Hackers from a hacktivist group called Anna’s Archive have managed to steal approximately 86 million music files from Spotify. The activists claim to be in possession of nearly 300TB of music files and are planning to release them to the public. They have already shared the files' metadata and will likely share the actual music files in early 2026. The activists are not demanding a ransom from Spotify, nor are they after monetary gain. Instead, they claim to be making an effort to “back up” Spotify’s music in order to preserve it, by allowing anyone with enough disk space to “mirror” the files.
Key takeaways
- Hacktivists claim to be in the process of creating a massive unauthorized backup of popular music by scraping nearly 300TB of data from Spotify.
- Spotify was not asked to pay a ransom, nor was it given an opportunity to patch the security loophole.
- The streaming platform stated that the scraping is against its user policy and reassured its user base of 700 million that the hackers breached no personal information.
- The music files might become public soon and could be used by anyone to train AI systems without the artists’ consent.
How big is Spotify’s music catalog?
The Swedish audio streaming and media service provider is one of the largest digital music streaming companies in the world, alongside SoundCloud and YouTube Music. Spotify has hundreds of millions of tracks, and the hackers claim to be in possession of approximately 37% of all the songs in its library. While this may sound like only about one third of the company’s song catalog, the folks at Anna’s Archive say that it contains the music that serves about 99.6% of the listen requests on the platform.
Is Spotify OK with letting the hackers “preserve” its content, and were the personal details of Spotify users affected in this cyber incident?
To say the least, the Swedish company was not particularly happy with the cyber-attack. It called the actions unlawful and immediately shut down all accounts associated with the mirroring of the music tracks from its streaming platform. It patched the loophole used by the hacktivists and hurried to confirm that, even though the hackers managed to get access to the music files by using illicit tactics, the personal information of Spotify users has not been leaked and all sensitive information belonging to its user base of 700 million people is safe and secure.
What could go wrong if all the music files are made public?
Cyber security experts hurried to confirm that, even though the actions by the hacktivists might have a noble flavor, the music files might end up in the wrong hands and could be used to train AI systems without artist consent. AI companies are not yet required by governments to clearly reveal the training data they use, and it is possible that those stolen files, which represent nearly 100% of music listens on Spotify, could end up being used in ways that harm the hard work and intellectual property of the artists, record labels, and music publishers.
Was Spotify given the chance to prevent the copying of its files?
Spotify was not given any heads-up or notice about the mirrored files. The hackers did not ask for a ransom, nor did they approach the company to give it a chance to patch the security hole. Instead, Anna’s Archive published a blog post detailing their findings, released metadata, and shared their intent to release the music files to the world.
The hackers reject copyright and piracy claims, saying that they are not storing any of the files themselves and that the files will be released and kept alive via torrents. The scraping of Spotify’s music catalog took months and was done through user accounts. The catalog contains music posted by the streaming platform between 2007 and 2025.
People might argue over whether the Spotify incident is a malicious and illegal activity hidden under the umbrella of hacktivism, or a noble action by a hacker organization trying to preserve art and fight corporate greed. While we are not here to judge, it is important to highlight how easy it is for hackers, likely located on the other side of the world, to do something that affects people not only here in the USA, but worldwide.
Many of those millions of artists would likely be unhappy if their music were used to train AI that could be used to create content that eventually harms their livelihood. It is a fact that Spotify failed to protect their content and allowed this massive unauthorized scraping to occur. Having proper antivirus protection and adequate IT security is always needed, no matter if you are an individual or a company worth over $120 billion.