Most people send files to collaborators without a second thought — open a new email or text, click attach, hit send. Benjamin Thomas is not most people. “What I normally do is I encrypt it and send it with a 20 character randomized password via email,” he says. “And then I do a verbal confirmation of who the file is going to and deliver them the password through another method.”
Thomas is not employed by the National Security Agency; he’s an engineer who works closely with the rapper Lil Uzi Vert. But since Lil Uzi Vert’s most passionate fans are not fond of waiting for him to release music at his own pace — they want to hear it now, and will happily consume leaked songs in whatever form they can find them — these sort of safeguards are necessary.
Thomas’ precautions have helped drastically reduce the frequency of leaks. “He’s got a real blueprint for engineers to keep sh– under lock and key,” says Jason Berger, a partner at Lewis Brisbois, where he represents a number of producers who frequently collaborate with Lil Uzi Vert. “Uzi’s stuff used to leak a lot,” the attorney notes. “From about March of 2020 until the Pink Tape dropped [in June, 2023], not one f—ing record leaked out.”
But leaks remain a fairly regular occurrence in the music industry, especially in hip-hop, and happen in myriad ways. Despite being digital natives, the younger generation which tends to drive music is susceptible to being swindled: The Federal Trade Commission reported last year that 44% of people ages 20 to 29 said they lost money to online fraud, compared to 20% of people ages 70 to 79. When it comes to music, a lot of leaks boil down to “doing dumb stuff on the internet,” as Thomas puts it.
He puts leak into two different categories: Some stem from carelessness, others from hacking. A lot of the careless leaks are the result of common email phishing techniques.
The producer Warren “Oak” Felder recently received an email from his assistant — or so he thought. “He was asking me for something that made sense: ‘Hey, I need the bounces for some records because management asked,’” Felder says. But one sentence in the email stuck out for its odd construction, so the producer texted his assistant, who confirmed he didn’t send the email. “The amount of fake emails I get is crazy,” Thomas adds.
The same thing also happens by text. “Friends of mine in the industry have fallen victim to people phishing, where they’ll get a text from somebody that is acting like somebody else, maybe an artist, saying they had to get a new phone, for example,” says Anthony Cruz, an engineer who works closely with Meek Mill. Maybe they ask for a demo, or maybe “they’ll send you a link, and that file ends up hacking your entire account,” prying loose any closely guarded tracks.
Obtaining leaks via hacks can be more sophisticated, like the technique known as SIM-swapping. “They’ll first find as much information as they can about the person that they want to hack,” explains the producer Waves, who has an unreleased song with Juice WRLD that’s floating around online due to a leak. “Then they would call your cell phone provider, say, ‘Hey, I lost my SIM card, I just got another one. Can you transfer my number over to this phone?’”
If the perpetrator has been able to glean enough personal information — ranging from troves of previously hacked passwords that exist online to things like a mother’s maiden name — they can waltz past account protections and take over the account of the target phone. “From there, they just look through your email,” Waves says. “Sometimes they’ll even find full Pro Tools sessions and they’ll sell those. Honestly, some of them are pretty good hackers.”
Even if engineers, producers and artists are vigilant about protecting their own phones and computers, that may not be enough. Studios can be surprisingly loose with valuable materials. “A year ago, one of my clients was in one of these major recording studios and all of a sudden he’s hearing a collaboration between an A-list artist and somebody else that nobody even knew happened,” says Dylan Bourne, who manages artists and producers. “He was hearing it by accident in the studio because it was just on the computer.” Thomas “heard a story about somebody sitting outside the studio who logged into the Wi-Fi from a car,” enabling him to make off with files.
And yet another moment of vulnerability occurs when artists ask other acts for features and send over a track. “Now you’re relying on that artist and their team to protect the files,” Cruz says. “It’s out of your hands. A couple of leaks that we have been a part of have been because of that.”
Due to the danger of files ending up in the wrong hands, “a lot of artists are starting to use private servers to share music,” according to Felder. “They’re saying, ‘listen, if you send me the record, don’t text it to me, don’t email it to me.’”
One of Bourne’s clients, a producer, recently had to determine splits on a song he worked on for an A-list artist. The artist convened a listening session on Zoom “so that they could know what it made sense to argue for, but not have access to the song in any capacity,” Bourne says. “In the past people would have sent listening links.”
Another tactic Felder has taken up is “naming things cryptically.” This way, in case someone gets into a Dropbox folder or email and roots around for demos of songs featuring notable artists, at least that person can’t easily figure who is recorded on what.
Leaks are “not a situation that’s going to go away,” Bourne continues. “Artists who care have to get ahead of it and be more protective about the music.”