An investigation by the BBC has explored the phenomenon of Spotify users who discovered in late 2018 that their accounts had been streaming music by artists they'd never heard of.
When Spotify unveiled its year-end streaming summary app in 2018, users were surprised to see artists with names like Bergenulo Five, Funkena, Hundra Ao, and Doublin Night. The BBC discovered common threads connecting the artists' profiles on Spotify: the artists usually employed cover art of black text over a bright colored background, songs with single word titles and short lengths, and did not exist on social media or IRL outside of Spotify. In a statement, Spotify said the fake artists have been removed from the service due to "abnormal streaming activity."
The BBC has deduced that the fake artists were likely used to generate royalty payments from the bogus streams. One artist, Bergenulo Five, reportedly generated over 60,000 streams, which one expert says could have led to a payout of between $500 to $600.
It is unclear how user accounts were breached to generate the streams. One theory involves "access tokens," which links users Facebook and Spotify accounts. In September 2017 Facebook announced that up to 50 million accounts may have had security permissions compromised - Facebook claims the affected tokens were all shut down, but security expert Tim Mackey told the BBC there's a chance that some of them could have been missed. Spotify has floated the possibility of an "account takeover," where Spotify accounts were compromised while personal information remained unaffected.
Read Spotify's statement to the BBC below:
“We take the artificial manipulation of streaming activity on our service extremely seriously. Spotify has multiple detection measures in place monitoring consumption on the service to detect, investigate and deal with such activity. We are continuing to invest heavily in refining those processes and improving methods of detection and removal, and reducing the impact of this unacceptable activity on legitimate creators, rights holders and our users.”