


Last month, an anonymous prankster spun up a website revealing the purported Spotify listening habits of about 50 people, including politicians, tech executives and journalists. The person, who called himself “Tim,” compiled the list from Spotify profiles that the subjects seemed to be unaware were public. Tim gave the site a winking title: The Panama Playlists.
Tim clearly had a sense of humor. The title is a riff on a far more consequential document dump detailing offshore banking activity some years ago. Tim also seemed inspired by a touch of sadism. To his victims, the Panama Playlists popped up unexpectedly, like a Spotify Wrapped compilation from hell.
A playlist purportedly belonging to Sam Altman, the chief executive of OpenAI, revealed that he had to use the Shazam app to identify Missy Elliott’s “Get Ur Freak On” — a mainstay of any millennial hip-hop collection. (That playlist has since been taken down.) An account apparently belonging to Marc Benioff, the founder of Salesforce, maintained a party playlist featuring an on-the-nose song called “Billionaire.” Jacob Helberg, founder of the Hill and Valley Forum, a political group, listens to just as much Charli XCX and Chappell Roan as the rest of us.
The playlist also included the music habits of two New York Times reporters, Mike Isaac and Kashmir Hill. That is, the authors of this article.
Tim had figured out that Mike obsessively listened to “Huggin and Kissin,” a song by the band Big Black Delta — 139 times over the past year. And because of Tim’s digging, the internet now knows that Kashmir’s “writing music” includes Mogwai and Aphex Twin. (She doesn’t mind sharing her focus hack, and has left the list public for other writers to try. But she wasn’t happy to discover that playlists titled with her daughters’ names were public; those are now private.)
Fortunately, our musical tastes were superior to most. Because of the Panama Playlists, Vice President JD Vance may forever be linked to the Backstreet Boys’ “I Want It That Way.” Mr. Vance did not return a request for comment (and who can blame him).
All things considered, it was a little funny to see such a clever use of data. It was also somewhat unsettling.
Well into the social media age, we have grown accustomed to curating ourselves online. Picking top-four movies on Letterboxd is an intentional way to showcase our taste. We decide which vacation photos are most flattering or funny to post to our permanent grid on Instagram. Those books on a shelf in the Zoom background are chosen with care.
But these Spotify playlists were different, created for enjoyment, not for display. It was like seeing someone’s Netflix watch history — a slight invasion and a chance to judge what someone actually consumes rather than what the person claims to like.
This exposure is by design. Spotify executives believe public playlists are a social feature, encouraging users to share and discover new music. That, in turn, can keep people happy, engaged and regularly coming back to the platform. It’s true: Playlist sharing is the modern equivalent of creating a mix tape or burning songs on a compact disc for your friends.
Because of Spotify’s privacy settings, any new playlist is set to public by default. To hide past playlists from others, users have to go to each one and flick the switch to private. Even to us, two reporters who cover technology and privacy for a living, this was a surprise. Anyone on the internet could see our playlists, and in Mike’s case every song he listened to in real time. (Mike had a setting called Listening Activity turned on; Kashmir had it flipped off and therefore was not outed as a Swiftie.)
Tim, whose real name is Riley Walz, eventually came clean to us. A 23-year-old engineer, he built a series of bots that automatically “scraped” — or continuously collected — Spotify listening data of dozens of political, media and entertainment figures. Finding their accounts was easy: He started by typing their names into a search bar on Spotify. Many users, especially those with older accounts, may not realize that their real name or email handle may be publicly attached to their Spotify accounts.
“The Panama Playlists creator is in violation of our User Guidelines, which make clear that you may not scrape information like listening activity from the service via manual or automated means,” a Spotify spokeswoman said by email. “Our legal team has been in contact with the site creator.”
Mr. Walz confirmed that he had received a cease-and-desist email, but said he found it to be without “merit.”
Mr. Walz picked Kashmir because of her reporting on privacy. He homed in on Mike because of how much of Mike’s listening data was public, and for Mike’s crippling social media addiction, which Mr. Walz suspected might be helpful to promoting his site.
(He was right. Mike posted about the Panama Playlists on X after Mr. Walz sent him a link via Signal, the secure messaging app. It went mildly viral. The positive reception made Mr. Walz feel he should claim credit for it.)
Mr. Walz did some digging to connect the Spotify accounts to the public figures. For instance, he found an account called “pambondi” that had playlists titled with the names of close relatives of the attorney general of the United States.
Not all of Mr. Walz’s guesses panned out.
A spokesman for Gov. Ron DeSantis of Florida denied that a “hodgepodge” music mix attributed to Mr. DeSantis was legitimate. He said the governor approved of its inclusion of Johnny Cash and Frank Sinatra, but said the absence of country artists and ’80s metal bands “is proof that this is not, in fact, his playlist.”
And we should note that not all of the playlists in the leak have been confirmed as real. A dozen or so people in tech and media told us that their listings were authentic, while most of the politicians, including Ms. Bondi, and some of the billionaires, including Mr. Altman and Mr. Benioff, did not get back to us.
The release of the Panama Playlists is not Mr. Walz’s first time playing with data in provocative ways. He recently used public Google reviews to create LooksMapping, a guide that rates restaurants on the “hotness” of the patrons. An older project he called IMG_0001 highlighted a now deprecated feature of iPhones that allowed users to instantly share unedited videos to YouTube. His goal with many of his projects has been to show just how much data can be found on the open internet.
“Thirty years ago, I couldn’t walk into an office somewhere and ask them to hand over all of their records,” he said in an interview. “Now, all I need to do is spin up a bot.”
A Spotify spokeswoman said playlists had always been public by default. In the past, the company trumpeted initiatives that encouraged people to share their listening habits. That included an ill-fated partnership in which songs that users played on Spotify were automatically shared on Facebook, where their friends could see what they were listening to in real time. (As you might imagine, many people did not like this. That 2011 integration ended in 2015, the Spotify spokeswoman said.)
Spotify is far from the only company making these sorts of design decisions. On Venmo, for instance, many people did not realize their transaction history was public until BuzzFeed News wrote about the feature. Our colleague Jessica Testa, who covers media, told us that Substack follows are also public by default, revealing the newsletters that people subscribe to or pay for. Never mind that librarians have long fought to protect the privacy of their patrons, because what we read can be a barometer for our interests and sympathies.
“Intellectual privacy means you should have the right to read anything or listen to anything, no matter how embarrassing it might be if people learn about it, without interference or surveillance,” Neil Richards, a law professor at Washington University, said in an interview.
Some of the subjects on Mr. Walz’s list were less perturbed by their inclusion than we were. Palmer Luckey, creator of the Oculus virtual reality glasses and founder of Anduril, a military tech company, said in an email that he had created his Spotify account a decade ago to share music with his friends, including one playlist devoted to Pokémon. He said he had forgotten about it. These days, he added, he prefers listening to tunes on “dedicated music devices,” including cassettes, CDs and an iPod.
“As for Pokémon, I haven’t listened to that particular playlist in a long time because I have far superior comprehensive Pokémon megamix tapes I have put together myself,” he said.
Brian Armstrong, the chief executive of Coinbase, also confirmed that he had a playlist that was seven hours long, composed entirely of one song: “Long Way Home” by Gareth Emery.
“It helps me do deep focused work, don’t ask me why,” he wrote on X.
Mr. Helberg, the Hill and Valley founder, said he was unembarrassed by his playlist (though he noted it was an older one, not in current rotation).
“The stereotype is that it’s cool to listen to indie music that you can only hear being played in the background of a restaurant in Tulum,” he said in an interview. “In the real world, people listen to popular music. There’s a reason the Top 40 are in the Top 40.”
Some people — particularly young ones — may call our pearl clutching a function of our age. Entire generations are growing up with an online existence baked into their everyday lives. They can’t fathom, for instance, a time when read receipts — the setting that lets friends know you’ve seen their text messages — didn’t exist. And they have opted in to continuously share their location using Snap Maps, or Apple’s Find My, mixing the idea of serendipitous meet-ups with the advent of the GPS location tracker in everyone’s pocket.
Even so, when Instagram recently rolled out its version of a location-sharing map product, the internet freaked out. Senators went as far as calling for the company to abandon the feature.
Unlike Spotify’s public playlists, Instagram’s feature was not flicked on by default. It caused a stir regardless, requiring Adam Mosseri, Instagram’s top executive, to explain the company’s decision.
“We can, and will, make it easier to understand exactly what’s happening,” he said.
As far as these two tech reporters are concerned, we’d appreciate it.
Audio produced by Patricia Sulbarán.