Spotify Accounts Breached to Generate Streams for Fake Bands: Report

Mysterious artists such as “Bergenulo Five” and “Bratte Night” inexplicably appeared in many Spotify users’ listening histories
Spotify, June 2013 (Mario Tama/Getty Images)

Last December, many Spotify users noticed unusual activity on their accounts: unfamiliar songs mysteriously appeared in their listening history, sometimes with considerable streaming numbers. The “artists” behind these songs were likely a front for hijackers attempting to generate royalties, according to an investigation by Jonathan Griffin for the BBC. Spotify has removed the suspected artists from the service, saying in a statement, “These artists were removed because we detected abnormal streaming activity in relation to their content.”

The BBC report identified similarities between mysterious artists such as Bergenulo Five, Bratte Night, DJ Bruej, and Doublin Night, all of whom had unexpectedly appeared in users’ histories. The album art typically consisted of the title in black text over a bright color, and each album contained more than 40 short songs with mostly one-word titles. The artists have no social media presence. And on Reddit and Last.fm, their “listeners” were complaining that plays generated from their accounts were spam.

The streaming service denies that attackers racked up the plays by exploiting “access tokens,” which are the permissions that users grant to link Facebook and Spotify accounts without compromising privacy. Last September’s Facebook security breach resulted from the violation of access tokens, but the company insists that all affected tokens were canceled, the BBC reports. It is possible, instead, that an “account takeover” is to blame, the streaming service suggests. In that case, hijackers could have controlled aspects of users’ accounts without accessing their personal information. The mysterious artists appeared in October last year, not long after Spotify began allowing some artists to upload directly to the service. The BBC suggests this may have made it easier to exploit the system.

In a statement, Spotify says: “We take the artificial manipulation of streaming activity on our service extremely seriously. Spotify has multiple detection measures in place monitoring consumption on the service to detect, investigate and deal with such activity. We are continuing to invest heavily in refining those processes and improving methods of detection and removal, and reducing the impact of this unacceptable activity on legitimate creators, rights holders and our users.”