In a cybersecurity incident that has shocked the music and tech worlds, a pirate activist collective claims to have scraped and published most of Spotify’s music catalog including millions of songs and extensive metadata. The group, known as Anna’s Archive, announced that it assembled this data into a massive torrent archive that could change how streaming content is shared and stored online.
Spotify confirmed to Billboard that it is investigating unauthorized access and that illicit tactics to bypass DRM protections were used to gather both metadata and audio files from the platform.
According to Anna’s Archive, a shadow digital library best known for archiving books and academic materials the scrape included:
- About 256 million rows of track metadata (such as artist and song information).
- Approximately 86 million audio files from Spotify’s catalog.
- An estimated total of 300 terabytes of data an immense volume by any standard.
Anna’s Archive describes the effort not as theft in the traditional sense, but as a “preservation archive” meant to back up and safeguard human culture’s musical output. However, whether this justification holds up legally or ethically is already being debated across tech and entertainment communities.
How the Group Says It Did It
The activists claim they discovered a method to scrape Spotify at scale by exploiting weaknesses in how the platform’s systems serve content. In doing so, they were able to pull metadata that was publicly accessible and also audio files that were shielded by Spotify’s DRM (Digital Rights Management). The latter required additional illicit techniques.
While Spotify’s public APIs offer metadata for developers and partners, bypassing DRM protections to obtain audio files is not part of any authorized use case and Spotify has confirmed that their internal investigation has identified such circumvention tactics.
So far, the pirate collective has released a small portion of the archive mainly the metadata while the bulk of the music files are staged for later distribution across peer-to-peer networks using torrent technologies.
Spotify Responds: Investigation Underway
Spotify’s statement to Billboard acknowledged the incident but did not offer full details about the scale or impact. A spokesperson said that the company had identified unauthorized access by a third party, noting that operators scraped public metadata and used unlawful methods to access some audio files. Discussions about the company’s mitigation strategy and the progress of its internal review are ongoing.
The platform has not disclosed whether any user accounts were compromised or if personal user data was involved, and it has not provided a timeline for when it expects to secure its systems fully.
The Preservation Argument and Its Critics
Anna’s Archive frames the massive data scrape as a cultural preservation effort. On its website, the group said that digital platforms like Spotify should not be the only repositories for music, and that a decentralized archive would protect music for posterity. “Of course Spotify doesn’t have all the music in the world, but it’s a great start,” they wrote.
This rationale resonates with some digital preservation advocates who worry that streaming services can remove content at will, potentially erasing parts of music history if licensing agreements or business models change in the future. However, major legal experts reject the idea that unauthorized scraping and distribution can be justified as “preservation,” arguing that copyright law protects creators’ rights and that such actions pose significant legal risks.
Industry observers also point out another implication: the archive’s size roughly 300TB dwarfs previous open music databases like MusicBrainz, which houses around five million unique tracks. If the pirate archive is accurate in its scope, it represents a near-complete snapshot of Spotify’s catalog up to 2025, including many tracks that may never be widely distributed elsewhere.
Potential Long-Term Impact
Security analysts and tech leaders have already begun discussing the potential impact of the leak:
- DIY Streaming Alternatives: With millions of tracks and metadata openly available, individuals could theoretically host their own streaming service on personal servers using tools like Plex though copyright laws would still apply.
- Copyright Risks: The availability of raw audio files outside of authorized platforms heightens the risk of unlicensed redistribution, sampling, or unauthorized commercial use.
- Industry Legal Battles: Rights holders including artists, labels, and publishers are likely to pursue legal action against those who share copyrighted material, regardless of the preservation argument.
Some experts believe the leak could prompt platforms like Spotify to overhaul how they secure their APIs, tighten DRM protections, and invest in stronger anti-scraping technologies. Others argue that the leak simply exposes ongoing vulnerabilities in how digital media is distributed online.
While the full implications of the alleged Spotify data scrape are still unfolding, the incident raises fundamental questions about digital ownership, security, and the future of music distribution in an internet age. As Spotify investigates and rights holders assess their next moves, the broader tech and creative industries will be watching closely to see how this unprecedented event reshapes the streaming landscape.




