Spotify, the world’s most popular music streaming service, is investigating a possible cybersecurity incident that may have exposed nearly its entire catalog. The scale of the case has raised alarms among users, artists, and technology experts, as it could represent one of the largest exposures ever recorded within the music streaming ecosystem.
The incident has been attributed to the so-called “archivist” collective known as Anna’s Archive, which claims to have obtained information associated with approximately 99.6% of the music catalog available on the platform.
Anna’s Archive describes itself as a nonprofit, open-source digital library focused on centralizing and facilitating free access to books, academic articles, and other digital content. Its actions, which often generate controversy, are carried out under the premise of preserving and disseminating knowledge, even when some of the material is protected by copyright.
Spotify Hack: What Does It Mean That 99.6% of the Music Is Affected?
Spotify reported that it disabled several accounts linked to a hacktivist collective that claimed to have “copied” millions of music files and large volumes of metadata from its streaming platform.
In a post on its blog, Anna’s Archive stated that it managed to copy 86 million songs along with metadata from 256 million tracks using a technique known as scraping, with the goal of building a so-called open archive for music preservation.
According to the group itself, those 86 million audio files would represent more than 99.6% of listening activity on Spotify, while the metadata collection would cover 99.9% of the platform’s total catalog.
The incident, which reportedly did not affect user accounts or personal data, implies that, at least in theory, this information could be used to create an alternative, freely accessible music archive. However, in practice, any such initiative would quickly face legal action from rights holders.
Spotify confirmed its response to these activities. “The company identified and disabled malicious user accounts involved in illegal scraping practices,” the company said in an official statement.
What Is Scraping and Why Is It Considered an Illegal Practice?
Scraping is a technique that allows the automated extraction of large volumes of information from a digital platform, typically without the service provider’s consent. This method often exploits public interfaces or vulnerabilities to collect data at scale.
While scraping can have legitimate uses in certain contexts, in this case it was allegedly used to copy music and metadata protected by copyright, making it an illegal practice. In theory, the obtained information could be used to create free-access music archives, but any attempt to distribute or reuse such content would be swiftly challenged by copyright holders.

Spotify Disables Accounts and Strengthens Its Security Systems
After detecting irregular activity, Spotify said it acted immediately. The company confirmed that it identified and disabled accounts linked to malicious users involved in illegal scraping practices, according to an official statement.
In addition to shutting down these access points, the platform said it implemented new security barriers to reduce the risk of similar incidents recurring and that it continues to closely monitor suspicious behavior across its service.
Spotify used the incident to reiterate its stance against digital piracy and its commitment to protecting music content. The company explained that it has reinforced security measures specifically aimed at preventing attacks on copyright, while also intensifying active monitoring across its ecosystem.
In this regard, it emphasized its support for creators and the music industry. The company recalled that, since its early days, it has worked alongside artists and industry partners to defend copyright and protect the value of content against unauthorized use.
An Incident With No Impact on Users
Finally, Spotify stressed that the episode had no impact on users, as no accounts, personal data, or payment methods were compromised. According to the company, the issue was limited exclusively to the unauthorized extraction of content.
The platform stated that it will continue strengthening its security systems to protect its music catalog and prevent third parties from using the service for illegal purposes.
