Cyber Incident Victim: Spotify
Date: Oct 2016
Location: Sweden
Summary
Spotify's free tier inadvertently delivered malicious advertisements that automatically launched users' default browsers to malware-distributing websites without requiring interaction, impacting systems running Windows, macOS, and Ubuntu. The compromised ads executed scripts and executables capable of immediately compromising devices, prompting user reports across forums and social media. The service confirmed the issue originated from a single problematic ad, which it disabled while monitoring for further anomalies, noting only a limited subset of users were affected. This incident echoed prior security challenges involving harmful ads on the platform.
Description
On October 4, 2016, Spotify Free users began reporting that the service was automatically launching their default web browsers to malicious websites without user interaction. Initial complaints surfaced on Spotify’s community forum, with user Tonyonly detailing how the platform repeatedly redirected browsers to malware and virus-laden sites while the application remained open. Additional forum users and social media posts corroborated these issues, noting the behavior appeared linked to advertisements injected into Spotify’s Free tier. Affected systems spanned multiple operating systems, including Windows 10, macOS, and Ubuntu, indicating a platform-agnostic attack vector. The malicious pop-ups reportedly initiated system compromises immediately upon loading, bypassing the need for user clicks or downloads. Some ads distributed harmful JavaScript and Flash executables capable of triggering infections upon site visitation.

Spotify confirmed the incident within hours, attributing it to a compromised advertisement on their Free service tier. The company stated they had identified and disabled the malicious ad’s source, characterizing the event as an isolated issue impacting a small subset of users. Historical context revealed this was not Spotify’s first malware-related ad incident; in 2011, a malicious advertisement within its Windows desktop client had installed fraudulent antivirus software. The 2016 incident prompted Spotify to commit to ongoing monitoring but did not result in disclosed user data breaches or service interruptions beyond the unwanted browser behavior. No further technical details about the malware’s functionality, infection rates, or specific attacker origins were publicly confirmed by Spotify or cited in contemporaneous reports.
