What the report claims was taken
Spotify is investigating what it describes as unauthorized access after a pirate activist group allegedly scraped and released Spotify metadata, according to a post published by Anna’s Archive, an open source search engine known for archiving cultural materials.
The report alleges the scrape includes 256 million rows of track metadata and references 86 million audio files, with distribution planned via peer-to-peer bulk torrents totaling roughly 300 terabytes. As of Sunday, Dec. 21, the report said only metadata had been released, not the music files themselves.
Spotify says metadata was public, audio access was illicit
In a statement obtained by Billboard, Spotify said its investigation found that a third party scraped public metadata and used illicit tactics to circumvent DRM to access some audio files on the platform. Spotify also said it is actively investigating the incident.
On Monday, Dec. 22, Spotify issued an updated statement saying it identified and disabled user accounts it described as nefarious, implemented new safeguards to address what it called anti-copyright attacks, and is actively monitoring for suspicious behavior. The company added it stands with the artist community against piracy and is working with industry partners to protect creators and defend their rights.
Why the claims are drawing attention
The allegation has triggered debate about the real-world impact of a large-scale Spotify scrape. Commentary circulating online suggested that, with enough storage and a personal media server, a user could theoretically assemble a private streaming library, though legal risk and enforcement concerns remain major constraints.
Some observers also compared the alleged scale of the dataset to existing open databases such as MusicBrainz. Spotify’s catalog is widely understood to be larger than the figures cited in the post, but the claims still raise questions about how quickly scraped data could spread if packaged for peer-to-peer distribution.
How platforms may respond going into 2026
Incidents involving data scraping and piracy claims typically push platforms to harden defenses, tighten monitoring, and review how third parties interact with public-facing endpoints and user accounts. Spotify’s emphasis on disabled accounts, new safeguards, and ongoing monitoring signals a security response focused on preventing repeat attempts and limiting exposure.
For the wider music industry, the episode underscores how piracy, DRM circumvention, and bulk distribution methods continue to evolve, especially as preservation narratives and activist framing intersect with copyright enforcement and creator protection.