Are Your Employees Using Spotify During Work? Be Aware of Data Breaches
It’s not uncommon for employers to allow members of their staff to use non-work-related applications during work hours. Allowing use of applications such as games, streaming music, or personal social media accounts seems like a relatively minor and benign compromise between an employee’s work and personal life. While the practice may seem harmless on the surface, hackers and data thieves are always looking for opportunities to exploit users and gain personal information, or worse.
In this article we will discuss the most recent data breaches experienced by Spotify, a popular streaming music service. We’ll go into what type of information was stolen, as well as another reason why the use of the Spotify streaming music service should be discouraged by employers.
What Happened to Spotify?
In early December 2020, Spotify alerted the state of California’s attorney general’s office to a recent data breach their company experienced. They also sent a letter to affected users revealing that personal information may have inadvertently been exposed to some of Spotify’s “business partners,” including:
- Email addresses and passwords
- Spotify account registration information
- Personal information such as date of birth and gender
However, Spotify failed to disclose the actual names of the business partners, and in fact never disclosed the breach to the public at all. The public only learned about the data hack after Spotify filed their data breach notification with the state of California. Also noteworthy is the fact that the data breach discussed in the letter was actually the third data breach experienced by Spotify in less than a month. In addition, the software vulnerability responsible for the breach had actually existed as far back as April 9, 2020.
One of the primary vulnerabilities of Spotify is that they still haven’t instituted two-factor authentication for users logging into their services. This, along with the fact that millions of hacked Spotify accounts are available on the dark web for as little as $1, makes users an easy target. Unfortunately, many users still have one main password they use for many of their accounts, including work-related logins. It’s very easy for hackers to discover the username and password belonging to a Spotify account, then plug the same information into a user’s other accounts. Although Spotify’s letter did mention they were forcing users to change their Spotify password, they did not take the additional step of advising users to change the username and password on other accounts if they were the same as the user’s Spotify login credentials. This oversight has the potential to leave both the user’s other personal accounts and their work-related accounts vulnerable to exploitation.
Both users and employers alike may be surprised to learn that Spotify actually does not allow their streaming service to be used in a place of business. Per their own website, Spotify services are for personal use only and are not to be used for commercial purposes. Not only does this mean that a user is in violation of the terms and conditions as set forth by Spotify, it also means the establishment they work for could run into legal trouble with Spotify.
The data breaches experienced by Spotify users are just one of many examples that show why employers should discourage their employees from using company-owned computer equipment for personal use. It’s important for companies to understand the downside associated with allowing staff to use non-work-related applications in a corporate setting.
If you are ready to develop a business computer use policy for your organization, we can help. Our expert IT team can guide you through the process of discovering potential vulnerabilities to your organizational data, then create a comprehensive plan that will protect one of your most valuable assets, your digital information. Please contact us today to schedule an appointment for a private consultation.
Eric is a Business IT cybersecurity advisor, consultant, manager, integrator, and protector who founded EVERNET in 2007. Eric co-hosts a podcast called “Finance and Technology Insights by Brian & Eric” on YouTube. Eric is a regular contributor to the EVERNET blog, writing about the latest technology news and providing his expertise in cyber security prevention and management.