Spotify Data Breach Led to Altered User Playlists With Thousands of “Streams” of Fake Artists

Some Spotify users have reported bizarre records of unknown artists appearing in their listening playlists, with some even showing thousands of streams, according to BBC Report from last week. These are all songs that the users claim they neither searched for nor have ever actually listened to. The root of this issue could possible be related to something known as access tokens, a concept you likely interact with on a daily basis when signing in and out of apps and programs.

What makes it so strange is that upon searching for the artists online, the vast majority have little to no presence outside of Spotify. No social media pages, fan pages, or even listings of concerts. Spotify denies that this is the result of a hack, though they’ve also failed to produce a reason for these phantom artists and their modest (but still inexplicable) streaming numbers.

Spotify users started posting on social media to express their annoyance late last year, with one person mentioning their top streaming artist for the year was a group called Bergenulo Five. They, along with other groups like Bratte Night, DJ Bruej and Doublin Night, had been noticed for this strange occurrence. The users seemed to think it was due to a hack.

These artists all share a few peculiarities. They have really short songs. The albums have long track lists. They have really banal names. All of this has led to what the BBC writer proposed was a new genre — “mysterycore.” When BBC reached out to Spotify as well as many artists in question, many suddenly disappeared from the streaming service. These groups include the aforementioned Bergenulo Five, Onxyia, Cappisko, Hundra Ao, Dj Bruej, Doublin Night, Bratte Night and Funkena.

The BBC author suggests one potential cause of the “hack” that Spotify denies could be through access tokens. You’re likely familiar with these, as they’re the permissions that are granted when you attempt to log into one website or social media network to another — such as Facebook to Spotify. In September of 2018, Facebook announced they’d had a security problem which affected as many as 50 million accounts. The issue prompted Facebook users to re-enter their Spotify login details (which presumably were stolen.)

Facebook says that after recognizing the issue, they cancelled all of the tokens that were possibly compromised. However, some experts like Tim Mackey of security software company Black Duck say that certainty may not be possible. “You may end up with a certain small percentage that were missed” because it’s so complicated to identify what exactly was taken. However, Facebook insists there’s no evidence access tokens were used to access Spotify.

Matt Matasci: Music Editor at mxdwn.com - matt@mxdwn.com | I have written and edited for mxdwn since 2015, the same year I began my music journalism career. Previously (and currently) a freelance copywriter, I graduated with a degree in Communications from California Lutheran University in 2008. Born on the Central Coast of California, I am currently a few hundred miles south along the 101 in the Los Angeles area. matt@mxdwn.com
Related Post
Leave a Comment