Company says attackers collected songs and music catalog information without authorization, without affecting user data
The reported this Monday (Dec 22, 2025) that it deactivated accounts used by a group of hackers who claim to have copied a large part of the platform’s catalog. The company declared that the episode had no impact on user data or accounts.
According to the company, there was illegal collection of music using a technique known as “scraping”which consists of the use of automated programs to access the service repeatedly and copy content and information en masse, without authorization.
The collective, known for maintaining digital archives of books and academic articles, on its blog managed to copy audio files of approximately 86 million songs and metadata (technical and descriptive information, such as title, artist, album, duration and identification codes) of approximately 256 million tracks.
According to the hacker group, the material gathered totals close to 300 TB (terabytes) and represents more than 99% of the songs played on the Swedish streaming service.
Anna’s Archive states that the initiative is for cultural preservation, with the aim of preventing music from disappearing if platforms lose licenses or close activities.
“It is the world’s first fully open music ‘preservation archive’ (i.e., can be easily mirrored by anyone with enough disk space), with 86 million music files, representing about 99.6% of reproductions. Anna’s Archive typically focuses on texts (e.g., books and articles). We explain in ” that we do this because text has the highest information density. But our mission (preserving humanity’s knowledge and culture) does not distinguish between types media. Sometimes an opportunity arises outside of the text.declared the collective.
The group admits, however, that large-scale extraction violates terms of use and copyright laws. Some of the material began to be distributed through torrent networks, organized by track popularity.
In a statement, Spotify stated that it identified and removed the accounts involved in hacking activity and that it is strengthening its security systems. The company acknowledged that third parties used “illegal tactics” to circumvent copyright protection mechanisms and access part of the content, but did not confirm or deny the size of the collection that would have been copied.
“We have implemented new security measures to combat these types of copyright infringement attacks and are actively monitoring any suspicious activity”the company stated.
The platform also said that the episode did not affect users and did not result in a leak of personal data. According to Spotify, the collection mainly involved public metadata and some audio files, obtained in an unauthorized way.
Spotify continues to investigate the case and said it works with industry partners to curb piracy and protect artists and creators. The company did not say whether it intends to take legal action against those responsible for collecting and disseminating the material.
