Image: 360b/Shutterstock

Hackers Are Sabotaging My Spotify Playlists With Awful Ambient Music

Other users have reported the same issue, with their accounts taken over to rack up plays for repetitive nonsense.

Aug 25 2015, 11:20am


When one of your internet accounts gets hacked, you assume your details might be used for nefarious purposes. But if your premium Spotify account has been compromised, it may be exploited in a way you hadn't imagined. You may find your carefully curated playlists interrupted by Zumba playlists at all hours.

Spotify Connect—which is only available to premium subscribers—is a handy little function that was launched in 2014 and allows users to link their account to secondary devices. It's a virtual hand-off, which means you can stream music directly from Spotify to any enabled gadget and use your phone or tablet as a remote control. Just click the little speaker in the bottom right-hand corner of the desktop app and it states, "Start Spotify on another device and it will magically appear here."

But it seems that you might not be the only one with this "magic" access.

I first noticed an issue with my own Spotify account last week, when the sound started to cut out at random intervals. Even more unusual was the random music (generally some insipid new-age ambience) that would interrupt what I was playing. I initially took it as a bug, so I logged into my Spotify account on the web, clicked "disconnect everywhere," and thought nothing more of it.


The next morning, I woke up, looked back through my recent activity, and discovered my account had played through several "ambient" albums and a Zumba workout playlist during the night. I was about to put this down to some sort of sleep-deprived temporary madness, but after a strong coffee I logged back into my account, fired up a playlist, and the random silences began again.

After exploring various options, I took a look at the Connect feature and noticed my account was being played in another location, controlled by something called "Spotiamb 0.2.1." A few emails later, and Spotify support confirmed my account had been hacked a few weeks earlier by "brute force" (i.e. multiple attempts at guessing my password). They reset my login and payment details, and left me to go about my day.

But it seems I wasn't alone. The problem was flagged up on the Spotify community boards at the beginning of July, when user "diraiba" experienced similar issues: "I use Spotify a lot in the car and noticed lately that randomly it switches to a song I have never had in any playlist or even listened to." Less than a week later, user "KayinAngel" reported a similar issue: "Occasionally, when listening to an album or playlist or anything, at some random point during the song, Spotify suddenly starts playing some weird medieval/folk/ambient track I've never even heard of before."

As more and more premium subscribers flag this up, a clearer picture emerges: someone with access to your login details can hijack a Spotify account using "Spotiamb 0.2.1."


Spotiamb itself isn't the problem. It's a perfectly legal lightweight mod of the classic Windows music player Winamp, designed in tribute by one of the Spotify team, that allows users to log in to their account and play music without dealing with the company's often cumbersome interface. But it seems hackers are using it as a bypass. They can't access your account while you're using it through the Spotify interface, but they can connect another device with Spotiamb and interrupt your service.

But why would a hacker want to use it to exploit my account? Is it because of my brilliant playlists?

If we trace our steps back to the albums that are being played, they all follow a similar pattern. They are all dated May 26th 2015, all released by "artists" who only have one album to their name, and all made up of music that only varies slightly in length/content from track to track.

Here's an example from "Tony Oldem"—the top track of which has racked up over 9k plays:

And here's another from "Dungeonsd," which appears to be the sound of Greensleeves played over a busy medieval tavern. The top track on this album has racked up in excess of 10k plays:

Someone is gaming the system: using flaws in the Connect function to generate continuous track plays and thus, presumably, payouts from Spotify. The upload and continuous repetition of LPs is something Spotify apparently watches out for, but it seems to be harder to detect if those plays come from multiple user accounts and use Spotiamb as a conduit.
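The pattern described above (same release date, single-album "artists", near-identical track lengths, plays arriving through Spotiamb at odd hours and spread over several accounts) can be turned into a simple platform-side scoring rule. This is an added example, not Spotify's own detection logic or code from the article: the play records, client names, off-hours window and threshold are all constructed or assumed.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample streaming records (not real Spotify data). One tuple per play:
# (account, client, hour_of_day, artist, album, release_date, track, duration_seconds)
PLAYS = [
    ("alice", "Spotify Desktop", 19, "Some Band", "Real Album", "2013-04-01", "Opener", 231),
    ("alice", "Spotify Desktop", 20, "Some Band", "Real Album", "2013-04-01", "Ballad", 302),
    ("bob",   "Spotify Mobile",  18, "Some Band", "Real Album", "2013-04-01", "Opener", 231),
    ("bob",   "Spotify Mobile",  18, "Some Band", "Second LP",  "2014-09-10", "Intro",  144),
    ("alice", "Spotiamb 0.2.1",   2, "Tony Oldem", "Drift", "2015-05-26", "Drift 1", 180),
    ("alice", "Spotiamb 0.2.1",   3, "Tony Oldem", "Drift", "2015-05-26", "Drift 2", 181),
    ("bob",   "Spotiamb 0.2.1",   4, "Tony Oldem", "Drift", "2015-05-26", "Drift 3", 179),
    ("carol", "Spotiamb 0.2.1",   3, "Tony Oldem", "Drift", "2015-05-26", "Drift 1", 180),
]

OFFICIAL_CLIENTS = {"Spotify Desktop", "Spotify Mobile"}  # assumed client names
NIGHT_HOURS = range(0, 6)                                  # assumed off-hours window
FLAGGED_RELEASE_DATE = "2015-05-26"                        # release date cited in the article


def score_albums(plays):
    """Return {(artist, album): (score, reasons)} built from the article's indicators."""
    albums_per_artist = defaultdict(set)
    by_album = defaultdict(list)
    for row in plays:
        albums_per_artist[row[3]].add(row[4])
        by_album[(row[3], row[4])].append(row)

    scores = {}
    for (artist, album), group in by_album.items():
        reasons = []
        n = len(group)
        durations = list({r[6]: r[7] for r in group}.values())  # one length per track
        if len(albums_per_artist[artist]) == 1:
            reasons.append("artist has a single album")
        if len(durations) >= 2 and pstdev(durations) / mean(durations) < 0.05:
            reasons.append("track lengths nearly identical")
        if group[0][5] == FLAGGED_RELEASE_DATE:
            reasons.append("released on the flagged date")
        if sum(r[1] not in OFFICIAL_CLIENTS for r in group) / n > 0.5:
            reasons.append("mostly played through a third-party client")
        if sum(r[2] in NIGHT_HOURS for r in group) / n > 0.5:
            reasons.append("mostly played during off-hours")
        if len({r[0] for r in group}) >= 2 and reasons:
            reasons.append("same pattern across several accounts")
        scores[(artist, album)] = (len(reasons), reasons)
    return scores
```

Any album hitting three or more indicators would be worth a manual look; a single indicator on its own (a new artist with one album, say) is normal and should not trigger anything.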

How concerned you should be about the security of your details, and whether they are being used for this extortion—albeit at a low level—are questions we can't yet answer. When we reached out to Spotify for comment, they seemed unaware of the issue but said they have now flagged it.

Of course, if you are experiencing this issue it's safe to say you should disconnect all devices from Connect and change your password. Alternatively, sit back and enjoy the smooth sounds of "Dungeonsd," comforted in the knowledge that someone, somewhere is waiting for a cheque.