If you've got mystery artists in your Spotify history, here's why
Roger FingasOne of the now-removed 'mysterycore' artists.
A number of Spotify listeners are encountering unknown artists in their play histories, something that appears connected to a 2018 security breach at Facebook.
The bands include names like "Bergenulo Five," "Onxyia," and "Dj Bruej," whose songs are short and simply named with few to no lyrics and generic cover art, BBC News said on Friday. The acts have no social media presence or concert listings, and BBC attempts to contact them were futile.
They've nevertheless racked up tens of thousands of streams in some instances, enough to earn hundreds of dollars in royalties, though Spotify declined to say whether it had actually issued any payouts. Most or all of the artists have been purged from the service following BBC inquiries.
Many listeners only discovered the issue recently when Spotify launched an option to share 2018 music habits on the Web, learning that the mystery bands somehow made it into their top five despite never hearing about or searching for them. It's unknown exactly how many people have been impacted.
This prompted at least some to assume their accounts had been hacked, yet even people who logged out and changed their passwords were still encountering the problem. Spotify said it has "multiple detection measures in place" to counter fraudulent streaming, though if so it's not clear why they didn't catch the mystery artists until they were pointed out.
In September 2018 Facebook acknowledged that hackers exploited a Web vulnerability to steal nearly 50 million access tokens. While Facebook said it cancelled any tokens affected by the incident, some could theoretically have been missed and used to log into Spotify accounts.
Facebook is an option for listeners who don't want to resort to manual logins, and the first mystery artists began appearing in October. Spotify also opened direct artist uploads in September, helping independent artists who previously had to go through record labels and publishers.
Apple Music would be invulnerable to such an exploit unless hackers some how got their hands on an Apple ID access token. Even then Apple is believed to exert tighter restrictions on who can submit music.
Malcolm Owen
Amber Neely
Andrew Orr
William Gallagher
Christine McKee
2 Comments
NEVER use your FB login credentials to log into ANY other service. Every website login should be unique, and this is a mild example of why.
Is this original research and the root cause, or is it conjecture? It seems to be conjecture because from my limited understanding of OAuth, the credentials are only good per session (can override) and per site. Otherwise you'll have to re-authenticate i.e. get another token. OpenID/OAuth is way safer than getting the user to enter a password and was designed to prevent scenarios like what was claimed.