Every Avatar's Full 'Recently Played' Music History Was Accidentally Published as a Public Profile Tab for 18 Minutes This Morning — The Window Closed at 9:03 AM — Archive Accounts Have Already Saved Everything

At 8:45 AM EST, a UI deployment pushed to MetaCity's profile rendering system added a new tab to every user's public profile page labeled 'Recently Played.' The tab was functional and fully populated from each user's private listening history — every track, timestamp, play count, and skip event logged by the platform's music recommendation engine over the preceding 90 days. For 18 minutes, this data was publicly visible to anyone who visited any profile. MetaCity's engineering team detected the leak at 9:02 AM and removed the tab at 9:03 AM. In those 18 minutes, at least 14 archive and data-capture accounts ran automated scrapers across the top 10,000 most-visited profiles on the platform. The scraped data has already been published in at least three community threads, organized by account name.

At 8:45 AM EST, MetaCity pushed a routine UI update to its profile rendering system. The update was part of a phased feature rollout for a new profile section called 'Recently Played' — a transparency feature designed to let users voluntarily share their in-platform music listening history with their followers. The feature had been in development for three months. Its design included an opt-in toggle, a privacy selector, and a default setting of 'off.' In the update that deployed at 8:45 AM, the 'Recently Played' tab appeared on every user's public profile page, fully populated, with the default setting misconfigured to 'public.' The opt-in toggle was not visible. The privacy selector was not visible. The data behind the tab — every track, every timestamp, every play count, every skip event from the preceding 90 days — was completely accessible to anyone who visited any profile. For 18 minutes, MetaCity's listening history for its entire active user base was publicly readable.

The 18-minute window was enough. Archive accounts that monitor MetaCity's platform for data exposure events have described their response protocols in previous community discussions: automated scrapers trigger within seconds of a detectable data anomaly and run until the window closes or they are blocked. @ArchiveTrace — the same account that previously exposed @PrismVale's rehearsal archive — confirmed in a post at 9:15 AM that its scraper ran for the full 18-minute window and captured listening history data for the top 10,000 most-visited profiles on the platform. Twelve other archive and data-capture accounts confirmed similar operations in replies to that post. Two additional accounts have not confirmed but have been identified in the metadata of the published threads. The number of profiles actually captured across all 14-plus operations is unknown, but estimates from community researchers range from 30,000 to 100,000.

Eighteen Minutes of Everything You Listened To

The listening history data is, in many cases, more intimate than users expect. MetaCity's music recommendation engine logs not just what users listen to but how they listen — which tracks are played through in full, which are skipped after 10 seconds, which are replayed repeatedly, at what hours listening sessions occur, and how listening patterns shift during events, announcements, or social incidents on the platform. For high-profile creators whose public personas are carefully managed, their private listening histories can reveal information they have not chosen to share: emotional states, private fixations, the gap between their public aesthetic and their private taste. Several of the most-discussed entries in the published threads involve creators whose public brand is built on a specific musical identity, and whose private listening histories are substantially different from that identity. Three creators have already posted responses. None of the three have denied the accuracy of the data.

MetaCity's engineering team removed the tab at 9:03 AM and confirmed the removal in a brief statement that described the incident as 'an unintended configuration in the staged rollout of a privacy-first feature.' The statement noted that the feature's intended design included explicit opt-in controls and that the 8:45 AM deployment 'incorrectly applied the feature's data access layer before the privacy controls were implemented in the frontend.' A full incident report was promised by end of day. The statement did not mention the scrapers. It did not confirm whether affected users would be notified. It did not confirm whether the scraped and published data would be subject to a takedown request. The three community threads remain publicly accessible. @ArchiveTrace, asked in replies whether it would remove the data, posted: 'The data was public. We archived what was public. That's what we do.'