Report: Music insider site source of leaked songs

Teenager reportedly gets unauthorized access to pre-release songs on Play MPE, a service record labels use to share recordings with industry insiders, and posts them to a BitTorrent tracker.

Matt Rosoff
Matt Rosoff is an analyst with Directions on Microsoft, where he covers Microsoft's consumer products and corporate news. He's written about the technology industry since 1995, and reviewed the first Rio MP3 player for CNET.com in 1998. He is a member of the CNET Blog Network. Disclosure. You can follow Matt on Twitter @mattrosoff.
Matt Rosoff
2 min read

It's an article of faith in the music industry that pre-release album leaks hurt sales. I don't have the statistics to argue the case in either direction, but it makes sense on a gut level: there's less reason for fans to run out and buy a new record, when they already have the uncompressed files on their hard drives.

Play MPE/Destiny Media

As if the record industry hasn't tasted enough bitter irony lately, a bunch of album leaks over the weekend apparently came from a service used by music labels to share files with radio stations, media, and other trusted insiders.

According to a post on AbsolutePunk, somebody signed up for an account with Play MPE under false pretenses, claiming to be an Australian music critic. Then this person--apparently a teenage boy--figured out how to access music he wasn't entitled to, including upcoming releases by The Black Keys, Macy Gray, Hole, The Gaslight Anthem, and many other artists.

The teenager allegedly downloaded the WAV files, then posted them via What.cd, a private BitTorrent tracker, while discussing his exploits on a message board. Play MPE eventually identified him (not publicly, yet) and shut down his account. It is considering legal action, but the damage is done.

The AbsolutePunk story referred to this kid as a hacker, but looking at his self-described exploits, that term might be a little too strong. It's not as if he did any sophisticated DRM cracking. Rather, he noticed that that the URL in the Web-based download file had the characters "songid=" followed by a bunch of numbers. By changing the numbers, he was apparently able to to get other song downloads that he wasn't supposed to see.

Of course, the message board posts could have been fake, or the poster could have been lying. But assuming that this is all true, I have to wonder how Play MPE could have allowed such an obvious security hole. Unfortunately, the artists will probably be the real losers here. As AbsolutePunk says, if you've downloaded these albums and like them, do their creators a favor, and buy the record when it comes out--perhaps on vinyl.