Spotify subscribers may have been hacked to stream fake ‘mysterycore’ artists

A number of seemingly fake musicians garnered tens of thousands of plays on popular on-demand streaming service Spotify in late 2018, according to a new report by the BBC. Users claim no memory of playing a number of artists that ended up on their annual year-end lists from the company, leaving them wondering how musicians they had never heard of were reportedly their favorites to listen to.

Band names like the Bergenulo Five, Bratte Night, DJ Bruej, and Doublin Night were apparently common among those affected by the issue, leading some to claim that this was evidence of a widespread hack on the service. Spotify claims that accounts have not been hacked, but has yet to explain the phenomenon in detail to those affected.

The BBC reportedly attempted to reach out to all the artists that appeared to have been part of this “mysterycore” movement and has yet to hear from any of them. That said, many of the artists had a lot in common: Each reportedly featured an album title that was in black text over a colorful background, and each artist had albums that were packed with more than 40 songs with mostly one-word titles, allowing them to be streaming a high volume of times in short order. According to the report, Bergenulu Five had nearly 60,000 streams on the service, adding up to between $500 and $600 in royalty revenue.

Some users believe that their accounts were hacked — again, a claim Spotify denies — using something called access tokens. Access tokens allow you to use one website to log into other sites, like the way that users can use Facebook to log into their Spotify accounts. Facebook reported a breach of its access token system in September 2018, in which the company said up to 50 million accounts on the service were affected. Those the company could identify as being breached were prompted to change their log-in information. Facebook claims that all affected accounts were dealt with.

For its part, Spotify appears to have attempted to remove the artists as soon as it noticed it may be an issue.

“We take the artificial manipulation of streaming activity on our service extremely seriously,” the company said in a statement to the BBC. “Spotify has multiple detection measures in place monitoring consumption on the service to detect, investigate and deal with such activity. These artists were removed because we detected abnormal streaming activity in relation to their content.”

As always, if you’re worried that your account may be compromised on any service or website, it’s important to change your password to something more secure. It’s also advisable to not use token systems and instead provide a unique password, to each site or service you use.

Editors' Recommendations