Spotify’s Music Catalog Leaked in Massive Data Breach


Spotify’s music catalog leaked after a large-scale scrape tied to Anna’s Archive spilled massive amounts of Spotify metadata, along with claims of audio-file access, into torrent-ready packages, prompting Spotify to disable accounts and add new safeguards.

What leaked and when

Reports published around Dec. 21–22, 2025 describe a bulk “preservation/archive” release that includes Spotify track metadata at very large scale and claims access to a huge portion of Spotify-hosted audio files. The packages described total roughly 300TB and include figures such as 256 million rows of track metadata and about 86 million audio files, with releases staged (metadata first, audio later). Multiple reports also note the scrape largely reflects availability up to around July 2025, meaning newer additions may be absent.

Timeline snapshot

| Date (2025) | Reported development | Why it matters |
|---|---|---|
| Dec. 21 | The archive/scrape announcement and early distribution of large Spotify metadata packages begin circulating widely. | Marks the point the dataset becomes broadly mirrorable via peer-to-peer sharing. |
| Dec. 21–22 | Reporting crystallizes the headline numbers: ~300TB total, ~256M metadata rows, and claims of ~86M audio files. | Helps rightsholders and researchers estimate scope and prioritize response. |
| Dec. 22 | Spotify’s response emphasizes disabling accounts involved in scraping and adding safeguards. | Signals mitigation and active monitoring, while investigation continues. |

How it happened (and what “scraping” means here)

Spotify’s public-facing catalog data can be collected at scale through “scraping,” a form of automated data collection that can overwhelm controls if a party uses many accounts and techniques to evade detection. In this incident, Spotify stated it “identified and disabled” accounts involved in “unlawful scraping,” and said it implemented new safeguards aimed at these “anti-copyright attacks.” Separate reporting also describes unauthorized tactics used to reach some audio files by circumventing DRM (digital rights management), alongside scraping of public metadata.

Importantly, the dataset described in reports is framed primarily as catalog/content data (track metadata and claimed audio files), not a dump of Spotify customer payment information. Spotify’s own consumer guidance also stresses that “breaches on other services” can lead to Spotify account logins when people reuse passwords, even when Spotify says its “platform and user records are secure.”

What Spotify says (and what it doesn’t)

Spotify’s public response, as quoted in reporting and statements, focuses on enforcement and mitigation: disabling suspicious accounts, adding safeguards, and monitoring for suspicious behavior. Spotify also positions the incident as a piracy/rights-protection problem, stating it has “stood with the artist community against piracy” and is working with industry partners to protect creators. At the same time, current public reporting remains fluid about the precise boundary between “public metadata scraped at scale” and “audio files accessed by bypassing DRM,” and about how much of the claimed audio dataset is actually obtainable by the public right now.

On the user-security side, Spotify’s official help guidance continues to frame many “hacked account” experiences as credential-reuse fallout from breaches elsewhere, listing warning signs like unexpected email changes, playlist changes, and logins you don’t recognize. That distinction matters because a catalog/content leak primarily impacts rightsholders and platform integrity, while account-takeover waves primarily impact listeners and can happen even without a platform-wide database theft.

What was reportedly exposed vs. typical account-takeover data

| Category | What this incident is described as | Typical user impact |
|---|---|---|
| Catalog metadata | Large-scale tables (hundreds of millions of track rows) shared in bulk packages. | Enables copying, indexing, and potential downstream misuse (e.g., mass mirroring, analytics, or identification of catalog structure). |
| Audio files (claimed) | Reports describe tens of millions of audio files and ~300TB total archive size, with phased release plans. | Heightened piracy risk and potential licensing/rights disputes if widely distributed. |
| Listener accounts | Spotify’s help guidance emphasizes credential reuse from other breaches can still lead to account compromise without Spotify’s databases being “breached.” | Users may see unauthorized logins, playlist changes, or subscription changes; Spotify advises monitoring for these signs. |

Why this matters for artists, labels, and the music business

If large-scale catalog metadata is mirrored broadly, it can lower the friction for piracy ecosystems to organize, identify, and distribute content, even when the underlying audio is hosted elsewhere or protected by DRM. The claims about audio-file access are especially sensitive because they imply a path around DRM protections that, if repeatable, could be reused beyond this single release. The scale described (hundreds of terabytes) also changes the enforcement reality: once enough mirrors exist, takedowns become far less effective than prevention and source-side controls.

The incident also lands at a moment when music rightsholders are already navigating broader pressures: AI-related copying concerns, escalating anti-piracy enforcement, and platform accountability debates. Even if most listeners never download torrents, a widely mirrored catalog dataset can still create downstream business risks, like facilitating counterfeit uploads, impersonation, or rapid rehosting by piracy services.

What users should do now (practical steps)

Spotify’s own guidance for suspected account compromise focuses on spotting unauthorized changes (email, playlists, subscription, unexpected playback) and acting quickly if those signs appear. Because credential reuse is a common driver of account takeovers, tightening password hygiene and enabling stronger login protections reduces risk even when a user isn’t directly affected by this catalog leak. If unusual activity is seen, treat it as an account-security issue (not necessarily proof that Spotify’s internal user database was stolen) and follow Spotify’s official support steps.

For artists/labels/publishers, the near-term priority is monitoring: search for newly appearing mirrors, suspicious re-uploads, and unusually complete “Spotify library” bundles that match the described dataset, then coordinate enforcement through distribution partners. Internally, stakeholders will likely press for clearer technical disclosure on what was accessed (public metadata only vs. audio retrieval path), what controls failed, and what new safeguards were deployed.

Final thoughts

This Spotify music catalog leak is being characterized as a large-scale scraping-and-distribution event with unusually large scope claims, and Spotify says it has already disabled accounts involved and rolled out additional safeguards. The biggest open questions are practical: how much of the claimed audio archive becomes publicly obtainable, and whether the reported DRM-circumvention method can be repeated or has been closed. For most listeners, the most immediate risk remains account takeover via reused passwords, and Spotify’s official “hacked account” guidance remains the clearest action framework if anything looks wrong.

