Date: 2025-12-23

Spotify users were left alarmed this week after online claims suggested the streaming giant had been hacked, with tens of millions of songs allegedly exposed. The headlines painted a dramatic picture of a compromised catalogue, but the reality is more nuanced.

Spotify has confirmed it was not hacked, but that an unauthorised third-party data scrape did take place, prompting fresh questions about how music platforms protect their vast libraries.

What Actually Happened

The confusion began after reports circulated online claiming that Spotify's entire music catalogue had been compromised. Those claims were linked to a blog post from Anna's Archive, a group known for archiving digital media, which initially suggested that Spotify data had been widely released on peer-to-peer networks.

Spotify has since clarified that no security breach occurred. Instead, the company identified unauthorised scraping activity by a third party, which accessed publicly available metadata and used illicit methods to reach some audio files. The distinction is significant, even if it was lost amid the initial surge of alarm.

What Data Was Accessed and What Was Not

An early report from Mandatory claimed that as many as 86 million audio files and hundreds of millions of rows of metadata were exposed. However, an updated statement from Anna's Archive later confirmed that only metadata was released publicly, not the audio files themselves.

Metadata includes information such as track titles, artist names, album details and release dates. While valuable at scale, it does not contain user passwords, payment details or private listening histories. Spotify has said there is no evidence that individual user accounts were compromised.

Spotify's Official Response

In a statement provided to Billboard, Spotify acknowledged the incident while rejecting claims of a hack. A company spokesperson said, 'An investigation into unauthorised access identified that a third party scraped public metadata and used illicit tactics to circumvent DRM to access some of the platform's audio files. We are actively investigating the incident.'

The reference to DRM, or digital rights management, has added to the confusion, as it suggests attempts to bypass safeguards around copyrighted material rather than a breach of Spotify's internal systems.

The Role of Anna's Archive

Anna's Archive framed the scraping operation as a 'preservation archive' effort, arguing that music could disappear if streaming platforms lose licensing rights. In its blog post, the group claimed that archiving Spotify's catalogue would help protect cultural material for the future.

Spotify has not endorsed that characterisation, and the legality of such activity remains highly contentious under copyright law. Music industry bodies have long argued that large-scale scraping and archiving undermine artists' rights and licensing agreements.

Industry Reaction and Expert Commentary

Reaction from the tech and music sectors was swift. Yoav Zimmerman, CEO and co-founder of Third Chair, commented on LinkedIn that the scale of the scrape could, in theory, allow individuals to recreate large personal music libraries using private media servers, though copyright law remains a major barrier.

Zimmerman also noted that the reported scale would dwarf existing open databases such as MusicBrainz, which contains around five million unique tracks, highlighting why the claims drew so much attention.

Why It Is Being Mistaken for a Hack

Terms such as 'scraped', 'leaked' and 'exposed' are often used interchangeably online, even though they describe very different activities. A hack typically involves breaching secure systems and accessing private user data. Scraping, by contrast, often targets publicly accessible information, albeit sometimes at scale and without permission.

In this case, the sheer volume of data involved helped fuel the misconception that Spotify itself had been breached.