- Baltimore still refuses to pay hackers who hit city with ransomware Today 5:34 PM
- Net neutrality advocates slam ‘extremely troubling’ letter circulating among some House Dems Today 4:52 PM
- Moms and grandmas are infiltrating TikTok Today 4:35 PM
- Did Britain’s head Brexiter hide in a bus to avoid getting hit by a milkshake? Today 4:26 PM
- This woman who thought she saw a handmaid about to jump from a building is very relieved Today 4:18 PM
- Michael Avenatti allegedly defrauded Stormy Daniels to pay for a Ferrari Today 3:53 PM
- HBO has no plans for an Arya Stark spinoff series Today 3:28 PM
- Republicans and Democrats agree on dangers of facial recognition tech Today 3:18 PM
- Amazon is using video games and ‘swag bucks’ to incentivize workers Today 3:04 PM
- Here’s what’s coming and going on Netflix in June Today 2:46 PM
- This Michael Jackson makeup meme is sweeping TikTok Today 2:45 PM
- Homophobic preacher wants Pete Buttigieg to renounce fisting and rimming Today 2:33 PM
- ‘The Liar, the Snitch, and the War Crimes’: Twitter roasts news of Trump Jr. book deal Today 12:36 PM
- Polar Peak in Fortnite is cracking, and players think a dragon may be beneath the ice Today 12:07 PM
- ‘Rise of Skywalker’ first look reveals mysterious new characters Today 12:00 PM
Experts suspect hack after Spotify accounts forced to stream fake bands
Is someone earning thousands of dollars by generating listens for fabricated artists?
Spotify users believe their accounts may have been compromised after noticing fake bands appear unexpectedly in their playlists, the BBC reports.
The incident began last December when users of the music streaming service began reporting that their accounts indicated that they had frequently listened to artists they’d actually never heard of.
The unknown bands have garnered thousands of streams from unsuspecting users and have potentially earned thousands of dollars in the process.
Some of the music groups’ names include “Bergenulo Five, Bratte Night, DJ Bruej and Doublin Night.” Their songs are as short as one minute long, often contain little to no lyrics, and feature “generic cover art, and short, non-descriptive song titles.”
A search by the BBC for any content from the artists’ outside of Spotify also returned “no fan pages, no concert listings, social media accounts or even photos of the actual musicians.”
Many Spotify users shared their confusion on Twitter after noticing the bands mysteriously appear among their top artists for the year 2018.
Highly recommended to all high jackers and account thieves everywhere. pic.twitter.com/mo9moUbSRl
— Graeme – FossilArcade (@FossilArcade) December 10, 2018
Although the BBC says that Spotify failed to respond to their initial inquiries about the issue, the fake bands all disappeared not long after the article was published.
A cybersecurity graduate who also experienced the problem speculated that the incident could be linked to access tokens, which, for example, allow a user to log into Spotify with their Facebook account.
Facebook announced in September 2018 that access tokens from up to 50 million accounts had been compromised, although the number was eventually lowered to 30 million.
Although Facebook says it canceled access token for all affected accounts at the time, experts suggest that some may have been overlooked, which could explain why Spotify accounts are being forced to generate streams and possibly revenue for fake bands.
Spotify eventually confirmed to the BBC that the unknown artists had been removed from the platform but declined to say whether they had been paid.
“We take the artificial manipulation of streaming activity on our service extremely seriously,” the company said. “Spotify has multiple detection measures in place monitoring consumption on the service to detect, investigate and deal with such activity.”
Spotify also denied that the suspicious activity was tied to Facebook access tokens but failed to explain how accounts had been accessed.
While many unknowns remain, it appears entirely likely that someone has made off with thousands of dollars in the fake band debacle.
Mikael Thalen is a tech and security reporter based in Seattle, covering social media, data breaches, hackers, and more.