Bands with names like Bergenulo Five and Bratte Night, among others, recently landed in some users’ Spotify playlists without the users actually adding them. And although the bands have little to no presence outside of Spotify, they’ve racked up tens of thousands of listens and potentially scored some cash off those playbacks.

The BBC initially reported on the issue and found the seemingly fake bands on Spotify (SPOT). The bands all had similar characteristics: generic cover art, songs that listed only a couple of minutes with little to no lyrics, and simple song titles that might or might not have had anything to do with the actual music. The artists also have no social media presence or websites and only appear to be living on Spotify.

In its investigation, the BBC found that Bergenulo Five had tallied nearly 60,000 track streams. Others had fewer, but were still able to get people to listen to their music.

“We take the artificial manipulation of streaming activity on our service extremely seriously,” a Spotify spokesperson told Fortune in a statement. “Spotify has multiple detection measures in place monitoring consumption on the service to detect, investigate and deal with such activity. We are continuing to invest heavily in refining those processes and improving methods of detection and removal, and reducing the impact of this unacceptable activity on legitimate creators, rights holders and our users.”

The spokesperson added that the bands cited in the BBC report “were removed because we detected abnormal streaming activity in relation to their content.”

Still, the question remains over how the bands were able to find their way to playlists. Spotify wasn’t hacked by the bands and didn’t suffer a data breach.

Earlier this month, however, security expert Troy Hunt published a blog post on “account takeovers” in Spotify. The post detailed the ways in which hackers could access online accounts, including those from Spotify, by trying weak passwords. It’s possible, though unconfirmed, that the hackers logged in to affected user accounts with simple and weak passwords, like “password” or “1234,” and added the bands’ content to playlists without user input.