Spotify has admitted that it has been the victim of a security exploit and apologised to users infected via a malware-riddled advert that appeared on the Windows desktop version of the popular music streaming platform.
The malvertising incident first struck on 24 March at 11.30am UK time. The worrying aspect is that users did not need to click the infected ad for it to reach their machines: merely displaying the ad loaded the Blackhole Exploit Kit, a drive-by attack that ran without Spotify users noticing anything.
"The application will render the ad code and run it as if it were run inside a browser," said Websense's Patrik Runald.
"This means that the Blackhole Exploit Kit works perfectly fine and it's enough that the ad is just displayed to you in Spotify to get infected; you don't even have to click on the ad itself.
"So if you had Spotify open but running in the background, listening to your favourite tunes, you could still get infected."
The rogue advert directed the client's embedded renderer to a site hosting the exploit kit, which tried exploits for several vulnerabilities in turn. If one succeeded, the payload installed the fake anti-virus program Windows Recovery.
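The mechanism above is that ad markup handed to the desktop client ran with full browser semantics, so a hidden frame or script inside the creative could fetch the exploit-kit landing page with no user action. The following is an added illustration of the kind of pre-render check an ad pipeline can apply; it is not Spotify's or any ad network's code. It walks a creative with Python's standard-library HTML parser, refuses anything carrying active content (script, iframe, object, inline event handlers, `javascript:` or `data:` URLs) or referencing a host outside an allowlist, and re-emits the remainder as inert markup. The allowlist and the two sample creatives are constructed for the example.

```python
"""Static policy check on third-party ad creatives before an embedded
renderer (a browser control inside a desktop client) can execute them.
Added illustration, not Spotify's or any ad network's code; the hosts and
creatives below are constructed for the example."""
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Elements that execute code, load other documents, or alter page policy.
ACTIVE_TAGS = {"script", "iframe", "frame", "object", "embed",
               "applet", "meta", "link", "form", "base"}
VOID_TAGS = {"img", "br", "hr", "meta", "link", "embed", "input", "source", "param"}
URL_ATTRS = {"src", "href", "data", "action"}
BLOCKED_SCHEMES = ("javascript:", "data:", "vbscript:")


class CreativeAuditor(HTMLParser):
    """Walks the creative once, recording violations and rebuilding inert markup."""

    def __init__(self, allowed_hosts):
        super().__init__(convert_charrefs=True)
        self.allowed_hosts = {h.lower() for h in allowed_hosts}
        self.findings = []     # policy violations, in document order
        self.clean = []        # fragments of the sanitized creative
        self._skip_depth = 0   # > 0 while inside a dropped active element

    def _url_ok(self, tag, attr, value):
        raw = (value or "").strip()
        low = raw.lower()
        if low.startswith(BLOCKED_SCHEMES):
            self.findings.append(f"<{tag} {attr}> uses {low.split(':', 1)[0]}: URL")
            return False
        host = urlparse(raw).hostname
        if host is None:       # relative URL: resolves against the ad server itself
            return True
        if host.lower() not in self.allowed_hosts:
            self.findings.append(f"<{tag} {attr}> references non-allowlisted host {host}")
            return False
        return True

    def _emit_start(self, tag, attrs):
        kept = []
        for name, value in attrs:
            name = name.lower()
            if name.startswith("on"):          # inline event handlers run script
                self.findings.append(f"<{tag}> event handler {name} removed")
                continue
            if name in URL_ATTRS and not self._url_ok(tag, name, value):
                continue
            kept.append(f" {name}" if value is None
                        else f' {name}="{html.escape(value, quote=True)}"')
        self.clean.append(f"<{tag}{''.join(kept)}>")

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(f"active element <{tag}> dropped")
            if tag not in VOID_TAGS:           # void elements never get an end tag
                self._skip_depth += 1
            return
        if not self._skip_depth:
            self._emit_start(tag, attrs)

    def handle_startendtag(self, tag, attrs):  # the <tag ... /> form
        if tag in ACTIVE_TAGS:
            self.findings.append(f"active element <{tag}> dropped")
        elif not self._skip_depth:
            self._emit_start(tag, attrs)

    def handle_endtag(self, tag):
        if tag in ACTIVE_TAGS:
            if tag not in VOID_TAGS and self._skip_depth:
                self._skip_depth -= 1
        elif not self._skip_depth and tag not in VOID_TAGS:
            self.clean.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:               # this also drops <script> bodies
            self.clean.append(html.escape(data, quote=False))


def audit_ad_creative(creative, allowed_hosts):
    """Any violation rejects the creative; the sanitized markup is an inert fallback."""
    auditor = CreativeAuditor(allowed_hosts)
    auditor.feed(creative)
    auditor.close()
    return {"accepted": not auditor.findings,
            "findings": auditor.findings,
            "sanitized": "".join(auditor.clean)}


# Constructed sample data, not real ad creatives.
ALLOWED_HOSTS = ["ads.example.net", "cdn.example.net"]
CLEAN_CREATIVE = ('<a href="http://ads.example.net/click?id=1">'
                  '<img src="http://cdn.example.net/banner.png" alt="ad"></a>')
HOSTILE_CREATIVE = ('<a href="http://ads.example.net/click?id=2" onmouseover="alert(1)">'
                    '<img src="http://cdn.example.net/banner.png"></a>'
                    '<iframe src="http://landing.example.org/index.php" '
                    'width="1" height="1"></iframe>'
                    '<script>document.write("x")</script>')

if __name__ == "__main__":
    for label, creative in (("clean", CLEAN_CREATIVE), ("hostile", HOSTILE_CREATIVE)):
        verdict = audit_ad_creative(creative, ALLOWED_HOSTS)
        print(label, "accepted" if verdict["accepted"] else "rejected")
        for finding in verdict["findings"]:
            print("  -", finding)
```

The policy is deliberately strict: a creative is rejected on the first violation rather than quietly repaired, because a one-pixel iframe or an event handler in an ad is a signal about the supplier, not a formatting slip. A static check like this is only one layer; the client should also render ads in a sandboxed, script-disabled control so that a creative which slips through still cannot load an exploit-kit page.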
Users with genuine anti-virus protection should have been safe, and Spotify removed all third-party adverts as a precaution as soon as it became aware of the incident. Because the attack arrived through advertising, only users of the ad-supported free tier were affected.
"We sincerely apologise to any users affected. We'll continue working hard to ensure this does not happen again and that our users enjoy Spotify securely and in confidence," read a statement from the Swedish digital music giant.
Avast has stated that 59 per cent of attacks occurred in Sweden, with 40 per cent of infection reports coming from the UK.