Spotify, one of the most popular streaming music services in the world, revealed on May 27 that its Google (GOOG +1.87%)(GOOGL +1.78%) Android app had been hacked. However, unlike eBay's (EBAY +2.40%) disastrous data breach, which could potentially affect up to 233 million registered accounts, Spotify's data breach strangely only affected one unlucky user.
Source: Wikimedia Commons.
In a blog post, Spotify CTO Oskar Stål stated that there was evidence that a single user's data had been accessed, but it "did not include any password, financial, or payment information." The company has asked that its customers reenter their usernames and passwords as a "general precaution," and that it will release a mandatory update for the Android app soon. Offline playlists will need to be redownloaded in the new version.
Although Spotify's data breach sounds relatively mild compared to recent attacks against Adobe, Target, and eBay, the attack on Spotify highlights the fact that no online service should consider itself safe from hackers.
A timely response
Spotify moved quickly to contain the threat and clearly inform its 40 million active users about the issue. There was no mass panic or confusion about the nature of the breach.
By comparison, eBay failed to identify its data breach for three months, then waited two weeks after noticing it to inform the public. It then posted inadequate information and broken links on its main website, and failed to inform customers in a timely manner via email.
However, that's not to say that Spotify is off the hook just yet. Dwayne Melancon, CTO of security firm Tripwire, told BBC that the attack could have merely been a "proof of concept" attack to demonstrate that the service could be hacked. Melancon also noted that it was likely a "re-usable, broadly applicable attack method," which could possibly affect older versions of the Spotify app.
In other words, this could have been a dry run for attacks on much bigger streaming services, such as market leader Pandora (P +0.00%) Pandora, which had 75.3 million active listeners at the end of March.
What does this tell us about Android?
It's not surprising that the hack on Spotify struck its Android app, and not its iOS one. Due to Android's rising popularity -- it has a 78% global market share in smartphones and a 62% market share in tablets -- it has become an increasingly popular target for hackers.
Spotify's Android app. Source: Google Play.
Android is suffering from the same problem that plagued Microsoft (MSFT +0.04%) Windows in the past -- it is being targeted by hackers who want to inflict maximum damage. Windows Phone, for example, is generally considered less vulnerable than Android because it makes little sense to target an operating system that only accounts for 3% of the market.
Last November, F-Secure released a startling report that revealed that 97% of all mobile malware targets Android devices. Juniper Networks and CNET also reported that mobile malware surged 614% between March 2012 and March 2013, compared to 155% growth in the prior year.
As a result, many Android users are now advised to install anti-virus software on their devices, despite former Google CEO Eric Schmidt's bold claim last October that Android devices were "more secure" than iPhones.
What does this tell us about Spotify and Pandora?
In a previous article, I compared Spotify's business model to Pandora's. Although the two companies seem superficially similar, they make money in very different ways. The majority of Spotify's revenue comes from paid subscribers, while the majority of Pandora's comes from advertising.
The two companies are essentially inverted images of each other -- 85% of Spotify's revenue comes from subscriptions and 15% comes from advertising, while 28% of Pandora's revenue comes from subscriptions and 72% is generated by ads.
However, both companies face the same challenge -- big royalty rates paid to the recording industry. Spotify pays nearly 70% of its revenue to rights holders. Last quarter, Pandora paid 56% of its revenue to rights holders. After those royalties are deducted along with other operating expenses, there's not much room for a profit. Pandora finished last quarter with a net loss of $29 milion, or $0.14 per share. Spotify, which is privately held, reported a net loss of $78 million in 2012.
This means that to realize a profit, Spotify and Pandora have to cut costs. When we consider the fact that eBay -- one of the largest e-commerce sites in the world with $16 billion in annual revenue -- failed to invest in adequate security technology, the problem becomes clear -- how can Spotify and Pandora, which already have enough trouble preserving their bottom lines, invest in the technology to protect millions of listeners worldwide?
The bottom line
In conclusion, Spotify clearly dodged a bullet by responding to the data breach in a calm and quick manner. However, this might only be the tip of the iceberg for data breaches against other streaming services.
Companies need to invest more heavily in securing their user data, and be ready to execute clear plans of action if data breaches occur. One big blunder, as eBay has learned the hard way, can undo years of trust and goodwill within a few days.
