Polyfill.io Cybersecurity Incident Disclosure

July 26, 2024

Dear valued customer/partner,

It was discovered in late June 2024 that a website powering vast portions of the Web had been taken over by a hostile actor and repurposed to inject malicious code into websites. It is estimated that about 3.5% of websites globally were compromised over the preceding year. This global-scale cybersecurity event is called the Polyfill.io Supply Chain Attack.

—————

Detailed Account

Our Engineering team discovered that the vulnerability impacted a Spectre website on July 24 and immediately raised a Security Incident. The following corrective measures were immediately put in place:
→ Inventory of compromised domains and applications
→ Removal of malicious code from all domains and applications
→ Purge/invalidation of all caches (proxies, CDNs, browsers)
→ Inventory of compromised data
→ Reset of all user passwords and sessions

A single application was found to have been compromised:
→ https://dashboard.spectre-music.com/

The following data points were put at risk and may have been accessed by non-authorized actors:
– email addresses and passwords used to gain access to the website
– first name, last name
– names of outlets where players are installed
– music/playlist-related data (e.g. name of playlist, playback schedule)
– private and public IP of music player

—————

Impact

Given that passwords were promptly reset, and considering the scope of compromised data, it is our assessment that there should be no operational, IT, or business impact for your organization.

—————

Please accept our apologies for any discomfort this event may cause. We hold ourselves to a high standard, and this event will serve to improve our security practices.

Our Engineering and Customer Support teams are available if you have any questions related to this incident.
