overtly insecure.

------
benrapscallion
It's surprising how the titles of such posts never mention the content, just
"Important Information".

------
seefoma
Interesting note at the end about offline playlists having to be re-downloaded.
That, and the phrase 'internal company data', has me curious if the breach was
some kind of theft of media, as opposed to user credentials and info.

~~~
elemeno
It sounded like that's a result of the upgrade on Android - presumably they've
changed something recently about how they store the offline play lists.

~~~
Shank
Offline playlists are encrypted by Spotify. Presumably this change means that
the encryption keys used by Spotify to store offline data were compromised.

~~~
pionar
Actually, it looks like the "upgrade" is actually a new app entirely, so it's
probably just that since it's a new app, the offline data has to be
regenerated.

------
benrapscallion
It's surprising how the titles of such posts never mention the content,
just "Important Information".

------
eddywebs
Sounds like the aftermath of Heartbleed.

~~~
a1a
Possibly, but why wouldn't they say so? It seems reasonable to me that they
would blame the Heartbleed bug instead of taking the blow themselves.

------
iambateman
Looks like somebody REALLY wanted to know what their girlfriend had been
listening to.

~~~
pestaa
Spotify is a paid service, and they store user-sensitive data. Don't
underestimate the impact of a breach.

~~~
jasonlfunk
I think the joke was because only one user's data was apparently accessed.

------
hendzen
Two things missing from this statement that should be part of this note and
every note like it:

1) How were the passwords stored (hashed? what algorithm? what parameters?)

2) How were the CC #'s stored (encrypted? what cipher/mode/etc?)

~~~
aggronn
> Our evidence shows that only one Spotify user’s data has been accessed and
> this did not include any password, financial or payment information.

~~~
johnnyfaehell
I think the point here is if your data has been breached you should be
reassuring people that password and payment details even if accessed aren't
easily readable.

------
waylandsmithers
> We take these matters very seriously

This phrase seems to appear often in press releases and I feel that it usually
indicates the opposite. If you feel the need to SAY that, it's probably
because you've done something that implies you don't.

~~~
jasonlfunk
That seems like an unreasonable standard. If you take things seriously - you
can't SAY that you do otherwise people will think that you don't.

------
general_failure
I don't understand why they bother announcing such vague information. Just say
'security breach' in two words and stop instead of this word diarrhea.

~~~
worklogin
Attention: Not everyone is tech-savvy, tech-anything, or security-anything.
Saying "Security breach, no biggie" is not a proper way to communicate with
the general public about a service for which they pay.

- Scope of breach? Check

- Actions taken? Kind of (investigating, patching apps)

- Actions required by users? Check

- Reassurance that everything will be alright, stop cancelling your credit cards? Check

------
reledi
The most interesting part to me is that the comments rant about the new app
instead of discussing the security issue. Their users really want to be heard.
Those are dedicated users whose hatred for the app is fueled by love for the
product or company. Spotify should at least let them know that they're
listening.

------
halflings
Received a similar message from eBay (French):

"Dear eBay member,

So that eBay users can continue to enjoy a reliable and secure experience on
our site, we are asking all our members to change their password.

Here are the reasons: we recently discovered that our computer network had
been the target of a cyberattack. This attack compromised a database
containing eBay users' passwords.

It is important to stress that there is no indication that your financial
data was accessed or compromised. Furthermore, your password was encrypted."

