It may be shocking, but my first hacking experience happened only recently. The perpetrator wasn’t after my bank information or my Facebook account or any other sensitive information. All he wanted was to play Rae Sremmurd.
A Spotify breach is particularly low stakes in the world of hacking, but it led me to one of the most bizarre online experiences I’ve ever had. My day started like any other: Before a jog, I wanted to throw on some Pearl Jam or early 2000s punk. I have my playlists set up and curated; I am a creature of habit when it comes to music, so there’s never much adventure within Spotify for me. But I noticed something odd that morning when I opened the app: a bunch of “recently” played artists, few I’d ever heard of. A mistake, I figured.
All week, though, I’d been getting weird alerts from Spotify saying that my account was streaming from a different device. I’d assumed that was some technical mixup — none of the devices were named and none interrupted my song more than once. But that morning as I started to dig deeper, I found one user firmly entrenched in my account: A gentleman named “Mario.” He was the one playing the music; the moment I discovered the breach, he was streaming “Black Beatles.”
My account had been hijacked.
Let’s be clear: There are many important accounts that can be hacked, but as I found out, even having less serious accounts breached can be annoying. Because an account can play only one song at a time, if you play a song, the intruder can just come right back by playing a song on the other end. The result was about 15–20 instances in which I would play “Black Beatles” for five seconds, and he would play “Black Beatles” for five seconds.
In addition to the back-and-forth music war, I discovered my playlists had been rearranged and he’d saved multiple songs on my account (ruining my running playlist, Mario!). But it was at this moment that I realized that going back and forth with him on “Black Beatles” was not the solution. This was going to take more.
Like any moderately capable internet user, I logged into Spotify from my laptop, signed out of my account, and changed my password. But I logged back in and iPhone de Mario was still there, playing music. At this point, attack became my only option: I would fight him with music. Because I could control what he would listen to, I could make him listen to anything. No matter how awful. The song choices were meant to be obnoxious and as far from iPhone de Mario’s preferred “Black Beatles” as possible:
Mario was undeterred:
OK, maybe that song was too good, so:
OK, time to hit “related artists” and find some real bad shit:
So far this had been a disaster; Mario seemed to be fine with Bon Jovi. I needed to bring in the big guns of crap music. I turned to browse and found a playlist called “New Country.” I introduced Mario to Florida Georgia Line:
Mario, take this:
This is like Tom Brady coming back from down 28–3:
Uh. New strategy: Music I like that he won’t. I decided to smoke him out by playing loud and aggressive good music:
It worked! Mario logged out!
My playlist fight with Mario is not an isolated incident. Many Twitter users have reported the same thing happening.
I reached out to Spotify to ask what exactly happened, how common this is, and also … if the company could help me find Mario so we could discuss our friendly music war. I received no such help, but a representative did confirm my account was taken over:
“We’ve located your account and can confirm that an unauthorized party had taken it over,” I was told via email. “However, please be assured your full payment information has never been displayed and that we’ve always applied rigorous security practices to protect your information.” Spotify also advised me to make sure I log out of my account if I use it on public computers (duh) and that it could restore any of my playlists Mario had tampered with (good, because he had).
By the way, “Black Beatles” is a really good song. It’s on my playlist now. Thank you, Mario. Wherever you are, I hope you’re listening to Florida Georgia Line.