
Mystery tracks being 'forced' on your Spotify - Robin_Message
https://www.bbc.co.uk/news/blogs-trending-46898211
======
tikkabhuna
Very interesting! I had something that sounds similar to this a couple of
years ago.

My Spotify had a new music "Device" listed with a weird name. Frequently the
device would be selected and a song I'd never heard of would start playing,
with no sound as it went to the rogue music device.

On my Spotify account I could see a new linked application that I hadn't ever
setup. I deleted it, kicked out any logins that Spotify allowed me to do and
the problem went away for a day or so. Then it magically reappeared!

When I set up my account I did so with my Facebook account. At one point,
IIRC, you could have an account created via Facebook but that meant you always
had to log in using Facebook. They later changed this to allow you to set a
password and use either.

Assuming the worst I secured my Facebook account (password change/revoking
access/etc). No luck. What _did_ work was setting up a proper Spotify
password. I'd always logged in with Facebook and never bothered changing the
password when they added that feature. Once I changed it I could delete the
application, kick out any applications, and then it never came back.

Complete speculation: When Spotify allowed Facebook linked accounts to have a
separate password, they generated me a password that was "guessable" and
someone used it to access my account?

~~~
maslam
This literally happened to me. Unfortunately with both FB and Alexa. It's
concerning to say the least

~~~
qzy
Well, concerning... I mean, it's Spotify, not your email account.

~~~
fredoliveira
It is still their data.

~~~
maslam
Perhaps disorienting is a better word. It's really strange to see someone else
play music on your account.

------
HelenePhisher
It's quite clear to me that this is a fraud to make money. Those tracks are
produced by algorithms and played via access tokens gathered from sites like
the playlist converters floating around. Be wary of your account data and
check the access of 3rd party apps regularly.

[https://support.spotify.com/uk/account_payment_help/privacy/...](https://support.spotify.com/uk/account_payment_help/privacy/revoke-access-from-3rd-party-app/) for information on how to do that for Spotify.

~~~
usrusr
I wonder if those tracks have actually been played or if someone just found a
way to game the play counters. Lesson for anyone who ponders the idea of open
monetization models (the ever-popular vision of giving X per month and having
it automatically split up and distributed to creators proportionally to actual
consumption): there will be bad actors trying to cheat.

PS: why is your username so perfectly on topic?

~~~
HelenePhisher
Haha, yeah, it really is! ;)

The other one is a good question as well. Spotify pays out when a song has
been listened to for at least 30 seconds. This has been abused in the past as
well: [https://qz.com/1212330/a-bulgarian-scheme-scammed-spotify-fo...](https://qz.com/1212330/a-bulgarian-scheme-scammed-spotify-for-1-million-without-breaking-a-single-law/)

The article says it is not clear if the fraudsters abused existing user
accounts or set up a farm. But apparently, the songs have been played. They
all were exactly 30 seconds long - this is the minimum play time for a song to
qualify for a payout.

~~~
usrusr
> They all were exactly 30 seconds

Talk about easy to spot! Maybe the defensive team is deliberately keeping
their countermeasures low-profile (don't block anything except payout) to make
it harder for attackers to iteratively adapt? Similar to the way shadowbanning
is magnitudes more effective than banning.
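
The "exactly 30 seconds" pattern discussed in the two comments above, turned into a check. This is an added example, not code from the thread, the BBC article or anything Spotify has published: a small Python scan over constructed stream logs that flags artists whose paid streams cluster at the payout threshold. The log format, the field names, the thresholds used for flagging and the 30-second rule as implemented here are assumptions for illustration.

```python
"""Flag artists whose paid streams cluster at the 30-second payout threshold.

Added example, not from the article or any Spotify system. The log format,
field names, flagging thresholds and the 30-second payout rule as coded here
are assumptions; the sample log below is constructed.
"""
from collections import defaultdict
from statistics import median

PAYOUT_THRESHOLD_S = 30  # assumed minimum play time for a stream to be paid

# Constructed sample log, one stream per line: user,artist,track,played_seconds
SAMPLE_LOG = """\
u1,Some Real Band,Long Song,187
u2,Some Real Band,Long Song,92
u3,Some Real Band,Long Song,203
u4,Some Real Band,Long Song,45
u5,Some Real Band,Long Song,260
u1,Mystery Act,Tune 01,30
u1,Mystery Act,Tune 02,30
u2,Mystery Act,Tune 01,30
u2,Mystery Act,Tune 03,30
u3,Mystery Act,Tune 02,30
u3,Mystery Act,Tune 03,30
u4,Mystery Act,Tune 01,31
u4,Mystery Act,Tune 04,12
"""


def parse_log(text):
    """Parse the constructed CSV-ish log into (user, artist, track, seconds)."""
    streams = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        user, artist, track, seconds = line.split(",")
        streams.append((user, artist, track, int(seconds)))
    return streams


def suspicious_artists(streams, threshold=PAYOUT_THRESHOLD_S,
                       min_streams=5, ratio=0.8, slack=1):
    """Return {artist: stats} for artists with at least `min_streams` paid
    streams of which at least `ratio` end within `slack` seconds of the
    payout threshold. Streams below the threshold are unpaid and ignored."""
    by_artist = defaultdict(list)
    for _, artist, _, seconds in streams:
        if seconds >= threshold:  # only paid streams matter for payout fraud
            by_artist[artist].append(seconds)

    flagged = {}
    for artist, durations in by_artist.items():
        if len(durations) < min_streams:
            continue  # too little data to call it a pattern
        near = sum(1 for d in durations if d - threshold <= slack)
        share = near / len(durations)
        if share >= ratio:
            flagged[artist] = {
                "paid_streams": len(durations),
                "near_threshold_share": round(share, 2),
                "median_seconds": median(durations),
            }
    return flagged


if __name__ == "__main__":
    for artist, stats in suspicious_artists(parse_log(SAMPLE_LOG)).items():
        print(artist, stats)
```

Nothing in this scan touches playback; it only decides what gets paid, which is the kind of low-profile, payout-side countermeasure usrusr speculates about. Whether Spotify actually does anything like it is not something the thread or the article establishes.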

------
SmellyGeekBoy
This happened to me - apparently I spent 34 hours last year listening to a
song called "Bear Claws" by an artist called Andrew Brady. I did some digging
and all I could find was an Irish guy on Twitter with 2 tweets to his name.
The song and the artist no longer existed on Spotify last time I checked. The
odd thing is that these songs never seem to show up in my play history.

I did link Spotify to Facebook at one point, although I disabled all of my
external apps on the Facebook side a long time ago and have used my username /
password to log in ever since. I've never used a "playlist converter" or
linked anything else to Spotify, as far as I know. My password has always been
unique.

It should go without saying that if these access tokens have been breached
they really should be revoked. I imagine Spotify will finally do something
about it now that this has hit the mainstream press.

~~~
HelenePhisher
Did you disable your external apps or check them on the Spotify side as well?

[https://support.spotify.com/uk/account_payment_help/privacy/...](https://support.spotify.com/uk/account_payment_help/privacy/revoke-access-from-3rd-party-app/) for instructions.

------
joeberon
This reminds me of a brief period (1 to 2 months) that I went through with
Spotify where I'd always open my Spotify to find it playing some random music
that I'd never heard of before. Usually some generic "Ibiza mix" stuff or
something.

Yet, I tried everything to stop it, assuming I had my account compromised: I
logged out all devices, changed my password, but nothing changed until one day
it randomly stopped.

They did not change anything at all on my Spotify account, it's as if they
just used my account to play music somewhere else. They also never hijacked it
while I was using it to try and play their music, it was only when I'd log on
it would be playing some other music.

~~~
retSava
It didn't show eg "now playing on Nexus" (or something like that)?

------
bostik
Funny, to me this sounds like a hash collision. (For a map key, not the
cryptographic kind.)

Knowing only that Spotify is a large distributed system, and seeing that the
mystery tracks are short in title and length, as well as plentiful, it feels
like these tracks are ending up as collisions in a distributed hash table.

From there it'd be a matter of bubbling up top due to sorting order
properties.

~~~
Illniyar
Are you suggesting that spotify is somewhere using a hash-table without a
collision resolution method (like a linked list).

Is that something that is done in some industries? Hash collisions to me have
always been a performance problem not a correctness one.

~~~
bostik
Goodness me, no.

They could be fetching all values for a given key (for performance reasons,
since the seek for a read is surprisingly expensive). Depending on how they
then use that data, these short and plentiful tracks can end up being included
instead of dropped.

~~~
Illniyar
Sorry if I'm being obtuse but why would they be using a hash as a key instead
of a uuid? I've never heard of any distributed system (or any system) that use
hash as a key. Or are you saying there is some kind of auxiliary hash table in
use for performance somewhere?

~~~
kingosticks
Is it not fair to say that git is a distributed system using a hash as a key?

~~~
Illniyar
I suppose it is. Though it's not the sort of systems I meant in my reply.
Never even crossed my mind. P2P networks (like torrents) could probably also
count as ones.

------
JeanMarcS
I guess it’s like phone SPAM where you get a phone call from an overcharged
number and they hope some of those called will ring back (and then be charged
some euros or dollars).

Maybe they found a way to spam thousands of Spotify accounts, and hope that some
of them are gonna try to listen to some out of curiosity.

If there are enough doing that, they’ll get royalties money from really played
music, and not from pseudo played track, which might be what Spotify monitors

------
bonaldi
Accounts are unquestionably being exploited (often via reused passwords). I,
along with others I know, have found mystery people squatting in my family
plan. I had assumed they were also what were contributing to these weird
artists in my history, but perhaps not.

Why does Spotify still not have 2FA? I get that legacy connected devices will
be a problem for them, but there are ways around that.

------
hiliev
To me it sounds like someone at Spotify messed up and ran dev experiments on
the production system instead of in the staging environment.

~~~
byte1918
I initially thought the same but it's weird that some of these artists have
twitter accounts. As far as I know Spotify doesn't have any twitter support,
well, at least not on the current latest version.

------
kingosticks
Could this be done if a bad actor finds a website that embeds the Spotify
player/widget and also explicitly allows cross-origin requests?

------
mikelyons
Recently mysteriously had all my playlists deleted and lots of tracks I never
played had been played and weird playlists added in place of mine. Went and
reset all 3rd party access and reinstated my playlists and it hasn't happened
again since. I chalked it up to maybe logging in on someone else's mobile
device while travelling to play my playlist and then forgetting and then they
did it, but maybe it was bad actors over the internet. I'll never know.

------
no_gravity

    racking up thousands of listens and
    (perhaps) hundreds of pounds

I thought artists earn something like $5 per 1000 plays these days?

~~~
egoisticalgoat
According to an expert in the article, you can expect almost double that.

"[...] one expert, Mark Mulligan of Midia Research, told BBC Trending radio
that Bergenulo Five could have made about $500 to $600 (about £380 to £460)
from 60,000 streams"

~~~
schnevets
I love Spotify with two exceptions:

1. They really need to pay their artists more

2. They have no interest in their users organizing/tagging music, probably
because they want more control over what plays next via algorithms/playlists

Both of these have now culminated in a malicious actor completely ruining the
victim's user experience to make a couple hundred bucks.

------
aks232
Reused passwords that appear in breaches maybe?

~~~
egoisticalgoat
Doesn't seem to be the case, as people have already tried changing their
password.

From the article:

> On Reddit, Callum Dixon wrote: "The same Bergenulo Five keeps being played
> on my account and I've tried everything - changed my password, logged out of
> everywhere. I can't stop it!"

~~~
HelenePhisher
Sounds like he enabled a shady 3rd party app on Spotify. Access tokens do not
change when the password is changed.

~~~
kingosticks
Is that normal? Shouldn't they all be redacted when you change your password
or is it a convenience feature that they are not?
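
The question just above (do third-party access tokens survive a password change?) as an added example, not Spotify's code and not from the thread. It models an account store where linked apps hold opaque bearer tokens, and shows the weak design next to a hardened one: a per-account `cred_version` counter (an assumption, as are all class and field names) that is bumped on password change so every token issued before it stops validating, plus the per-app revocation that the "revoke access from 3rd-party app" page in the support link corresponds to.

```python
"""Third-party access tokens vs. a password change: weak and hardened designs.

Added example, not Spotify's code. `cred_version` is an assumed per-account
counter; the hardened path bumps it on password change so every earlier
token dies at once without enumerating them. Field and class names are
assumptions for illustration.
"""
import hashlib
import secrets
import time


class AccountStore:
    def __init__(self):
        self.accounts = {}  # user -> {"pw_hash": str, "cred_version": int}
        self.tokens = {}    # token -> {"user", "app", "cred_version", "exp"}

    @staticmethod
    def _hash(password):
        # Illustration only; a real service uses a slow salted KDF (argon2/bcrypt).
        return hashlib.sha256(password.encode()).hexdigest()

    def create_account(self, user, password):
        self.accounts[user] = {"pw_hash": self._hash(password), "cred_version": 1}

    def authorize_app(self, user, app, ttl_s=3600):
        """Issue an opaque bearer token to a third-party app (OAuth-style grant)."""
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {
            "user": user,
            "app": app,
            "cred_version": self.accounts[user]["cred_version"],
            "exp": time.time() + ttl_s,
        }
        return token

    def change_password(self, user, new_password, revoke_tokens=True):
        acct = self.accounts[user]
        acct["pw_hash"] = self._hash(new_password)
        if revoke_tokens:
            # Hardened path: bumping the version invalidates every token issued
            # before the change (refresh tokens included) in O(1).
            acct["cred_version"] += 1
        # Weak path (revoke_tokens=False): tokens keep working after the change,
        # which is the behaviour users in the thread describe running into.

    def revoke_app(self, user, app):
        """What a 'revoke access from 3rd-party app' page does for one app."""
        stale = [t for t, m in self.tokens.items()
                 if m["user"] == user and m["app"] == app]
        for token in stale:
            del self.tokens[token]

    def token_valid(self, token):
        meta = self.tokens.get(token)
        if meta is None or meta["exp"] < time.time():
            return False
        # The token must have been issued under the account's current credentials.
        return meta["cred_version"] == self.accounts[meta["user"]]["cred_version"]

    def active_apps(self, user):
        """Apps that still hold a live token for this user."""
        return sorted({m["app"] for t, m in self.tokens.items()
                       if m["user"] == user and self.token_valid(t)})


if __name__ == "__main__":
    store = AccountStore()
    store.create_account("alice", "hunter2")
    tok = store.authorize_app("alice", "playlist-converter")
    store.change_password("alice", "new-password", revoke_tokens=False)
    print("weak design, token still valid:", store.token_valid(tok))
    store.change_password("alice", "newer-password", revoke_tokens=True)
    print("hardened design, token still valid:", store.token_valid(tok))
```

With the version check, "change your password" and "revoke all third-party apps" become the same operation; without it, a password change leaves every previously linked app, including a rogue one, exactly as connected as before, which is why the advice in the thread to check the third-party app page separately matters.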

------
candybar
Maybe these are test accounts/artists created/used by Spotify developers? I
don't know much about their culture but if there was an actual attack with
actual consequences and these accounts were removed as a result, they would've
said something.

------
mrmrcoleman
Something similar happens to me on YouTube 2-3 times per month.

I’ll go to my subscriptions and there will be videos in there from channels
that I never subscribed to, but I’m now subscribed.

------
jatsign
Off topic but somewhat related - my corporate overlords don't let us install
anything on our workstations and the browsers we use are old and not supported
by play.spotify.com.

Any bright ideas about how I can use spotify here?

~~~
retSava
On your account on your phone, make a playlist and download it (sth like "for
offline use"), then go offline at work. Limits what you can listen to
spontaneously, but you can simply take one of the "radios", copy to playlist,
make offline at home so you download over wifi, then remove and repeat for
each day. Nature finds a way.

------
emsy
I was hacked because at the time I set up a free account I used an old default
password I'm pretty sure shows up in a leaked dataset. I suddenly noticed
messages showing up that someone played music from a device I don't own. I
changed my password and deleted all offline devices. It's entirely my fault,
still it's odd that spotify wouldn't notify me of suspicious behaviour, since
they kind of pay for it too.

------
sandrobfc
This is why I refuse to play the Discover Weekly playlist. I strongly believe
that Spotify is getting money out of made up artists, with songs put up by
algorithms in some way, and that's the best way to get them to you.

Regarding the 'hacking', it never happened to me, but it's easy to see how
troublesome that may be. But that's what we get for trusting an application
that promises to get us free music forever. It had to have drawbacks,
eventually.

~~~
peteretep
> This is why I refuse to play the Discover Weekly playlist. I strongly
> believe that Spotify is getting money out of made up artists, with songs put
> up by algorithms in some way, and that's the best way to get them to you.

Flesh this out for me, because it's hilarious. How are Spotify making money
from that, exactly? I listen to Discover Weekly most weeks, and if Spotify is
generating them, then:

A) They're creating some amazing music, so more power to them

B) They're putting a hell of a lot of work into creating back stories for
these bands

~~~
sandrobfc
They are not making money from Discover Weekly, but they make money from made-
up artists, since they don't have to pay anyone to have that music up there.
It's easy to do the math from there.

The work they have in making a few artists up is nothing compared to what they
would have to pay for an actual artist to have their albums there.

