The mystery tracks being 'forced' on Spotify users

Mysterious musicians have cropped up on Spotify, racking up thousands of listens and (perhaps) hundreds of pounds. It's a phenomenon that experts say could indicate a security flaw.

But while Spotify denies that accounts have been hacked, the music streaming site has not explained in detail how the playlists of some users indicate they've "listened to" musicians that nobody's ever heard of.

They have names like Bergenulo Five, Bratte Night, DJ Bruej and Doublin Night. Apart from being musically unremarkable, they generally have a few things in common: short songs with few or no lyrics, illustrated with generic cover art, and short, non-descriptive song titles.

Interestingly, the bands also have little to no presence on the rest of the internet. At a time when social media plays a crucial role in connecting musicians and audiences, these artists have no fan pages, no concert listings, social media accounts or even photos of the actual musicians.

But somehow these mystery artists and a host of similar acts have snuck into people's Spotify listening playlists, in some cases racking up thousands of listens and prompting a number of users to speculate that their accounts had been hacked.

Many listeners (including this reporter) never actively searched for or played tracks by bands like Bergenulo Five, but found that their music ended up being logged in their listening history anyway.

The BBC asked Spotify for contact details for the artists in question. It declined, and all of our attempts to contact the bands were met with silence. But within a few days of our query, most of the mystery artists had disappeared from the music streaming site.

Do you know anything about them? Email BBC Trending, external.

Bergenulo Five is a typical - and fairly popular - artist in what might be called the "mysterycore" genre. On Spotify they initially had two albums posted - "Sunshine Here" and "Hit It Now".

The cover art for each album was simple: the album title in black text over a bright colour. And each album was packed with more than 40 short songs each, most of them just a minute or two long, with no verses or choruses, and mostly one-word titles: Awake, Winter, Coming. Bergenulo Five songs had in total nearly 60,000 streams on Spotify by users of music tracking website Last FM.

Reddit, Twitter and Last FM's fan pages are rife with negative comments from listeners who have noticed that according to their account history, they've been "playing" Bergenulo Five songs.

"What is this spam?" wrote one.

"So annoying," added another.

On Reddit, Callum Dixon wrote: "The same Bergenulo Five keeps being played on my account and I've tried everything - changed my password, logged out of everywhere. I can't stop it!"

Dixon also happens to be a cybersecurity graduate who wrote a thesis on Spotify - and speaking to the BBC, he suggested that something called access tokens had something to do with the sudden spread of mysterycore tracks.

Access tokens are permissions granted when you use one website or social network to log into another site.

For instance, users can log into Spotify using their Facebook username and password. An electronic access token is granted which links the two accounts, and the method is generally secure.

"This worked brilliantly well, up until the point where the access tokens were breached," says Tim Mackey of security software company Black Duck.

That's a reference to a security problem announced by Facebook in September 2018. Initially the company said up to 50 million accounts were affected, and people who were potentially caught up in the breach were prompted to re-enter their login details.

Facebook said it cancelled all access tokens that might have been violated by the breach, thus keeping accounts secure.

But Mackey says that identifying exactly what was taken in the data breach is extremely complicated, and when it comes to cancelling the tokens, "you may end up with a certain small percentage that were missed".

Facebook insists that all affected tokens were cancelled, and said that they have no evidence that the attackers - who have not been identified - used the tokens to access Spotify or any other sites or apps before September.

In addition, other security experts have pointed out issues that Spotify users have had with reusing passwords on different sites, external.

Mysterycore artists began cropping up on Spotify in early October 2018, shortly after the access token attack was made public. However, many Spotify users only noticed that their accounts had been logging tracks by the mystery bands later, when the streaming site promoted a widget that allowed users to post a list of their most-listened-to tracks of the year. Some people noticed that bands that they had never heard of, much less listened to, somehow made their personalised list.

So how does a band with few fans and no digital footprint get their music on to Spotify in the first place?

It would have been fairly difficult until recently. Spotify was launched in 2008, and for most of the site's history, record labels and companies were responsible for getting songs uploaded. But in September 2018, the company relaxed its rules, allowing independent artists to upload tracks to the service directly.

And popular artists are eligible for royalties. Because there are several variables, it's difficult to calculate exactly how much one listen is worth, but one expert, Mark Mulligan of Midia Research, told BBC Trending radio that Bergenulo Five could have made about $500 to $600 (about £380 to £460) from 60,000 streams.

Spotify would not say whether it actually paid any money to the mystery artists, and did not give any information about who "forced" my account to play music from the Bergenulo Five and others.

"We take the artificial manipulation of streaming activity on our service extremely seriously," the company said in a statement. "Spotify has multiple detection measures in place monitoring consumption on the service to detect, investigate and deal with such activity.

"These artists were removed because we detected abnormal streaming activity in relation to their content."

Spotify denied that the mystery artists were linked to the Facebook access tokens breach, and underlined the statement from Facebook which said that no third-party accounts had been compromised.

But a spokesperson did not provide any further detail on who might have been behind the tracks or how they accessed user playlists. And so mysterycore artists like Bergenulo Five may remain - well, a mystery.

Do you know more? Get in touch and let us know, external.

More from Trending: Blue Whale: The truth behind an online 'suicide challenge'

The "Blue Whale challenge" was reported to be an online "suicide game" aimed at teenagers which set 50 tasks over 50 days. The challenge was alleged to be linked to numerous deaths around the world. But little about the "game" was quite as it seemed. READ NOW

You can follow BBC Trending on Twitter @BBCtrending, external, and find us on Facebook, external. All our stories are at bbc.com/trending.