Mysterious, non-existent artists racked up thousands of listens on hijacked Spotify playlists

  • Some Spotify accounts were hijacked to play bogus music from fake bands, presumably to generate revenue in royalties.
  • BBC journalist Jonathan Griffin found reports of seemingly non-existent bands showing up unexpectedly on people's Spotify playlists.
  • One theory in the report is that hackers were able to gain access through the massive Facebook security breach in September.
  • Spotify denied this in a statement to Business Insider, but offered no explanation of where the mystery artists came from. It confirmed that it has removed them from the platform.

Strange and seemingly non-existent artists have inveigled their way onto unsuspecting Spotify users' playlists, in a mysterious phenomenon first reported by the BBC.

In a statement to Business Insider today, Spotify confirmed that "abnormal streaming activity" had taken place. It also said it takes any "artificial manipulation" music streams seriously.

BBC journalist Jonathan Griffin found reports of mysterious unknown bands showing up unexpectedly on people's Spotify playlists. The artists were all unfindable outside of Spotify. Griffin honed in on one band — "Bergenulo Five" – as a typical example.

Bergenulo Five's Spotify presence was puzzling to say the least. They had two albums up, one titled "Sunshine Here" and another called "Hit It Now." The albums' cover art was similar and simple, black text on a bright background.

Each album boasted 40 songs of one to two minutes in length, devoid of verses or choruses. They had apparently garnered almost 60,000 listens.

A Reddit post from October 2018 shows a user who'd encountered Bergenulo Five on Spotify (and reportedly Deezer, although Business Insider was unable to find it on there). The Reddit user commented that the band looked as if it was "generated by a bot or something."

Spotify declined to provide Griffin with details of the mystery artists, and promptly deleted them from the platform.

In a statement to Business Insider, a Spotify spokeswoman said:

"We take the artificial manipulation of streaming activity on our service extremely seriously. Spotify has multiple detection measures in place monitoring consumption on the service to detect, investigate and deal with such activity. These artists were removed because we detected abnormal streaming activity in relation to their content."

Spotify keeps stumm

The bands' purpose on the platform is still up for the debate. In the October Reddit post, the user speculated that the strawman artists had been set up to generate revenue, which could be racked up by hacked accounts. A media analyst told Griffin that Bergenulo could have potentially earned $500 to $600 in royalties for 60,000 streams.

A theory in Griffin's report is that hackers could have used "access tokens" to hijack people's playlists. Access tokens allow people to log in to Spotify through Facebook, and many were stolen en masse in September when Facebook announced a huge hack of almost 50 million users.

When contacted by Business Insider, Facebook said it had found no evidence that third-party apps like Spotify had been accessed using the stolen access tokens.

Read more: The Facebook hack affecting 50 million people also let the attackers access users' Tinder, Spotify, and Instagram accounts

Spotify denied that the mystery artists were connected to the Facebook access token breach when contacted by Griffin. It did not, however, offer an alternative explanation for the streams.

Signup Today: Connectivity and Tech Pro by Business Insider Intelligence