Spotify has suffered its third data breach in the space of a few weeks.
# Incident Report: Spotify Third-Party Data Exposure (Late 2020)
## Executive Summary
Spotify experienced a series of security incidents culminating in its third documented breach in a few weeks during late 2020. The most significant event detailed involved the inadvertent exposure of user registration information to certain business partners. A separate, related incident involved the compromise and defacement of celebrity artist pages by a malicious actor exploiting account control.
## Incident Details
- Discovery Date: Not explicitly stated, but incidents occurred in late November/December 2020.
- Incident Date: Multiple incidents across late November and December 2020.
- Affected Organization: Spotify Technology S.A.
- Sector: Media & Entertainment (Music Streaming)
- Geography: International (Domiciled in Luxembourg, Headquartered in Stockholm, Sweden)
## Timeline of Events
### Initial Access
- **Date/Time:** Late November 2020 (First Incident)
- **Vector:** Credential Stuffing Attack (First Incident) / Account Compromise (Second Incident)
- **Details:**
  - **Incident 1 (Credential Stuffing):** Attackers used credentials recycled from previous data breaches to gain access to up to 350,000 user accounts.
  - **Incident 2 (Artist Page Defacement):** A cyber attacker, calling himself "Daniel," gained unauthorized access to several celebrity Spotify pages.
### Lateral Movement
- **Details:** The article does not explicitly detail lateral movement beyond the initial access points, but the compromise of artist pages implies the attacker moved to account administrative functions or artist management portals.
### Data Exfiltration/Impact
- **Details:**
  - **Incident 1:** Account registration information for up to 350,000 users was exposed.
  - **Incident 2:** Artist profile information (messages, profile images) was replaced with external content (Snapchat promotions, political messages).
### Detection & Response
- **Detection:** Public evidence (Twitter posts) for the artist page defacements; internal investigation for the partner data exposure.
- **Response Actions:** Spotify conducted an internal investigation and contacted all business partners potentially exposed to the user data, requesting the deletion of all inadvertently disclosed personal information.
## Attack Methodology
- **Initial Access:**
  - Credential Stuffing (using leaked credentials from other services).
  - Account compromise/session hijacking (implied for the celebrity page defacement).
- **Persistence:** Not detailed.
- **Privilege Escalation:** Not detailed.
- **Defense Evasion:** Not detailed.
- **Credential Access:** Re-use of credentials from prior breaches.
- **Discovery:** Not detailed.
- **Lateral Movement:** Not detailed.
- **Collection:** Account registration data (Incident 1).
- **Exfiltration:** Data shared inadvertently with third-party business partners (Incident 1).
- **Impact:** Information exposure to business partners; Account takeover/vandalism (Incident 2).
## Impact Assessment
- **Financial:** Not estimated.
- **Data Breach:** User account registration information (Incident 1). The data was exposed to business partners, not necessarily malicious actors.
- **Operational:** Potential temporary disruption to artist page management (Incident 2). Limited operational impact noted for the data exposure incident itself.
- **Reputational:** Negative publicity surrounding the *third* breach within a few weeks.
## Indicators of Compromise
This report does not contain specific technical IOCs (IPs, domains, hashes).
## Response Actions
- **Containment:** Internal investigation initiated immediately following discovery.
- **Eradication:** The primary stated action was contacting affected business partners to ensure the immediate deletion of any inadvertently disclosed personal information.
- **Recovery:** None specifically detailed, aside from the assurance to partners regarding data deletion.
## Lessons Learned
- **Password Reuse Vulnerability:** Widespread password reuse by users made credential stuffing highly effective against the user base.
- **Third-Party Data Governance:** Sensitive user data appears to have been accessible by a wider array of business partners than anticipated, leading to inadvertent disclosure.
- **Account Security Management:** Poor controls allowed unauthorized users to access and modify high-profile artist pages.
## Recommendations
- Mandate and enforce multi-factor authentication (MFA) for all user accounts, especially high-privilege or public-facing accounts (like artist pages).
- Review and strictly limit the scope of access granted to third-party business partners, applying the principle of least privilege to data access.
- Proactively notify users about credential security and potential exposure following large external breaches that impact credential reuse.