Spotify users believe their accounts may have been compromised after noticing fake bands appear unexpectedly in their playlists, the BBC reports.
The incident began last December when users of the music streaming service began reporting that their accounts indicated that they had frequently listened to artists they’d actually never heard of.
The unknown bands have garnered thousands of streams from unsuspecting users and have potentially earned thousands of dollars in the process.
Some of the music groups’ names include “Bergenulo Five, Bratte Night, DJ Bruej and Doublin Night.” Their songs are as short as one minute long, often contain little to no lyrics, and feature “generic cover art, and short, non-descriptive song titles.”
A search by the BBC for any content from the artists’ outside of Spotify also returned “no fan pages, no concert listings, social media accounts or even photos of the actual musicians.”
Many Spotify users shared their confusion on Twitter after noticing the bands mysteriously appear among their top artists for the year 2018.
My @Spotify got hacked into this year, so I've no idea who DJ Echores or Bergenulo Five are… but "The Louder I Call, The Faster It Runs" by @wyeoak is seriously special.
— GRAEME (@FossilArcade) December 10, 2018
Highly recommended to all high jackers and account thieves everywhere. pic.twitter.com/mo9moUbSRl
Although the BBC says that Spotify failed to respond to their initial inquiries about the issue, the fake bands all disappeared not long after the article was published.
A cybersecurity graduate who also experienced the problem speculated that the incident could be linked to access tokens, which, for example, allow a user to log into Spotify with their Facebook account.
Facebook announced in September 2018 that access tokens from up to 50 million accounts had been compromised, although the number was eventually lowered to 30 million.
Although Facebook says it canceled access token for all affected accounts at the time, experts suggest that some may have been overlooked, which could explain why Spotify accounts are being forced to generate streams and possibly revenue for fake bands.
Spotify eventually confirmed to the BBC that the unknown artists had been removed from the platform but declined to say whether they had been paid.
“We take the artificial manipulation of streaming activity on our service extremely seriously,” the company said. “Spotify has multiple detection measures in place monitoring consumption on the service to detect, investigate and deal with such activity.”
Spotify also denied that the suspicious activity was tied to Facebook access tokens but failed to explain how accounts had been accessed.
While many unknowns remain, it appears entirely likely that someone has made off with thousands of dollars in the fake band debacle.
H/T BBC