On the 4th of March, Spotify, the online music streaming service, posted a notice on their blog that “a group” had managed to “compromise their protocols” and gain access to information including password hashes, addresses, birth dates, gender, postal codes and billing receipt details.
Spotify don’t detail in the bulletin how the attack took place, but do note that it was made possible by a bug that they had repaired back on the 19th December 2008.
Given the relatively remote possibility that account passwords were actually compromised, you have to admire the folks over at Spotify for coming so publicly clean about this and for making sure they individually contacted every account owner that may have been at risk.
Spotify haven’t gone public over exactly how the information was accessed, but it’s never a bad idea to restate a few best practices for securing web applications:
- Keep them patched.
- NEVER store sensitive data in clear text.
- Get them regularly vulnerability scanned from the inside as well as the outside.
- Use strong authentication (two-factor) if you are only serving a limited user population or if the data you are holding is particularly sensitive. Cookies can lead to session hijacking…
- Bounds checking of input data helps to avoid buffer overflows and SQL injection type attacks.
- Provide access to information on a Need to Know basis and always provide it with Least Privilege.
- Don’t provide detailed error information to browsers; you don’t expect your customers to debug your application, so don’t give up that error message.
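As an added example (not from the Spotify post, and nothing to do with Spotify’s actual code), here is a small user store that puts three of the practices above into code: passwords are stored as salted PBKDF2 hashes rather than clear text, account lookups use parameterized SQL so that login input cannot rewrite the query, and the browser only ever receives a generic error while the details go to the server log. The schema, function names, iteration count and sample accounts are all assumptions made for this example.

```python
"""Added example: salted password hashing, parameterized queries and
generic client-facing errors in one small in-memory user store.
Everything here (schema, names, sample data) is constructed for illustration."""
import hashlib
import hmac
import logging
import os
import sqlite3

# Assumption: a work factor suitable for current hardware; raise it over time.
PBKDF2_ITERATIONS = 600_000
log = logging.getLogger("userstore")


def hash_password(password: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Return (salt, digest). A fresh 16-byte salt per user means two users with
    the same password get different digests, which defeats precomputed tables."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def open_store() -> sqlite3.Connection:
    """Create an in-memory SQLite store; only the salt and digest are kept."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT PRIMARY KEY, salt BLOB, digest BLOB)")
    return conn


def valid_email(email: str) -> bool:
    """Bounds and shape check on untrusted input before it reaches the database."""
    return 3 <= len(email) <= 254 and email.count("@") == 1 and " " not in email


def register(conn: sqlite3.Connection, email: str, password: str) -> None:
    if not valid_email(email):
        raise ValueError("malformed email")
    salt, digest = hash_password(password)
    # Placeholders: the driver binds the values, it never splices them into SQL text.
    conn.execute("INSERT INTO users (email, salt, digest) VALUES (?, ?, ?)",
                 (email, salt, digest))


def verify_login(conn: sqlite3.Connection, email: str, password: str) -> bool:
    """Parameterized lookup plus constant-time digest comparison."""
    if not valid_email(email):
        return False
    row = conn.execute("SELECT salt, digest FROM users WHERE email = ?",
                       (email,)).fetchone()
    if row is None:
        # Do the same amount of hashing work so response time does not
        # reveal whether the account exists.
        hash_password(password, b"\x00" * 16)
        return False
    salt, stored = row
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)


def login_response(conn: sqlite3.Connection, email: str, password: str) -> dict:
    """What the browser sees: a status and a generic message, nothing more.
    Stack traces and database errors are logged server-side only."""
    try:
        ok = verify_login(conn, email, password)
    except Exception:
        log.exception("login error for %r", email)
        return {"status": 500, "error": "Login temporarily unavailable"}
    if not ok:
        return {"status": 401, "error": "Invalid email or password"}
    return {"status": 200}


def unsafe_lookup(conn: sqlite3.Connection, email: str):
    """The 'before' pattern, kept only for contrast: building the statement by
    string concatenation lets the input change the query's meaning."""
    return conn.execute("SELECT email FROM users WHERE email = '" + email + "'").fetchone()


if __name__ == "__main__":
    db = open_store()
    register(db, "alice@example.com", "correct horse battery staple")
    print(login_response(db, "alice@example.com", "correct horse battery staple"))
    print(login_response(db, "alice@example.com", "guess"))
```

The contrast worth noticing is between `verify_login` and `unsafe_lookup`: with a parameterized query a value such as `x' OR '1'='1` is just a string that matches no account, whereas concatenated into the SQL text it matches every row. The `valid_email` check is the "bounds checking" item from the list; it is a cheap first line of defence, but the parameter binding is what actually removes the injection.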