Spotify’s Music Catalog Leaked in Massive Data Breach

spotify music catalog leaked

Spotify music catalog leaked after a large-scale scrape tied to Anna’s Archive spilled massive Spotify metadata—and claims of audio-file access—into torrent-ready packages, prompting Spotify to disable accounts and add new safeguards.​

What leaked and when

Reports published around Dec. 21–22, 2025 describe a bulk “preservation/archive” release that includes Spotify track metadata at very large scale and claims access to a huge portion of Spotify-hosted audio files. The packages described total roughly 300TB and include figures such as 256 million rows of track metadata and about 86 million audio files, with releases staged (metadata first, audio later). Multiple reports also note the scrape largely reflects availability up to around July 2025, meaning newer additions may be absent.​

Timeline snapshot

Date (2025) Reported development Why it matters
Dec. 21 The archive/scrape announcement and early distribution of large Spotify metadata packages begins circulating widely. ​ Marks the point the dataset becomes broadly mirrorable via peer-to-peer sharing. ​
Dec. 21–22 Reporting crystallizes the headline numbers: ~300TB total, ~256M metadata rows, and claims of ~86M audio files. ​ Helps rightsholders and researchers estimate scope and prioritize response. ​
Dec. 22 Spotify’s response emphasizes disabling accounts involved in scraping and adding safeguards. ​ Signals mitigation and active monitoring, while investigation continues. ​

How it happened (and what “scraping” means here)

Spotify’s public-facing catalog data can be collected at scale through “scraping,” a form of automated data collection that can overwhelm controls if a party uses many accounts and techniques to evade detection. In this incident, Spotify stated it “identified and disabled” accounts involved in “unlawful scraping,” and said it implemented new safeguards aimed at these “anti-copyright attacks.” Separate reporting also describes unauthorized tactics used to reach some audio files by circumventing DRM (digital rights management), alongside scraping of public metadata.​

Importantly, the dataset described in reports is framed primarily as catalog/content data (track metadata and claimed audio files), not a dump of Spotify customer payment information. Spotify’s own consumer guidance also stresses that “breaches on other services” can lead to Spotify account logins when people reuse passwords, even when Spotify says its “platform and user records are secure.”​

What Spotify says (and what it doesn’t)

Spotify’s public response, as quoted in reporting and statements, focuses on enforcement and mitigation: disabling suspicious accounts, adding safeguards, and monitoring for suspicious behavior. Spotify also positions the incident as a piracy/rights-protection problem, stating it has “stood with the artist community against piracy” and is working with industry partners to protect creators. At the same time, current public reporting remains fluid about the precise boundary between “public metadata scraped at scale” versus “audio files accessed by bypassing DRM,” and how much of the claimed audio dataset is actually obtainable by the public right now.​

On the user-security side, Spotify’s official help guidance continues to frame many “hacked account” experiences as credential-reuse fallout from breaches elsewhere, listing warning signs like unexpected email changes, playlist changes, and logins you don’t recognize. That distinction matters because a catalog/content leak primarily impacts rightsholders and platform integrity, while account-takeover waves primarily impact listeners and can happen even without a platform-wide database theft.​

What was reportedly exposed vs. typical account-takeover data

Category What this incident is described as Typical user impact
Catalog metadata Large-scale tables (hundreds of millions of track rows) shared in bulk packages. ​ Enables copying, indexing, and potential downstream misuse (e.g., mass mirroring, analytics, or identification of catalog structure). ​
Audio files (claimed) Reports describe tens of millions of audio files and ~300TB total archive size, with phased release plans. ​ Heightened piracy risk and potential licensing/rights disputes if widely distributed. ​
Listener accounts Spotify’s help guidance emphasizes credential reuse from other breaches can still lead to account compromise without Spotify’s databases being “breached.” ​ Users may see unauthorized logins, playlist changes, or subscription changes; Spotify advises monitoring for these signs. ​

Why this matters for artists, labels, and the music business

If large-scale catalog metadata is mirrored broadly, it can lower the friction for piracy ecosystems to organize, identify, and distribute content—even when the underlying audio is hosted elsewhere or protected by DRM. The claims about audio-file access are especially sensitive because they imply a path around DRM protections that, if repeatable, could be reused beyond this single release. The scale described—hundreds of terabytes—also changes the enforcement reality: once enough mirrors exist, takedowns become far less effective than prevention and source-side controls.​

The incident also lands at a moment when music rightsholders are already navigating broader pressures: AI-related copying concerns, escalating anti-piracy enforcement, and platform accountability debates. Even if most listeners never download torrents, a widely mirrored catalog dataset can still create downstream business risks—like facilitating counterfeit uploads, impersonation, or rapid rehosting by piracy services.​

What users should do now (practical steps)

Spotify’s own guidance for suspected account compromise focuses on spotting unauthorized changes (email, playlists, subscription, unexpected playback) and acting quickly if those signs appear. Because credential reuse is a common driver of account takeovers, tightening password hygiene and enabling stronger login protections reduces risk even when a user isn’t directly affected by this catalog leak. If unusual activity is seen, treat it as an account-security issue (not necessarily proof that Spotify’s internal user database was stolen) and follow Spotify’s official support steps.​

For artists/labels/publishers, the near-term priority is monitoring: search for newly appearing mirrors, suspicious re-uploads, and unusually complete “Spotify library” bundles that match the described dataset, then coordinate enforcement through distribution partners. Internally, stakeholders will likely press for clearer technical disclosure on what was accessed (public metadata only vs. audio retrieval path), what controls failed, and what new safeguards were deployed.​

Final thoughts

This Spotify music catalog leak is being characterized as a large-scale scraping-and-distribution event with unusually large scope claims, and Spotify says it has already disabled accounts involved and rolled out additional safeguards. The biggest open questions are practical: how much of the claimed audio archive becomes publicly obtainable, and whether the reported DRM-circumvention method can be repeated or has been closed. For most listeners, the most immediate risk remains account takeover via reused passwords, and Spotify’s official “hacked account” guidance remains the clearest action framework if anything looks wrong.​


Subscribe to Our Newsletter

Related Articles

Top Trending

Best Technical SEO Startup for Travel and Hospitality in United Arab Emirates
12 Best Startup Technical SEO Agencies for Travel and Hospitality in United Arab Emirates
coding apps for kids
7 Best Coding Apps for Kids [From Pre-Readers to Teens]
Content Briefs Guide
Content Briefs: What to Include and Why
On This Day July 6
On This Day July 6: History, Famous Birthdays, Deaths & Global Events
referral tactics SaaS
8 Referral Tactics for SaaS Teams That Want Better Word-of-Mouth Growth

Fintech & Finance

Why more Indians are Taking a Rs 50000 Personal Loan for Emergencies and Short-term Needs
Why more Indians are Taking a Rs 50000 Personal Loan for Emergencies and Short-term Needs
Founder comparing the Best Accounting Tools for Founders on a startup finance dashboard
9 Best Accounting Tools for Founders to Keep Startup Finances Clean
Rise of SpaceX Stock Price
The Rise of SpaceX Stock Price: Understanding the Factors Driving Market Interest 
Real Benefits and Expert Insights on Crypings Com
What is Crypings Com: Real Benefits and Expert Insights
5Th Digital Corp Document Errors Banking Onboarding
7 Document Errors That Delay Banking Onboarding for New Businesses: 5th Digital Corp Breaks Them Down

Sustainability & Living

Finnish MaaS Platforms
5 Finnish MaaS Platforms Redefining Global Public Transit Integration
Recyclable symbol meaningless
The Recyclable Symbol Has Lost All Meaning: The Chasing Arrows Lie
plastic-free bathroom
Plastic-Free Bathroom Routine: A Practical Way to Cut Waste Without Making Your Life Harder
transportation choices that lower emissions
7 Transportation Choices That Lower Emissions Without Making Daily Life Impossible
Sustainable Home Setup Complete Guide
Sustainable Home Setup Complete Guide: Build a Greener, Healthier, Lower-Waste Home

GAMING

why AAA games look the same
Why AAA Games Look the Same Even When They Cost More Than Ever
Foullrop85j.08.47h Gaming
Foullrop85j.08.47h Gaming: What It Really Is and Why You Should Be Skeptical
Live Service Killed Creativity
Live Service Killed Creativity, and the Industry Knows It
AI-Powered Playtesting
Top 10 Gaming SMEs and Startups Specializing in AI-Powered Playtesting in the United States
Best Gaming Communities
25 Gaming Communities and Platforms You Must Join Today

Business & Marketing

best accelerator programs
8 Best Accelerator Programs: A Practical Founder’s Guide to Funding and Strategic Fit
best startup blogs
The 10 Best Startup Blogs: A Practical Guide for New Founders
Best Online Founder Communities for Startups
13 Best Online Founder Communities Worth Joining in 2026
best podcasts startup founders
7 Best Podcasts Startup Founders Need for Better Ideas and Sharper Decisions
Best Mental Health Resources
9 Best Mental Health Resources for Founders Who Cannot Afford to Burn Out Quietly

Technology & AI

referral tactics SaaS
8 Referral Tactics for SaaS Teams That Want Better Word-of-Mouth Growth
AI Voiceover Platforms
7 Best AI Voiceover Platforms Worth Using: The Ultimate Guide
Cold Outreach Tactics SaaS
13 Cold Outreach Tactics That Work for SaaS Growth
AI Power in clean energy
Micro-Reactors and Orbital Compute: How The Race For AI Power Is Reshaping Clean Energy
Internal Linking Fundamentals
Internal Linking Fundamentals for Beginners

Fitness & Wellness

air quality wellness devices
13 Air Quality and Wellness Devices Worth Considering for a Healthier Home
habits reduce stress
7 Habits That Reduce Stress Long Term and Feel Calmer Daily
habits better focus
11 Habits for Better Focus That Actually Work
meditation aids tools
11 Meditation Aids and Tools That Support Daily Calm
sleep products that help
9 Sleep Products That Actually Help Improve Your Sleep