A number of Spotify listeners are encountering unknown artists in their play histories, something that appears connected to a 2018 security breach at Facebook.
One of the now-removed 'mysterycore' artists.
The bands include names like "Bergenulo Five," "Onxyia," and "Dj Bruej," whose songs are short and simply named with few to no lyrics and generic cover art, BBC News said on Friday. The acts have no social media presence or concert listings, and BBC attempts to contact them were futile.
They've nevertheless racked up tens of thousands of streams in some instances, enough to earn hundreds of dollars in royalties, though Spotify declined to say whether it had actually issued any payouts. Most or all of the artists have been purged from the service following BBC inquiries.
Many listeners only discovered the issue recently when Spotify launched an option to share 2018 music habits on the Web, learning that the mystery bands had somehow made it into their top five even though they had never heard of or searched for them. It's unknown exactly how many people have been impacted.
This prompted at least some to assume their accounts had been hacked, yet even people who logged out and changed their passwords were still encountering the problem. Spotify said it has "multiple detection measures in place" to counter fraudulent streaming, though if so it's not clear why they didn't catch the mystery artists until they were pointed out.
In September 2018 Facebook acknowledged that hackers exploited a Web vulnerability to steal nearly 50 million access tokens. While Facebook said it cancelled any tokens affected by the incident, some could theoretically have been missed and used to log into Spotify accounts.
Logging in through Facebook is an option for Spotify listeners who don't want to resort to manual logins, and the first mystery artists began appearing in October. Spotify also opened direct artist uploads in September, helping independent artists who previously had to go through record labels and publishers.
Apple Music would be invulnerable to such an exploit unless hackers somehow got their hands on an Apple ID access token. Even then, Apple is believed to exert tighter restrictions on who can submit music.