Research on Security Breaches at Spotify and other Media Streaming Sites

Select network

                   

The music streaming service, Spotify, recently experienced a significant hack that put the personal information of users in danger. The purpose of the present essay is to discuss this event, along with similar events pertaining to related websites. The essay will have four main parts.

1. The first part of the essay will provide an overview of what actually happened regarding Spotify.
2. The second part will generalize the issue and develop a broader perspective on the problem of hacking in general.
3. Then, the third part will shift into a reflection on the psychology of hackers, or why hackers attempt to undertake an endeavor such as the hacking of Spotify.
4. Finally, the fourth part will consist of an analysis of the kind of concerns that users of services such as Spotify should (or should not) have as they move into the future.

Ultius takes online security threats very seriously and periodically provides security bulletins

The Spotify security breach

To start with, then, the hack of the music streaming service Spotify entailed the personal information of many users becoming available to the public. As Perez reported on the 25th of April 2016:

A list containing hundreds of Spotify account credentials—including e-mails, usernames, passwords, account type and other details—has popped up on the website Pastebin, in what appears to be a possible security breach. After reaching out in a random sampling of the victims via email, we've confirmed that these users' Spotify accounts were compromised only days ago. (paragraph 1)

Spotify itself, of course, takes serious efforts to protect the personal information of its customers. So, the fact that such information became public implies that Spotify's protections on the personal information were not strong enough and that hackers managed to overcome those protections in some way and make the personal information available to the public.

It would seem that at least in part, Spotify responded to this hack by denying that it happened. It is possible that this is actually the truth. Jennings has quoted the following rather cynical statement made by a commenter called james_72:

"You can buy Spotify credentials online for $1 . . . along with Netflix, Hulu, and everything else. There's no hacking involved. It's idiot users clicking on phishing links" (paragraph 8).

Threats against streaming services

This kind of issue has also reportedly plagued the movie streaming services including Netflix, Hulu, and others. (see Pullen). That is, there exist several dangerous links on the Internet that, when clicked, could potentially capture the personal information of the web user. This is especially the case if the user naively enters in such information after clicking on such a link. It would seem that there are in fact many such users on the Internet, which would mean that the problem consists not of a service such as Spotify actually being hacked but rather of web users themselves simply not being cautious enough.

To an extent, however, this explanation seems too self-serving; and in any event, it surely cannot explain all instances when Spotify and other related websites have apparently leaked personal information regarding their users to the public. The simple fact is that hacking is a very serious issue within the context of the contemporary technological world, irrespective of whether hacking was specifically responsible or otherwise for the recent event regarding Spotify.

Even if Spotify was not in fact hacked in this specific situation, it is clear enough that websites such as Spotify either are hacked or at a serious enough risk of eventually getting hacked, that this problem should register within the minds of the users of such services in a more or less serious way. As such, it will now be worth turning attention to the general problem of hacking with the intention of obtaining the personal information of private citizens. This will also help shed more light on the specific problem recently faced by Spotify in particular.

The hacking problem

Virtual and online security threats are a serious problem within the contemporary world for the simple reason that some people have a great deal to gain by obtaining the personal information of random Internet users. Grimes has delineated four main reasons why a hacker might choose to hack someone.

These include "picking your pocket," "pummeling you with adware and spam,” "stealing intellectual property," and "turning you into a bot client."

The main idea is that the hacker generally wants some kind of material gain from the people that he hacks. This is easy enough to understand. In the case of hacking a Spotify account, for example, the hacker would at the very least gain free access to the musical content provided by Spotify to paying customers. The more insidious possibility, however, is that hackers may use the access to this kind of personal information as a stepping stone to a larger project involving compromising the personal information and material resources of a large number of other people as well.

The last point made above regarding "turning you into a bot client" perhaps requires further elaboration, insofar as it is the least self-explanatory of the reasons why one might hack the personal information of users of services such as Spotify. To quote Grimes again regarding this matter:

In this scenario, your computer's CPU cycles and network capacity are hijacked in an effort to send service-denying content or malware to specific targets. Small DDoS botnets involve a few thousand compromised clients; larger ones range in the hundreds of thousands. (2)

In other words, people who commit cybercrimes in the United States may seek to access not just the personal information of web users but the processing power of those users' computers in general. That processing power could then be parlayed into bigger (and probably more criminal) hacking projects, insofar as a great deal of such power is generally necessary in order to overcome the protections surrounding the most serious kinds of data and information that is available on the Internet.

Psychology of hackers

At this point, it is perhaps worth considering the psychology of the hacker himself, or why the hacker would choose to act outside of the law as he does. A comprehension of this point would likely help prevent security breaches like the one possibly affecting Spotify from occurring in the future. Part of the motivation has already been discussed above: it has to do with simple material gain. In a certain sense, there is a great deal of reason in people engaging in illegal activities, if they feel that this would be an effective way to maximize their own gain and if they feel that they would be able to get away with the activity without suffering any negative consequences.

The political philosopher Hobbes, who believed in selfish morality, suggested that every person is inherently interested in pursuing his own selfish benefit, and society and its laws are primarily necessary in order to prevent this each-for-himself mentality from degenerating into total barbarity and chaos. So, if a hacker feels that he has sufficient anonymity to pursue his own gain through illegal actions, then it is not really surprising that he would decide to follow through with those actions.

Nobility of hackers

There is, however, what could perhaps be called a more noble reason for pursuing the activity of hacking. This has to do with the simple fact that hackers are often highly motivated persons who enjoy a good challenge. As Kaplan has written:

It's long been known that hacking is a major problem—not just to personal banking accounts, but to the nation's critical infrastructure and the military's command networks. Often the best way to beat hacking is with another hacker—someone who can find and patch the holes before a bad guy can exploit them. (paragraph 5)

In a certain sense, then, hacking is a kind of applied art; and many hackers seem to derive an almost aesthetic pleasure from a job well done. Hackers who go after websites such as Spotify may simply have something like this in mind.

In this context, it is worth discussing the recent conflict that emerged between Apple and the FBI, regarding whether Apple should be forced into hacking its own security software in order to cooperate with the San Bernardino terrorism case. As Lichtblau and Goldstein have made clear, computer programmers tend to adhere to a rigorous code of honor, according to which it would be tantamount to a cardinal sin to disrupt the aesthetic beauty of a well-designed computer program.

In this context, the hacker could be conceptualized as a kind of rogue computer programmer who derives pleasure specifically from disrupting well-designed computer programs. There are, to be sure, many hackers who are simply looking for material gain, and services such as Spotify may be the victims of such hackers. However, it is worth bearing in mind that at the strictly technical level, hacking is quite hard work; and people who are motivated to become hackers would seem to often be primarily motivated by something other than (though of course in addition to) simple material gain.

Analysis of the future

Looking to the future, the important point to understand regarding the case of Spotify is that: either Spotify did in fact actually get hacked, or many users of Spotify are careless enough in their web activities to produce a situation that simulates Spotify getting hacked. As Chuang has written:

"Beginning early this week, user info emerged in three separate data dumps on Pastebin, and for some particularly unlucky users, home countries, account types, and account renewal dates were also revealed" (paragraph 2).

This is the objective fact of the matter. What is unclear, however, is whether the primary responsibility for this scenario resides with Spotify itself, with laws intended to stop cybercrimes, or with the users who engage in careless web activities over which Spotify per se would have no control whatsoever.

Indeed, Spotify's line on this matter is that the company consistently monitors websites where personal information is generally posted and that it takes efforts to notify its customers if it is detected that authentic credentials have in fact actually been made public. This suggests that carelessness among web users in sharing personal information may be one of the leading factors behind what may at first seem to be incidents of "hacking." Aside from this, though, it is worth bearing in mind that we all now live in a digital age.

We tend to give various websites personal information without really stopping to ask critical questions about how well that information will be protected against unauthorized threats. So, while it is incumbent on companies to provide the highest level of digital security possible for their customers, it is clearly also the responsibility of the customers themselves to evaluate the security of the platforms they are using before agreeing to share personal information. Without such consideration, customers may well end up inadvertently sharing personal credentials with unauthorized persons, and there would be little that any given company, including Spotify, could do to protect them.

Conclusion

In summary, the present essay has consisted of a discussion of the recent event involving the apparent hacking of Spotify. A key point that has been made within the present essay is that while it is not clear whether Spotify was in fact actually hacked or not, what is clear is that the personal information of the customers was not kept as secure as it should have been. However, this could just as easily be the fault of the customers themselves as the sport of Spotify (or related websites, in related cases). More specifically, web users need to take care to remember that they need to protect their own personal information from malicious agents.

Works Cited

Chuang, Lulu. "Spotify User? Your Account Information May Have Been Compromised." Digital Trends. 19 Feb. 2016. Web. 5 May 2016. http://www.digitaltrends.com/music/spotify-hack/.

Grimes, Roger A. "The 4 Most Likely Reasons You Were Hacked." InfoWorld. 5 Feb. 2013. Web. 5 May 2016. http://www.infoworld.com/article/2613429/security/the-4-most-likely-reasons-you-were-hacked.html.

Hobbes, Thomas. Leviathan. Cambridge: Cambridge U P, 1996. Print.

Kaplan, Fred. "Nothing Like a Challenge to Bring Out Hackers." New York Times. 30 Mar. 2016. Web. 5 May 2016. http://www.nytimes.com/roomfordebate/2016/03/30/should-hackers-help-the-fbi/nothing-like-a-challenge-to-bring-out-the-hackers.

Jennings, Richie. "Spotify Hacked? Angry Users Fight to Regain Accounts." Computer World. 26 Apr. 2016. Web. 5 May 2016. http://www.computerworld.com/article/3061304/security/spotify-hack-accounts-leaked-users-exposed-itbwcw.html.

Lichtblau, Eric, and Joseph Goldstein. "Apple Faces U.S. Demand to Unlock 9 More iPhones." New York Times. 23 Feb. 2016. http://www.nytimes.com/2016/02/.

Perez, Sarah. "Hundreds of Spotify Credentials Appear Online—Users Report Accounts Hacked, Emails Changed." Tech Crunch. 25 Apr. 2016. Web. 5 May 2016. http://techcrunch.com/2016/04/25/hundreds-of-spotify-credentials-appear-online-users-report-accounts-hacked-emails-changed/.

Pullen, John Patrick. "How to Tell if Your Netflix Account Has Been Hacked." Time. 19 Feb. 2016. Web. 5 May 2016. http://time.com/4230367/netflix-account-hacked/.