A significant data scraping incident targeting Spotify has been revealed, with a pirate activist group releasing metadata from the streaming platform. According to a blog post by the open-source search engine Anna’s Archive, the scrape allegedly includes 256 million rows of track metadata and 86 million audio files. These files are intended for distribution on P2P networks through bulk torrents, estimated to total approximately 300 terabytes. As of December 21, the report indicated that only metadata, not the actual music files, had been released.

Spotify confirmed the incident, stating in a statement to Billboard that an investigation into unauthorized access identified a third party that “scraped public metadata and used illicit tactics to circumvent DRM to access some of the platform’s audio files.” The company initially noted they were “actively investigating the incident.”

Reactions to the report highlight the potential implications. Yoav Zimmerman, CEO/co-founder of Third Chair, a startup developing AI-powered legal tools for media companies, theorized that this incident could allow individuals to create their own free, personal versions of Spotify with sufficient storage and a personal media streaming server. He suggested that the primary barriers would be copyright law and the fear of enforcement. While Spotify’s total audio files exceed the number mentioned by Anna’s Archive, Zimmerman’s analysis points out that the scale of this scrape could potentially surpass MusicBrainz, which currently stands as the largest previously available open music archive with around five million unique tracks.

Anna’s Archive, an organization typically focused on books and papers, framed the project as part of its mission to “preserv[e] humanity’s knowledge and culture.” They described the Spotify scrape as an effort to “build a music archive primarily aimed at preservation,” acknowledging that while Spotify doesn’t hold all the music in the world, it serves as “a great start.”

In an update on December 22, Spotify released an additional statement: “Spotify has identified and disabled the nefarious user accounts that engaged in unlawful scraping. We’ve implemented new safeguards for these types of anti-copyright attacks and are actively monitoring for suspicious behavior. Since day one, we have stood with the artist community against piracy, and we are actively working with our industry partners to protect creators and defend their rights.” This indicates Spotify has taken action to mitigate the immediate threat and enhance its security protocols against such anti-copyright activities.