Mystery tracks being 'forced' on your Spotify (bbc.co.uk)
93 points by Robin_Message 23 days ago | 62 comments

Very interesting! I had something that sounds similar to this a couple of years ago.

My Spotify had a new music "Device" listed with a weird name. Frequently the device would be selected and a song I'd never heard of would start playing, with no sound as it went to the rogue music device.

On my Spotify account I could see a new linked application that I hadn't ever setup. I deleted it, kicked out any logins that Spotify allowed me to do and the problem went away for a day or so. Then it magically reappeared!

When I set up my account I did so with my Facebook account. At one point, IIRC, you could have an account created via Facebook but that meant you always had to log in using Facebook. They later changed this to allow you to set a password and use either.

Assuming the worst I secured my Facebook account (password change/revoking access/etc). No luck. What did work was setting up a proper Spotify password. I'd always logged in with Facebook and never bothered changing the password when they added that feature. Once I changed it I could delete the application, kick out any applications, and then it never came back.

Complete speculation: When Spotify allowed Facebook linked accounts to have a separate password, they generated me a password that was "guessable" and someone used it to access my account?

This also happened to me! I think I reported the issue to an engineer at Spotify but I never heard back. If an engineer at Spotify wants to chat about it, my email is my username @gmail.com.

This literally happened to me. Unfortunately with both FB and Alexa. It's concerning to say the least

Well, concerning... I mean, it's Spotify, not your email account.

It is still their data.

Perhaps disorienting is a better word. It's really strange to see someone else play music on your account.

I had exactly the same issue. But in my case I set up a device password that probably was in one of the PW leaks. I was listening to Spotify on my phone and suddenly it switched to a different device unknown to me and played mostly Latin songs. When I changed the device PW it stopped.

It's quite clear to me that this is a fraud to make money. Those tracks are produced by algorithms and played via access tokens gathered from sites like the playlist converters floating around. Be wary of your account data and check the access of 3rd party apps regularly.

https://support.spotify.com/uk/account_payment_help/privacy/... for information how to do that for Spotify.

I wonder if those tracks have actually been played or if someone just found a way to game the play counters. Lesson for anyone who ponders the idea of open monetization models (the ever-popular vision of giving X per month and having it automatically split up and distributed to creators proportionally to actual consumption): there will be bad actors trying to cheat.

PS: why is your username so perfectly on topic?

Haha, yeah, it really is! ;)

The other one is a good question as well. Spotify pays out when a song has been listened to for at least 30 seconds. This has been abused in the past as well: https://qz.com/1212330/a-bulgarian-scheme-scammed-spotify-fo...

The article says it is not clear if the fraudsters abused existing user accounts or set up a farm. But apparently, the songs have been played. They all were exactly 30 seconds long - this is the minimum play time for a song to qualify for a payout.

> They all were exactly 30 seconds

Talk about easy to spot! Maybe the defensive team is deliberately keeping their countermeasures low-profile (don't block anything except payout) to make it harder for attackers to iteratively adapt? Similar to the way shadowbanning is magnitudes more effective than banning.
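The thread above notes that the suspect tracks were all exactly 30 seconds long, the minimum play time for a payout. The following is an added example, not code from the article or from Spotify, showing how a defender could score a stream log for that pattern: artists whose every track sits exactly at the threshold and whose qualifying plays all stop exactly at it. The log format, the artist names and the threshold constant are constructed for the demo.

```python
"""Flag streaming activity engineered to just clear a royalty threshold.

Added example with a constructed log; the field layout and scoring rule are
assumptions for illustration, not any streaming service's real pipeline.
"""
from collections import defaultdict
from dataclasses import dataclass

PAYOUT_THRESHOLD_S = 30  # minimum seconds played for a stream to count (from the thread)

# Constructed sample log: account, artist, track, track length (s), seconds played
SAMPLE_LOG = """\
acct1,Bergenulo Five,trk-a,30,30
acct2,Bergenulo Five,trk-a,30,30
acct3,Bergenulo Five,trk-b,30,30
acct1,Bergenulo Five,trk-b,30,30
acct4,Bergenulo Five,trk-c,30,30
acct1,Real Artist,trk-x,214,214
acct2,Real Artist,trk-x,214,95
acct5,Real Artist,trk-y,187,30
acct2,Real Artist,trk-y,187,187
"""


@dataclass
class Play:
    account: str
    artist: str
    track: str
    track_len_s: int
    played_s: int


def parse_log(text: str) -> list[Play]:
    """Parse the constructed CSV layout into Play records, skipping blank lines."""
    plays = []
    for line in text.splitlines():
        if not line.strip():
            continue
        acct, artist, track, tlen, played = line.split(",")
        plays.append(Play(acct, artist, track, int(tlen), int(played)))
    return plays


def artist_score(plays: list[Play]) -> dict[str, tuple[float, float, int]]:
    """Per artist: (share of tracks whose length equals the threshold,
    share of qualifying plays that stop exactly at the threshold,
    number of qualifying plays)."""
    by_artist: dict[str, list[Play]] = defaultdict(list)
    for p in plays:
        by_artist[p.artist].append(p)

    scores = {}
    for artist, ps in by_artist.items():
        tracks = {p.track: p.track_len_s for p in ps}
        threshold_len = sum(1 for l in tracks.values() if l == PAYOUT_THRESHOLD_S) / len(tracks)
        qualifying = [p for p in ps if p.played_s >= PAYOUT_THRESHOLD_S]
        if qualifying:
            exact = sum(1 for p in qualifying if p.played_s == PAYOUT_THRESHOLD_S) / len(qualifying)
        else:
            exact = 0.0
        scores[artist] = (threshold_len, exact, len(qualifying))
    return scores


def flag_artists(plays: list[Play], min_plays: int = 3) -> list[str]:
    """Artists where every track is threshold-length and every qualifying play
    stops exactly at the threshold, given enough plays to be meaningful."""
    return sorted(
        artist
        for artist, (tl, exact, n) in artist_score(plays).items()
        if n >= min_plays and tl == 1.0 and exact == 1.0
    )


if __name__ == "__main__":
    for artist, score in artist_score(parse_log(SAMPLE_LOG)).items():
        print(artist, score)
    print("flagged:", flag_artists(parse_log(SAMPLE_LOG)))
```

A real pipeline would add the per-account view (many accounts each playing the same short catalogue once) and keep the scoring thresholds out of the payout path, in line with the comment above about not tipping off the fraudster with a visible block.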

This happened to me - apparently I spent 34 hours last year listening to a song called "Bear Claws" by an artist called Andrew Brady. I did some digging and all I could find was an Irish guy on Twitter with 2 tweets to his name. The song and the artist no longer existed on Spotify last time I checked. The odd thing is that these songs never seem to show up in my play history.

I did link Spotify to Facebook at one point, although I disabled all of my external apps on the Facebook side a long time ago and have used my username / password to log in ever since. I've never used a "playlist converter" or linked anything else to Spotify, as far as I know. My password has always been unique.

It should go without saying that if these access tokens have been breached they really should be revoked. I imagine Spotify will finally do something about it now that this has hit the mainstream press.

Did you disable your external apps or check them on the Spotify side as well?

https://support.spotify.com/uk/account_payment_help/privacy/... for instructions.

I can only find one song by Andrew Brady named "Fairytale of New York". Actually quite a good song. Also lots of lyrics - so not really the kind referred to in the article.

This reminds me of a brief period (1 to 2 months) that I went through with Spotify where I'd always open my Spotify to find it playing some random music that I'd never heard of before. Usually some generic "Ibiza mix" stuff or something.

Yet, I tried everything to stop it, assuming I had my account compromised: I logged out all devices, changed my password, but nothing changed until one day it randomly stopped.

They did not change anything at all on my Spotify account, it's as if they just used my account to play music somewhere else. They also never hijacked it while I was using it to try and play their music, it was only when I'd log on it would be playing some other music.

It didn't show eg "now playing on Nexus" (or something like that)?

Funny, to me this sounds like a hash collision. (For a map key, not the cryptographic kind.)

Knowing only that Spotify is a large distributed system, and seeing that the mystery tracks are short in title and length, as well as plentiful, it feels like these tracks are ending up as collisions in a distributed hash table.

From there it'd be a matter of bubbling up top due to sorting order properties.

Are you suggesting that Spotify is somewhere using a hash table without a collision resolution method (like a linked list)?

Is that something that is done in some industries? Hash collisions to me have always been a performance problem, not a correctness one.

Goodness me, no.

They could be fetching all values for a given key (for performance reasons, since the seek for a read is surprisingly expensive). Depending on how they then use that data, these short and plentiful tracks can end up being included instead of dropped.

Sorry if I'm being obtuse but why would they be using a hash as a key instead of a UUID? I've never heard of any distributed system (or any system) that uses a hash as a key. Or are you saying there is some kind of auxiliary hash table in use for performance somewhere?

Git was already mentioned as an example, but there is a more generic answer to your question. Look up https://en.wikipedia.org/wiki/Content-addressable_storage ; the design is basically a DHT. Key collisions are a standard feature in any hash table.

In any hash table, collisions are unavoidable. In a distributed KV store, the collision resolution might be done at a higher level, so any lookup reads all the values for a given key. The reason is simple: opportunistic caching. Sometimes you get lucky and are asked for two or more items that hash to the same key within cache expiration window. If you can avoid a read just 0.1% of the time, that's an improvement on tail latency AND it just left capacity available for other clients to do their reads.

We are all aware Spotify stores a lot of media. I know nothing about their internal architecture, but they might use hash of the track metadata as its content key. If assumptions (or "happy optimisations") about their size distribution don't hold, some extra tracks could end up getting through.
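The comment above describes a store where a lookup reads every value in a key's bucket and leaves collision resolution to a higher layer. The following is an added example, not Spotify's code or anything described in the article, that makes the point concrete: a deliberately tiny 8-bit bucket space, a constructed "real" track and a second key that lands in the same bucket, and two lookups, one that returns the whole bucket and one that verifies the full key before returning anything. The bucket width, key format and record shapes are assumptions for the demo.

```python
"""Bucket-level reads versus full-key verification in a toy hashed store.

Added example; the store, key format and bucket width are constructed for
illustration and do not describe any real streaming backend.
"""
import hashlib

BUCKET_BITS = 8  # deliberately tiny keyspace so a collision is easy to produce


def bucket_of(key: str) -> int:
    """Map a full key to one of 2**BUCKET_BITS buckets via a truncated SHA-256."""
    digest = hashlib.sha256(key.encode()).digest()
    return int.from_bytes(digest[:2], "big") & ((1 << BUCKET_BITS) - 1)


class BucketStore:
    def __init__(self) -> None:
        # bucket id -> list of (full_key, value); collisions share a list
        self.buckets: dict[int, list[tuple[str, dict]]] = {}

    def put(self, key: str, value: dict) -> None:
        self.buckets.setdefault(bucket_of(key), []).append((key, value))

    def lookup_bucket(self, key: str) -> list[dict]:
        """Return every value in the bucket, as a caller would if it skipped
        full-key verification and trusted the bucket read."""
        return [v for _, v in self.buckets.get(bucket_of(key), [])]

    def lookup(self, key: str) -> list[dict]:
        """Return only values whose stored full key matches exactly."""
        return [v for k, v in self.buckets.get(bucket_of(key), []) if k == key]


def find_colliding_key(target: str, prefix: str = "track-", limit: int = 100_000) -> str:
    """Constructed demo input: find a different key that hashes to target's bucket.
    With 256 buckets this takes a few hundred candidates on average."""
    want = bucket_of(target)
    for i in range(limit):
        cand = f"{prefix}{i}"
        if cand != target and bucket_of(cand) == want:
            return cand
    raise RuntimeError("no collision found within limit")


def demo() -> tuple[list[dict], list[dict]]:
    """Insert a real track and a colliding filler record; compare both lookups."""
    store = BucketStore()
    real = "artist:real/track:long-song"
    impostor = find_colliding_key(real)
    store.put(real, {"title": "long-song", "len_s": 214})
    store.put(impostor, {"title": "filler", "len_s": 30})
    return store.lookup_bucket(real), store.lookup(real)


if __name__ == "__main__":
    unchecked, checked = demo()
    print("bucket read returned:", unchecked)
    print("verified read returned:", checked)
```

The unverified read hands back both records, which is exactly how a short, plentiful filler entry could ride along with a legitimate one if the consumer trusts the bucket; the verified read returns only the record whose full key matches. Whatever the caching layer does, the check against the full identifier belongs somewhere before the data is acted on.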

Is it not fair to say that git is a distributed system using a hash as a key?

I suppose it is. Though it's not the sort of system I meant in my reply. Never even crossed my mind. P2P networks (like torrents) could probably also count as ones.

I could be wrong but the suggestion seems to be that plays are hashed before storage and the tracks exploit the hash algorithm in use.

That, to me, seems far less likely than simple account compromise.

Hash collisions have always been a security threat vector.

Definite hash collision, or similar id mismatch. And being included in more aggregated cohort data of suggested music by being overplayed.

I recently tried to play a track and it kept playing a completely different artist and track instead every time I clicked on it. I moaned on Twitter [1] and Spotify replied that the Linux client is not supported... Which is true, just not very helpful, when all I tried was to help them.

[1] https://twitter.com/flurdy/status/1072134634828390400

It can't be a hash collision if the mysterious tracks/artists are no longer on Spotify. If Spotify deleted the artists or tracks instead of giving them new ids, that suggests something else is going on.

If it sounds to like that

then listen closer

as you will hear nothing but silence

for those songs do not exist.

I guess it’s like phone SPAM where you get a phone call from an overcharged number and they hope some of the called will ring back (and then be charged some euros or dollars).

Maybe they found a way to spam thousands of Spotify accounts, and hope that a part of them are gonna try to listen to some out of curiosity.

If there are enough doing that, they'll get royalty money from really played music, and not from pseudo-played tracks, which might be what Spotify monitors.

Accounts are unquestionably being exploited (often via reused passwords). I, along with others I know, have found mystery people squatting in my family plan. I had assumed they were also what were contributing to these weird artists in my history, but perhaps not.

Why does Spotify still not have 2FA? I get that legacy connected devices will be a problem for them, but there are ways around that.

To me it sounds like someone at Spotify messed up and ran dev experiments on the production system instead of in the staging environment.

I initially thought the same but it's weird that some of these artists have Twitter accounts. As far as I know Spotify doesn't have any Twitter support, well, at least not on the current latest version.

Could this be done if a bad actor finds a website that embeds the Spotify player/widget and also explicitly allows cross-origin requests?

Recently I mysteriously had all my playlists deleted and lots of tracks I never played had been played and weird playlists added in place of mine. Went and reset all 3rd party access and reinstated my playlists and it hasn't happened again since. I chalked it up to maybe logging in on someone else's mobile device while travelling to play my playlist and then forgetting and then they did it, but maybe it was bad actors over the internet. I'll never know.

    racking up thousands of listens and
    (perhaps) hundreds of pounds
I thought artists earn something like $5 per 1000 plays these days?

According to an expert in the article, you can expect almost double that.

"[...] one expert, Mark Mulligan of Midia Research, told BBC Trending radio that Bergenulo Five could have made about $500 to $600 (about £380 to £460) from 60,000 streams"

I love Spotify with two exceptions:

1. They really need to pay their artists more

2. They have no interest in their users organizing/tagging music, probably because they want more control over what plays next via algorithms/playlists

Both of these have now culminated in a malicious actor completely ruining the victim's user experience to make a couple hundred bucks.

Reused passwords that appear in breaches maybe?

It was the case for me last year. I never changed the weak password that I used to create a free account. And the email address was breached in the 2012 LinkedIn hack. The attacker changed the account email to a temporary one and removed all my playlists.

Spotify reacted rapidly and restored my account in a few days. But it looks suspicious to me that the attacker was able to change my email without Spotify sending me a confirmation first (my email account was not broken). Also Spotify is missing 2FA that would have prevented this.

Doesn't seem to be the case, as people have already tried changing their password.

From the article:

> On Reddit, Callum Dixon wrote: "The same Bergenulo Five keeps being played on my account and I've tried everything - changed my password, logged out of everywhere. I can't stop it!"

Sounds like he enabled a shady 3rd party app on Spotify. Access tokens do not change when the password is changed.

Is that normal? Shouldn't they all be redacted when you change your password or is it a convenience feature that they are not?
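The two comments above raise the point that a third-party app's access token keeps working after a password change, and ask whether tokens ought to be invalidated. The following is an added example, not Spotify's implementation or anything the article describes, of one design that gives that property: each account carries a credential version, every token minted embeds the version it was issued under, and a password change bumps the version so every earlier token fails verification. The class, function and field names are assumptions for the demo; the token format is a simple HMAC-signed payload rather than any standard.

```python
"""Tokens bound to a credential version that a password change invalidates.

Added example with an in-memory account store; names, token format and
rotation policy are assumptions for illustration, not any real service's API.
"""
import base64
import hashlib
import hmac
import json
import secrets


class AccountStore:
    def __init__(self) -> None:
        self.accounts: dict[str, dict] = {}
        self.server_key = secrets.token_bytes(32)  # signs issued tokens

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def create(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[user] = {
            "salt": salt,
            "pw_hash": self._hash(password, salt),
            "cred_version": 1,  # bumped on every password change
        }

    def check_password(self, user: str, password: str) -> bool:
        acct = self.accounts[user]
        return hmac.compare_digest(acct["pw_hash"], self._hash(password, acct["salt"]))

    def change_password(self, user: str, new_password: str) -> None:
        acct = self.accounts[user]
        acct["salt"] = secrets.token_bytes(16)
        acct["pw_hash"] = self._hash(new_password, acct["salt"])
        acct["cred_version"] += 1  # every token minted before this point is now dead

    def issue_token(self, user: str, app: str) -> str:
        """Mint a token for a connected app, stamped with the current credential version."""
        payload = json.dumps({"sub": user, "app": app,
                              "ver": self.accounts[user]["cred_version"]}).encode()
        sig = hmac.new(self.server_key, payload, hashlib.sha256).digest()
        return (base64.urlsafe_b64encode(payload).decode() + "."
                + base64.urlsafe_b64encode(sig).decode())

    def verify_token(self, token: str) -> tuple[bool, str]:
        """Return (accepted, reason). Rejects forged, tampered and stale tokens."""
        try:
            payload_b64, sig_b64 = token.split(".")
            payload = base64.urlsafe_b64decode(payload_b64)
            sig = base64.urlsafe_b64decode(sig_b64)
        except ValueError:
            return False, "malformed"
        expected = hmac.new(self.server_key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return False, "bad signature"
        claims = json.loads(payload)
        acct = self.accounts.get(claims.get("sub"))
        if acct is None:
            return False, "unknown account"
        if claims.get("ver") != acct["cred_version"]:
            return False, "credentials rotated"
        return True, "ok"


def demo() -> list[tuple[bool, str]]:
    """Issue a token, rotate the password, and show the old token no longer works."""
    store = AccountStore()
    store.create("alice", "correct horse battery staple")
    old_token = store.issue_token("alice", "playlist-converter")
    results = [store.verify_token(old_token)]
    store.change_password("alice", "a different passphrase entirely")
    results.append(store.verify_token(old_token))          # stale version
    results.append(store.verify_token(store.issue_token("alice", "phone")))
    results.append(store.verify_token(old_token[:-4] + "AAAA"))  # tampered signature
    return results


if __name__ == "__main__":
    for accepted, reason in demo():
        print(accepted, reason)
```

Whether to rotate on every password change or only on an explicit "log out everywhere" is a product decision; the version stamp just makes either choice cheap, since the server never has to track or revoke individual tokens.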

Yup sounds to me like someone got a list of valid Spotify accounts from the recent big breaches, then installed an authorised app to play fake artist songs they generated, to reap in some Spotify profits?

One guy quoted in the article claims he changed his password a bunch of times and since he's a 'cybersecurity graduate' I'd expect him not to have reused passwords.

I wouldn't put much faith in anything that involves the word "cybersecurity".

I wouldn't put much faith in any graduate, frankly, regardless of discipline. Until they've had a decade to mis-apply what's in their head and make mistakes.

Maybe these are test accounts/artists created/used by Spotify developers? I don't know much about their culture but if there was an actual attack with actual consequences and these accounts were removed as a result, they would've said something.

Something similar happens to me on YouTube 2-3 times per month.

I’ll go to my subscriptions and there will be videos in there from channels that I never subscribed to, but I’m now subscribed.

Off topic but somewhat related - my corporate overlords don't let us install anything on our workstations and the browsers we use are old and not supported by play.spotify.com.

Any bright ideas about how I can use spotify here?

On your account on your phone, make a playlist and download it (sth like "for offline use"), then go offline at work. Limits what you can listen to spontaneously, but you can simply take one of the "radios", copy to playlist, make offline at home so you download over wifi, then remove and repeat for each day. Nature finds a way.

I think there are some web services which open up a web page in a specific browser version and stream that back to you. Perhaps you can try and have them run it in a newer browser.

I can't name a site off the top of my head, but googling will probably work.

The obvious thing to me seems to be BYOD e.g. smartphone or tablet you can stash in a drawer or keep in your pocket while using it for Spotify. I guess you've already thought about that and it's ruled out for some reason.

Listen on your mobile device.

Haven't used it, but perhaps Tizonia?

I was hacked because at the time I set up a free account I used an old default password I'm pretty sure shows up in a leaked dataset. I suddenly noticed messages showing up that someone played music from a device I don't own. I changed my password and deleted all offline devices. It's entirely my fault, still it's odd that spotify wouldn't notify me of suspicious behaviour, since they kind of pay for it too.

This is why I refuse to play the Discover Weekly playlist. I strongly believe that Spotify is getting money out of made up artists, with songs put up by algorithms in some way, and that's the best way to get them to you.

Regarding the 'hacking', it never happened to me, but it's easy to see how troublesome that may be. But that's what we get for trusting an application that promises to get us free music forever. It had to have drawbacks, eventually.

> This is why I refuse to play the Discover Weekly playlist. I strongly believe that Spotify is getting money out of made up artists, with songs put up by algorithms in some way, and that's the best way to get them to you.

Flesh this out for me, because it's hilarious. How are Spotify making money from that, exactly? I listen to Discover Weekly most weeks, and if Spotify is generating them, then:

A) They're creating some amazing music, so more power to them

B) They're putting a hell of a lot of work into creating back stories for these bands

They are not making money from Discover Weekly, but they make money from made-up artists, since they don't have to pay anyone to have that music up there. It's easy to do the math from there.

The work they have in making a few artists up is nothing compared to what they would have to pay for an actual artist to have their albums there.

I wouldn't be afraid of the Discover Weekly playlist. I think it's Spotify's best feature. For me, it surfaces great songs & artists I hadn't heard before, and sometimes it's almost spookily accurate.

For Discover Weekly to work though, it helps to feed it good data. It's based on a PageRank-like system, but instead of webpages it's based on user playlists [1]. If you create some of your own playlists, it will go and find other songs that appear regularly on similar playlists. Personally, I've made a large 800-track playlist of music I listen to while coding ([2] if anyone else is interested), and another with every song ever played at a goth/industrial nightclub I used to go to.

I rarely see "made up" artists, but I often like the ones I have been recommended - I really like "Time" on Nowi's EP called Reunion. It's actually made by Firefly Entertainment [3], a Swedish music production company that usually makes film & TV show soundtracks.

[1] https://www.theverge.com/2015/9/30/9416579/spotify-discover-...

[2] https://open.spotify.com/user/syneryder/playlist/5YpeoHyEHG7...

[3] http://hellofirefly.com/

You should share that goth/industrial list too, I love that stuff.

Seems I'd accidentally made the goth nightclub playlist public anyway - here's the link, though it isn't as well maintained as the other playlist:


Do you have any proof whatsoever to support your bold statements? My Discover Weekly is usually great every week and I've discovered many (real!) cool artists that I like through it.

It's possible there's a lot of low quality filler music on Spotify and that your account got algorithmically lumped in the bucket to get there recommended, but to say Spotify is "in on it" seems like a very big leap.

I just can't trust it when an instrumental song by a band that I can't find anywhere else kicks in. I'm not saying that Discover Weekly can't provide you great artists that you don't know, but I can't trust it. It leaves me with the sense that I've been tricked and I'd rather avoid it all together.

