The recent case in which a group of hackers claimed to have copied virtually Spotify's entire music catalog has brought back to the forefront a term that is increasingly common in the tech world: web scraping (or rather, web scraping). Beyond the scandal, understanding this technique is key because it is used for both very useful things and clearly illegal operations.

What is web scraping?

In simple terms, web scraping is a technique for automatically extracting data from websites using programs or bots, instead of doing it manually as a person would with a mouse and keyboard. These bots navigate one or more pages, read the HTML code, and keep only the information of interest: text, prices, images, links, metadata, etc.

The word "scraping" comes from "to scrape": the idea is to "scrape" a website to keep its data and save it in structured formats such as CSV, Excel, JSON, or databases. On a technical level, the process typically follows four basic steps: the script receives a list of URLs, makes HTTP requests to those pages, locates the relevant snippets within the HTML (for example, using CSS selectors or regular expressions), and stores the result in an organized way for later analysis. Behind this, there can be anything from a small Python script that a developer runs on their laptop to entire server farms rotating IPs and proxies to avoid being blocked by the security systems of the sites they are scraping. Therefore, web scraping is not just "a hacker trick": it is a mature and widespread technology, used by both legitimate companies and malicious actors.

How scraping was allegedly used against Spotify

In the case of Spotify, a group of activist hackers —identified in several reports as Anna's Archive— claimed to have copied around 86 million songs and the metadata of 256 million tracks, which would correspond to more than 99% of the listens and the catalog available on the platform.Spotify itself confirmed that it deactivated accounts linked to this group after detecting irregular activity related to automated data extraction, i.e., illegal scraping. According to public reports, the attack did not expose users' personal data, but rather audio files and metadata (titles, artists, albums, ISRC, dates, etc.) that are part of the music catalog the platform has been building for almost two decades. In practice, this opens the door for third parties to create almost complete pirated copies of Spotify's catalog, something that is concerning both copyright and the streaming business model. Although the group presents it as an "archive for the preservation of music," the reality is that the technique used fits perfectly with massive and continuous scraping of Spotify's infrastructure, probably taking advantage of user accounts and automated access to the API or the web player. Platforms typically try to curb this type of abuse with request limits, CAPTCHAs, detection of unusual patterns, and IP blocking, but when many accounts and proxies are combined, it's possible to gradually "scrape" the files, accumulating tens of millions. The striking aspect of this case is its scale: we're talking about some 300 terabytes of files and data, a gigantic amount even by the standards of large companies, demonstrating that a well-orchestrated scraping operation can become a veritable vacuum cleaner of digital catalogs. Spotify insists that the incident does not affect users' accounts or financial information, but acknowledges that it had to strengthen its controls to prevent further automated access attempts. What is scraping used for (and when does it become illegal)? Beyond the context of hackers, web scraping is used daily in sectors such as marketing, competitive analysis, market research, and SEO. Many companies use it to monitor competitor pricing, analyze user reviews, track e-commerce trends, or collect public data to feed AI models and recommendation systems.

It's also very common in the world of SEO and content: SEO and analytics tools use scraping to collect search engine results, snippets, titles, and internal links, allowing for optimized content strategies and the detection of keyword opportunities. Even universities, media outlets, and research organizations use these techniques to study social phenomena using public data from websites, forums, and social networks.

The problem begins when this scraping crosses several red lines:

In several jurisdictions, including those in the United States and Europe,Authorities have made it clear that scraping is not illegal by definition, but it can be depending on what is scraped, how it is done, and what the data is used for. Extracting public data for internal analysis is generally considered acceptable, while massively republishing copyrighted content or building services that directly compete with the original source enters the realm of serious legal risk.

Seen in this light, the Spotify case serves as a double warning: on the one hand, it shows that even large platforms can be vulnerable to large-scale scraping operations; on the other, it makes it clear that this same technique, which drives a large part of the internet's data economy, can become the favorite tool of those who want to copy entire catalogs without paying. For users, artists, and labels, the upcoming conversation will no longer be just about traditional piracy, but about how to control automated data scraping in the age of streaming and AI.