My Spotify had a new music "Device" listed with a weird name. Frequently the device would be selected and a song I'd never heard of would start playing, with no sound as it went to the rogue music device.
On my Spotify account I could see a new linked application that I hadn't ever set up. I deleted it, kicked out any logins that Spotify allowed me to, and the problem went away for a day or so. Then it magically reappeared!
When I set up my account I did so with my Facebook account. At one point, IIRC, you could have an account created via Facebook but that meant you always had to log in using Facebook. They later changed this to allow you to set a password and use either.
Assuming the worst I secured my Facebook account (password change/revoking access/etc). No luck. What did work was setting up a proper Spotify password. I'd always logged in with Facebook and never bothered changing the password when they added that feature. Once I changed it I could delete the application, kick out any applications, and then it never came back.
Complete speculation: When Spotify allowed Facebook linked accounts to have a separate password, they generated me a password that was "guessable" and someone used it to access my account?
https://support.spotify.com/uk/account_payment_help/privacy/... for information on how to do that for Spotify.
PS: why is your username so perfectly on topic?
The other one is a good question as well. Spotify pays out when a song has been listened to for at least 30 seconds. This has been abused in the past as well: https://qz.com/1212330/a-bulgarian-scheme-scammed-spotify-fo...
The article says it is not clear if the fraudsters abused existing user accounts or set up a farm. But apparently, the songs have been played. They all were exactly 30 seconds long - this is the minimum play time for a song to qualify for a payout.
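The "exactly 30 seconds" tell described above is easy to turn into a detection rule. The following is an added example, not Spotify's code or anything from the article: it runs a small heuristic over a constructed stream log (account, track, track length, seconds played) and flags tracks whose length sits right at the payout threshold and whose qualifying plays come from only a handful of accounts, then flags accounts whose qualifying plays are dominated by those tracks. The threshold, slack and concentration limits are assumptions chosen for illustration.

```python
"""Flag payout-qualifying streams that look like the 30-second scheme.

Heuristics taken from the thread: a play only pays out after 30 seconds,
and the fraudulent catalogue consisted of tracks that were exactly 30
seconds long, streamed by a small set of accounts.
"""
from collections import defaultdict

PAYOUT_THRESHOLD_S = 30  # assumed minimum play time for a payout

# Constructed sample log: (account_id, track_id, track_length_s, seconds_played)
SAMPLE_STREAMS = [
    ("acct_1", "trk_real_A", 214, 214),
    ("acct_2", "trk_real_A", 214, 45),
    ("acct_3", "trk_real_B", 187, 12),   # skipped before the payout threshold
    ("acct_3", "trk_real_C", 30, 30),    # a genuinely short track, many listeners
    ("acct_4", "trk_real_C", 30, 30),
    ("acct_5", "trk_real_C", 30, 30),
    ("acct_6", "trk_real_C", 30, 30),
    ("acct_7", "trk_short_1", 30, 30),   # the suspicious cluster
    ("acct_7", "trk_short_2", 30, 30),
    ("acct_7", "trk_short_3", 30, 30),
    ("acct_7", "trk_short_1", 30, 30),
    ("acct_8", "trk_short_1", 30, 30),
    ("acct_8", "trk_short_2", 30, 30),
    ("acct_8", "trk_short_3", 30, 30),
]


def qualifying_streams(streams, threshold_s=PAYOUT_THRESHOLD_S):
    """Streams that would count towards a payout (played long enough)."""
    return [s for s in streams if s[3] >= threshold_s]


def track_stats(streams, threshold_s=PAYOUT_THRESHOLD_S):
    """Per-track length, qualifying play count and set of paying accounts."""
    stats = {}
    for account, track, length_s, _played in qualifying_streams(streams, threshold_s):
        entry = stats.setdefault(track, {"length_s": length_s, "plays": 0, "accounts": set()})
        entry["plays"] += 1
        entry["accounts"].add(account)
    return stats


def suspicious_tracks(streams, threshold_s=PAYOUT_THRESHOLD_S, slack_s=1,
                      min_plays=2, max_accounts=2):
    """Tracks cut to the payout threshold whose plays come from few accounts.

    Both conditions are needed: a short track with a broad audience
    (trk_real_C above) is legitimate and must not be flagged.
    """
    flagged = {}
    for track, st in track_stats(streams, threshold_s).items():
        near_threshold = abs(st["length_s"] - threshold_s) <= slack_s
        concentrated = st["plays"] >= min_plays and len(st["accounts"]) <= max_accounts
        if near_threshold and concentrated:
            flagged[track] = {"plays": st["plays"], "accounts": sorted(st["accounts"])}
    return flagged


def suspicious_accounts(streams, min_ratio=0.8):
    """Accounts whose qualifying plays are mostly on flagged tracks.

    Returns {account: ratio}. A payout system can withhold royalties for
    these streams without touching the account (the quiet response the
    thread speculates about) while keeping the evidence for review.
    """
    flagged_tracks = suspicious_tracks(streams)
    total, bad = defaultdict(int), defaultdict(int)
    for account, track, _length, _played in qualifying_streams(streams):
        total[account] += 1
        if track in flagged_tracks:
            bad[account] += 1
    return {a: bad[a] / total[a] for a in total if bad[a] / total[a] >= min_ratio}


if __name__ == "__main__":
    print("flagged tracks:", suspicious_tracks(SAMPLE_STREAMS))
    print("flagged accounts:", suspicious_accounts(SAMPLE_STREAMS))
```

The concentration check is what keeps the rule from firing on every short interlude or sound-effect track; on real data the limits would be set from the length distribution of the catalogue rather than hard-coded.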
Talk about easy to spot! Maybe the defensive team is deliberately keeping their countermeasures low-profile (don't block anything except payout) to make it harder for attackers to iteratively adapt? Similar to the way shadowbanning is magnitudes more effective than banning.
I did link Spotify to Facebook at one point, although I disabled all of my external apps on the Facebook side a long time ago and have used my username / password to log in ever since. I've never used a "playlist converter" or linked anything else to Spotify, as far as I know. My password has always been unique.
It should go without saying that if these access tokens have been breached they really should be revoked. I imagine Spotify will finally do something about it now that this has hit the mainstream press.
https://support.spotify.com/uk/account_payment_help/privacy/... for instructions.
Yet, I tried everything to stop it, assuming I had my account compromised: I logged out all devices, changed my password, but nothing changed until one day it randomly stopped.
They did not change anything at all on my Spotify account, it's as if they just used my account to play music somewhere else. They also never hijacked it while I was using it to try and play their music; it was only when I'd log on that it would be playing some other music.
Knowing only that Spotify is a large distributed system, and seeing that the mystery tracks are short in title and length, as well as plentiful, it feels like these tracks are ending up as collisions in a distributed hash table.
From there it'd be a matter of bubbling up top due to sorting order properties.
Is that something that is done in some industries? Hash collisions to me have always been a performance problem, not a correctness one.
They could be fetching all values for a given key (for performance reasons, since the seek for a read is surprisingly expensive). Depending on how they then use that data, these short and plentiful tracks can end up being included instead of dropped.
In any hash table, collisions are unavoidable. In a distributed KV store, the collision resolution might be done at a higher level, so any lookup reads all the values for a given key. The reason is simple: opportunistic caching. Sometimes you get lucky and are asked for two or more items that hash to the same key within cache expiration window. If you can avoid a read just 0.1% of the time, that's an improvement on tail latency AND it just left capacity available for other clients to do their reads.
We are all aware Spotify stores a lot of media. I know nothing about their internal architecture, but they might use hash of the track metadata as its content key. If assumptions (or "happy optimisations") about their size distribution don't hold, some extra tracks could end up getting through.
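The defect the two comments above describe, a store that hands back every value in a bucket and a caller that never re-checks the full key, is easy to reproduce. The following is an added example and says nothing about Spotify's actual architecture (which the commenter admits is unknown): a toy bucketed key-value store with a deliberately tiny bucket space so collisions are guaranteed, a naive reader that trusts the bucket, and a checked reader that verifies the key. The key names and the track metadata are constructed.

```python
"""Bucketed key-value store: reading a whole bucket leaks neighbours' values
unless the caller re-verifies the full key.
"""
import hashlib


def bucket_of(key: str, buckets: int) -> int:
    """Map a key to a bucket. The bucket count is tiny on purpose so that
    collisions are frequent; a real store would use a much larger space."""
    digest = hashlib.sha256(key.encode("utf-8")).digest()
    return int.from_bytes(digest[:4], "big") % buckets


class BucketedStore:
    def __init__(self, buckets: int = 4):
        self.buckets = buckets
        self.slots = [[] for _ in range(buckets)]  # each slot: list of (key, value)

    def put(self, key: str, value) -> None:
        self.slots[bucket_of(key, self.buckets)].append((key, value))

    def read_bucket(self, key: str):
        """What the storage layer returns: everything sharing the bucket."""
        return list(self.slots[bucket_of(key, self.buckets)])

    def get_naive(self, key: str):
        """Bug: treats bucket membership as key equality, so values belonging
        to other keys in the same bucket come back as if they were ours."""
        return [value for _key, value in self.read_bucket(key)]

    def get_checked(self, key: str):
        """Fix: collision resolution at the caller, compare the full key."""
        return [value for k, value in self.read_bucket(key) if k == key]


def build_demo_store(buckets: int = 4, n_short_tracks: int = 12) -> BucketedStore:
    """One long 'real' track plus many short ones (constructed metadata)."""
    store = BucketedStore(buckets)
    store.put("track:real:Reunion", {"title": "Reunion", "length_s": 214})
    for i in range(n_short_tracks):
        store.put(f"track:short:{i}", {"title": f"short {i}", "length_s": 30})
    return store


def find_leaky_key(store: BucketedStore):
    """Return a key whose bucket holds other keys too. With more keys than
    buckets the pigeonhole principle guarantees one exists."""
    for slot in store.slots:
        if len(slot) > 1:
            return slot[0][0]
    return None


if __name__ == "__main__":
    store = build_demo_store()
    key = find_leaky_key(store)
    print(key, "naive ->", len(store.get_naive(key)), "values;",
          "checked ->", len(store.get_checked(key)), "value")
```

The point of the pair of readers is that the caching optimisation described in the comment (read the whole bucket once, serve several keys from it) is fine as long as the full key is compared on the way out; drop that comparison and a key with many short neighbours silently returns them all.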
That, to me, seems far less likely than simple account compromise.
Hash collisions have always been a security threat vector.
I recently tried to play a track and it kept playing a completely different artist and track instead every time I clicked on it. I moaned on Twitter and Spotify replied that the Linux client is not supported... Which is true, just not very helpful, when all I tried was to help them.
then listen closer
as you will hear nothing but silence
for those songs do not exist.
Maybe they found a way to spam thousands of Spotify accounts, and hope that some of them are going to try to listen to some out of curiosity.
If there are enough doing that, they'll get royalty money from really played music, and not from pseudo-played tracks, which might be what Spotify monitors.
Why does Spotify still not have 2FA? I get that legacy connected devices will be a problem for them, but there are ways around that.
racking up thousands of listens and
(perhaps) hundreds of pounds
"[...] one expert, Mark Mulligan of Midia Research, told BBC Trending radio that Bergenulo Five could have made about $500 to $600 (about £380 to £460) from 60,000 streams"
1. They really need to pay their artists more
2. They have no interest in their users organizing/tagging music, probably because they want more control over what plays next via algorithms/playlists
Both of these have now culminated in a malicious actor completely ruining the victim's user experience to make a couple hundred bucks.
Spotify reacted rapidly and restored my account in a few days. But it looks suspicious to me that the attacker was able to change my email without Spotify sending me a confirmation first (my email account was not broken). Also Spotify is missing 2FA, which would have prevented this.
From the article:
>On Reddit, Callum Dixon wrote: "The same Bergenulo Five keeps being played on my account and I've tried everything - changed my password, logged out of everywhere. I can't stop it!"
I’ll go to my subscriptions and there will be videos in there from channels that I never subscribed to, but I’m now subscribed.
Any bright ideas about how I can use spotify here?
I can't name a site off the top of my head, but googling will probably work.
Regarding the 'hacking', it never happened to me, but it's easy to see how troublesome that may be. But that's what we get for trusting an application that promises to get us free music forever. It had to have drawbacks, eventually.
Flesh this out for me, because it's hilarious. How are Spotify making money from that, exactly? I listen to Discover Weekly most weeks, and if Spotify is generating them, then:
A) They're creating some amazing music, so more power to them
B) They're putting a hell of a lot of work into creating back stories for these bands
The work they have in making a few artists up is nothing compared to what they would have to pay for an actual artist to have their albums there.
For Discover Weekly to work though, it helps to feed it good data. It's based on a PageRank-like system, but instead of webpages it's based on user playlists. If you create some of your own playlists, it will go and find other songs that appear regularly on similar playlists. Personally, I've made a large 800-track playlist of music I listen to while coding (if anyone else is interested), and another with every song ever played at a goth/industrial nightclub I used to go to.
I rarely see "made up" artists, but I often like the ones I have been recommended - I really like "Time" on Nowi's EP called Reunion. It's actually made by Firefly Entertainment, a Swedish music production company that usually makes film & TV show soundtracks.
It's possible there's a lot of low quality filler music on Spotify and that your account got algorithmically lumped in the bucket to get them recommended, but to say Spotify is "in on it" seems like a very big leap.