Spotify Is Publishing AI Tracks of Dead Artists - The 404 Media Podcast

Summary5 min read

The 404 Media Podcast: Spotify Publishing AI Tracks of Dead Artists

Episode Release Date: July 23, 2025
Host: Joseph
Co-Hosts: Sam Cole, Emmanuel Mayberg, Jason Kebler

1. Introduction to the Episode

In this episode of The 404 Media Podcast, host Joseph and co-founders Sam Cole, Emmanuel Mayberg, and Jason Kebler delve into two pressing issues at the intersection of technology and media: the unauthorized publication of AI-generated music by deceased artists on Spotify and the alarming trend of hacked data being sold to debt collectors.

2. Spotify's Unauthorized AI-Generated Music

a. The Incident with Blaze Foley

Emmanuel Mayberg introduces the first major story, focusing on Blaze Foley, a lesser-known country singer from Texas who tragically passed away in 1989. Emmanuel explains:

"[03:45] Emmanuel Mayberg: ... Blaze Foley was a country singer, songwriter, poet from Texas, tragically killed in 1989... After his death, his record label owner found a live recording from his last show and decided to release his music posthumously on Spotify."

Recently, Spotify's official Blaze Foley page began featuring a new song titled "Together," purportedly released on July 14. However, fans and the 404 Media team quickly realized these tracks were not authentic Blaze Foley songs but AI-generated content. Emmanuel states:

"[05:24] Emmanuel Mayberg: The song 'Together' was uploaded to Blaze Foley's official Spotify page, claiming a release date after his death. Fans recognized the discrepancy as the style didn't align with Foley's authentic gritty, acoustic sound."

b. Spotify's Response and Underlying Issues

Upon investigating, Emmanuel discovered that the unauthorized tracks were linked to a company named SyntaxError, which appeared to be the source of these fraudulent uploads. Spotify's response was limited:

"[15:19] Emmanuel Mayberg: Spotify removed the flagged songs, stating they violated their deceptive content policy, but provided minimal information about the distributor, SoundOn."

SoundOn, a music distribution service owned by TikTok, facilitates the distribution of music to platforms like Spotify. The issue suggests a potential vulnerability in Spotify's verification process, allowing malicious actors to upload unauthorized AI-generated tracks under legitimate artists' profiles.

c. Broader Implications for AI in Music

Jason Kebler expands on the broader context of AI-generated music:

"[19:15] Jason Kebler: Lawsuits against AI music platforms like Suno and Udo are likely to settle, leading to more AI-generated content proliferating across platforms like Spotify. This raises concerns about authenticity and the integrity of artists' legacies."

Joseph emphasizes the ethical dilemmas posed by such practices, highlighting the challenges in distinguishing between human-created and AI-generated content and the potential harm to artists' reputations.

3. Hacked Data Sold to Debt Collectors

a. The Emergence of Farnsworth Intelligence

Joseph transitions to the second major story, revealing how a startup named Farnsworth Intelligence is commodifying hacked data:

"[26:42] Joseph: Farnsworth Intelligence, a private cybersecurity firm, is repackaging data hacked from approximately 50 million computers and selling it to debt collectors, known as skip tracers. This includes sensitive information like passwords, email addresses, and billing details."

Emmanuel adds context about how this data is typically acquired:

"[28:09] Emmanuel Mayberg: Data is often stolen via malware bundled with pirated software, such as cracked versions of Photoshop. Once installed, this malware harvests sensitive information from users' browsers."

b. Ethical and Legal Concerns

The discussion delves into the ethical implications of selling such data:

"[34:31] Joseph: The use cases for this data are concerning. While it can aid law enforcement with warrants, it also facilitates unethical practices like harassment by debt collectors and competitive intelligence against rival companies."

Emmanuel references legal perspectives, citing a privacy lawyer from Epic:

"[36:43] Emmanuel Mayberg: A privacy lawyer pointed out that even if data is publicly available due to a breach, it remains illegal to use it in court, as seen in the Ashley Madison case."

The team contemplates the potential for misuse and the lack of regulation surrounding the sale and application of hacked data, raising alarms about privacy violations and the revictimization of individuals whose data has been compromised.

c. Comparison with Existing Cybersecurity Tools

Joseph contrasts Farnsworth Intelligence's offerings with established tools like Have I Been Pwned:

"[37:04] Emmanuel Mayberg: Unlike Have I Been Pwned, which alerts individuals about breaches without exposing raw data, Farnsworth provides direct access to sensitive information, exacerbating privacy risks."

They discuss the potential for abuse, emphasizing that unrestricted access to raw hacked data can lead to severe ethical and security issues.

4. Expert Opinions and Future Implications

Both stories highlight significant gaps in current digital platforms' ability to safeguard against unauthorized content and data misuse. The podcast underscores the necessity for:

Enhanced Verification Processes: Platforms like Spotify need robust systems to prevent malicious uploads.
Stringent Regulations: There is an urgent need for legal frameworks governing the sale and use of hacked data to protect individual privacy.
Ethical AI Development: As AI becomes more integrated into content creation, ethical guidelines must be established to prevent exploitation and preserve the integrity of artists' works.

5. Concluding Thoughts

The episode wraps up with reflections on the rapid advancement of technology and its implications for media integrity and personal privacy. Joseph encourages listeners to stay informed and support ethical journalism through subscriptions to 404 Media.

"[21:21] Joseph: ... we're seeing AI-generated music infringing on artists' legacies and startups exploiting hacked data for questionable purposes. It's a call to action for better protection mechanisms and ethical standards in the digital age."

Key Takeaways

Unauthorized AI Music: Spotify's platform has been compromised with AI-generated tracks attributed to deceased artists, raising ethical and verification concerns.
Data Exploitation: Startups like Farnsworth Intelligence are repackaging hacked data for use in debt collection and competitive intelligence, highlighting glaring privacy issues.
Ethical and Legal Gaps: Current systems lack adequate safeguards against such abuses, necessitating stronger regulations and ethical guidelines.
Future of AI in Media: The integration of AI in content creation must balance innovation with respect for artists' rights and individual privacy.

For listeners interested in exploring these topics further or supporting ethical journalism, subscribe to 404 Media at 404media.co. Subscribers gain access to ad-free content, bonus episodes, and exclusive insights into the stories shaping our technologically driven world.

Loading summary

Transcript59 lines

[00:04]
Joseph
Hello and welcome to the 404 Media podcast where we bring you unparalleled access to hidden worlds, both online and IRL. 404 Media is a journalist founded company and needs your support. To subscribe, go to 404 Media Co as well as bonus content every single week. Subscribers also get access to additional episodes where we respond to the best comments. Gain access to that content at 404 Media co. I am your host, Joseph and with me are the 404 Media co founders, Sam Cole.
[00:34]
Sam Cole
Hey.
[00:35]
Joseph
Emmanuel Mayberg.
[00:36]
Emmanuel Mayberg
Hello.
[00:37]
Joseph
And Jason Kebler.
[00:39]
Jason Kebler
Hello. Hello.
[00:41]
Joseph
All right, straight off the top, I would just remind people that we're having an event in Los Angeles July 30, Wednesday at 6pm 404 Media subscribers get in for free. There's going to be free wine and beer with going to do a live podcast recording. It's most likely going to be about the technology that powers Immigration and Customs Enforcement. Obviously that has a ton of relevance to Los Angeles recently. I believe we might have some guests, but we're finalizing that there's a link in the show notes. Sign up if you're a subscriber in Los Angeles and come along for some free booze and to hang out with us and meet like minded people. If you're not a subscriber, it's $10 to get in. But to be honest, that's also the cost of a subscription. So just subscribe. I don't know. That would make more sense.
[01:36]
Sam Cole
Yeah.
[01:37]
Jason Kebler
If you don't look at the show notes, you can find the event page by going to bit ly. So bit ly404 Rip Space. Rip Space. That's the name of the venue that we're having it at. So it's bit ly404 ripspace.
[01:55]
Sam Cole
And if you're not in Los Angeles, we are going to probably attempt to.
[01:59]
Jason Kebler
Do some live streaming beforehand. No promises. We are going to try to set it up though, just to experiment with something new. Could be fun. So I guess if you're online Wednesday afternoon, check our socials, et cetera, we may be going live hopefully.
[02:18]
Joseph
Yeah. Still not sure how we're going to do that, but I think it'll be a fun experiment and just doing these events gives us a chance to try something new. The other piece of housekeeping before we get to this week's stories is that we just published a wave of our ICE coverage in Spanish. We got a professional team of translators to translate into Spanish that for us it's something like eight articles. If you are a subscriber and you follow via an RSS feed. You probably just got a bunch of Spanish articles into your feed. And I got some comments with people asking, oh, what's going on? And then it became clear what was happening, which is that we think this coverage is really important and more people should be able to read it. So we've taken money kindly given to us by our subscribers and paid for this to be translated. So if you see that on the site, that's why. And if you think of anybody who really could do with reading that coverage, of course, please send it to them as well. All right, let's get into this week's stories. The first is one from Emmanuel. The headline is, Spotify publishes AI. AI Generated Songs from Dead Artists without Permission. I mean, kind of spoils it in the head almost. There isn't really a twist here. It's very, very on the nose and very clear what this is going to be about. But this sort of starts at the beginning. Emmanuel, who is Blaise Foley? I hope I'm pronouncing that correctly. Who is that exactly?
[03:45]
Emmanuel Mayberg
Yeah. So I'll just. I'll give the caveat that I'm not a big music expert and definitely not a country music expert, but I was very interested in Blaise Foley's story, who I frankly only learned about from reporting the story. But he was a country singer, songwriter, poet from Texas, was performing mostly in Texas, I believe, mainly active in the 80s. He was tragically killed in 1989, and as far as I understand, died mostly on unknown. Like, people knew him in the Texan music scene, but he wasn't like a very famous country singer. And after his death, somebody who owns a label in Texas discovered a live recording of what I think was his last live show a few days before he was murdered. And he just loved it. When looking for more recording of his music, got in touch with his mother and asked for permission to put all his music out. And he did. This is Craig McDonald, who I talked to for this story. He runs Lost Art Records, and they are like the company that puts all the music. And since he did that, he got posthumously, like, more famous and kind of is like a loved country singer whose music is on Spotify thanks to MacDonald.
[05:25]
Joseph
Yeah. And with all that context, a little bit weirdly, he allegedly has a new song called Together. I'm gonna play just a few snippets of it. I'll probably jump through, but here's a little bit of that. It's just that the night has fallen And I wanna be with you. Okay, so what's the issue with this song? I think there are two issues. The first one's pretty obvious that he's not alive. What's the second issue?
[06:05]
Emmanuel Mayberg
So, yeah, I mean, according to the Spotify page for this song, which appeared on Blaze Foley's official Spotify page, like if you search Spotify for Blaze Foley and you went to his official artist page, you would see this as his latest song. It claimed to have been released on July 14, which doesn't make sense because he's dead. And then also, if you were a Blaze Foley fan, you would immediately know that this is not his music. I think Jason and Sam listen to some country music and from what I understand, this is kind of like maybe like modern country music adjacent, maybe. But this is not the kind of music that Blaze Foley put out. And I don't know if we can or want.
[07:01]
Sam Cole
I have to admit, I don't know.
[07:02]
Jason Kebler
Much about Blaze Foley either. I do listen to country sometimes, but this doesn't really sound like him.
[07:10]
Emmanuel Mayberg
Yeah, it's like super produced and like, I don't know what the correct term for it, but like pop country or something like that. And he was like, way more gritty, kind of like alone on an acoustic guitar kind of vibe.
[07:24]
Jason Kebler
I will say real quick, the fact that he's dead doesn't necessarily mean, like, no new music comes out. Just because it's like there's been so many artists. Like, Elliot Smith died and then released like four more albums because his, like, state went through his demos and started releasing them. Like, Tupac, what the joke was like, Tupac. Have you heard Tupac's new album, like 15 years after he died? Same with like juice, wrld, et cetera.
[07:49]
Sam Cole
But like, to be clear, these are not.
[07:52]
Jason Kebler
This is not that. This is like nothing like that.
[07:55]
Joseph
Well, Emmanuel, maybe it's helpful to go back a little bit and just tell us how did you learn about this? And we'll get to the fact that it's AI Generated in a minute. And maybe that was in the original tip as well. I will say that us just listening to it now, I mean, I haven't listened to a ton of AI Generated music. We have spoken about it on the podcast before. We have played snippets on the POD before as well. And that was very, very obvious then. This was like more than a year ago. And it has that, like wishy washy, almost dreamlike quality. I don't know, I listened to that. Sounds like that could be a recording, but that's getting a little bit ahead of ourselves. How did you learn about this?
[08:34]
Emmanuel Mayberg
First of all, I first learned about it from a Reddit post that I believe was posted to R Artificial, which is a AI subreddit. But it was from someone who was a fan of Dave Foley and they just shared a screenshot of that Spotify page, which, by the way, doesn't only include this AI generated song. It includes like an AI generated image of the artist who is like a young, I don't know, like punk singer of some kind. Again, not Blaze Foley, who has like a cowboy hat and a big beard and mustache. You know, looks like a Texan country singer. And they were like, this sucks. Like, this sucks. I'm a fan of him. And like, this is super disrespectful. And we know that there's AI music on Spotify. This is not something that Spotify has banned. I don't know, someone could argue that this having a lot of AI generated tracks on Spotify benefits them. But the fact that it was flagged by a fan first and the fan said this is super disrespectful to a dead artist is obviously what caught my attention and why I decided to look into it. Immediately verified that this happened, verified that it has happened to other people. And I was like, who do I talk to in order to verify this? You can talk to the artist. He has died. So I looked at who manages his music and reached out to this record company and then ended up talking to Craig McDonald who was quite nice and also understandably offended who he does this as a business, but clearly it is a passion project that he got into out of like respect and love for this. This guy's music. It was horrified that this happened.
[10:30]
Joseph
Yeah, I was going to ask, just to elaborate on that. You say he was horrified. What was his reaction to this happening? And did he already know or were you the one who told him or he knew.
[10:43]
Emmanuel Mayberg
He said that his wife noticed that the day before. They had not. It was over the weekend, so they had not contacted Spotify yet. He did contact like a distribution partner who he believes kind of manages some of the Spotify end of things. And he had not heard back from them. I reached out to them as well and I have not heard back from them either. His reaction, kind of like, I think he had two main points. The first is like he put the music on Spotify not because it was some genius money making scheme, because artists make a lot of money on Spotify. You know, it's just like, even if Millions of people listen to Blaze Foley on Spotify. That would not really benefit him a lot financially. He put it on there because he was like, oh, more people could discover this guy's music, who I love and I want to share with the world. And it's like a really easy way to access it, so I'll put it there. I think totally fair. And he was in a situation where this page that he was allegedly in charge of without his permission, suddenly put this fake, bullshit, bad music in front of people and said, hey, this is actually Blaze Foley. And you know, that he found damaging because it misrepresented the artist, it disrespected his music, et cetera. So that's the first point, which I think is totally fair. The other one, he was like, I'm not an engineer, I'm not a computer guy, I'm not an expert. But he was like, I feel like this should be easy to fix. Like, I feel like this should be easy to fix and prevent entirely with the simple addition of, like, hey, if I manage this page, could Spotify please check in with me before they add anything else to the page? And I thought, like, yeah, that sounds like a totally fair way to handle this. So that's kind of. That was his response.
[12:32]
Joseph
Yeah. And you mentioned this, but there's something I just want to stress, which is that this is not just like the earlier examples of AI music. There was a Drake track a couple of years ago, or people didn't know whether it was Drake or not. And impersonating of AI, blah, blah, I don't have to go into all of that. But that happened. This is that. But also, Spotify is representing it as from the official account, from the official page of this artist. And I think that's what really stings a lot here. Before we just get to a couple more questions, what are some other examples then? So it's not just one artist you found? I think a couple more as well. Right?
[13:18]
Emmanuel Mayberg
Yeah. So there is another singer, songwriter, also a country singer songwriter named Guy Clark. He actually won a Grammy and he's, you know, much more famous than Blaze. And he had a song called Happened to youo, which was also AI Generated. It seems to have come from the same place as the fake Blaze song. And that is. That seems pretty clear to me. Based on, again, it had the same kind of AI generated image of a guy who looked nothing like Guy Clark. And there was a copyright at the bottom of both pages, both indicating that the copyright belonged to a company called SyntaxError, which I couldn't find any traces of online other than a few Spotify pages that were AI generated songs on the pages of real human artists on Spotify. So there's Guy Clark and then another one, a singer named Dan Burke, who I think is relatively unknown and is very much alive, had one of these songs on his page. I reached out to him. I haven't heard back. If anybody knows Dan Burke, please hit him up and tell him to get back to me. I'd love to hear his perspective. And yeah, I ran all of these by a company called Reality Defender who we mentioned a few times, and they do like deep fake detection. And they said all the songs seem to be AI generated.
[14:55]
Joseph
Gotcha. So do we know exactly what is going on here? Like, how are these AI generated songs, which aren't made by the original artist, how are they ending up on the official profiles of real artists? Is it something to do with how people upload tracks to Spotify or something? Or mischaracterizing? Like, do we have any insight into that yet or does that come later, you think?
[15:20]
Emmanuel Mayberg
So I published a story and then immediately after I published Spotify came back to me and said that they removed all the songs that I mentioned here and that I flagged to them all these songs that were uploaded seemingly by this entity called syntaxerror. And what Spot. What Spotify claims is. I'll just read what they said. We flagged the issue to Sound on the distributor of the content in question. It has been removed for violating our deceptive content policy. That's kind of like the extent of their statement. And I was like, okay, interesting. What is this? What, what is Sound on? This is like the first time that Sound Soundon has been mentioned by anyone that I talked to and like entered the conversation. Soundon is a company owned by TikTok and is essentially a music distribution company that TikTok runs. It exists primarily. So if you're an artist and you want to put your music up on TikTok and monetize it, you can do it via Soundon. So you upload it to Soundon, they make it easy to put it on TikTok and then like earn your royalties that way. They also handle distribution to other platforms. So if you use Sound on, you don't have to just put it on TikTok. You can also take it to Apple Music, to YouTube, to Spotify, maybe Tidal as well. And so I don't know, we don't know for a fact what has happened, but it seems like somebody basically created like a fraudulent this is my theory. Somebody created a fraudulent sound on Profile and then used it to upload music to the official pages of all these other artists on all these other platforms. And for whatever reason, nobody bothered to check or the check, like the. The verification system wasn't good enough to detect that this has nothing to do with Blaze Foley or his estate or Dan, or with Dan Burke or all these other people. And I want to know more about this. So if you're listening and like you're a musician and you have stuff up on other platforms and this is happening to you, I've already heard from quite a few people that this has happened to them. And it definitely seems like something is messed up in the distribution of online music, which includes all these middlemen between the artists, the record company and the platforms where some fuckery seems to be happening. And what happened here. And also, sorry, another thing I heard since, like a lot of people flagged other AI generated music to me that was attached to the pages of real artists and it seems like a bunch of them got nuked and I might do a story on that later and see how much of this music was actually removed. But my bet is also that sound on just killed this one bad player and that took down all this bad music at the same time.
[18:21]
Joseph
Yeah, that makes sense. And I think just to end. And Jason, you wanted to give us an update on AI music?
[18:27]
Jason Kebler
I just wanted to say that, like, this seems like it was, I guess, let's say, a bad actor trying to populate this person's official Spotify profile. And we have heard this sort of music showing up on other platforms as well. But there's been recent articles about AI generated music and like, artists who don't exist that have gone viral on Spotify and, you know, are racking up millions of streams. And one, it's like, I don't know, that's. That's like the future that we're in now. Like, there's AI slop all over Spotify and then there's also like, I don't know how to say it, but like slightly better AI music that's like more produced, that's showing up on Spotify.
[19:14]
Sam Cole
And a few months ago we were.
[19:16]
Jason Kebler
Talking about these lawsuits by Universal Music, like Sony, a few other, like, major record labels against Suno, which is an AI music generation platform. And at the time it seemed like this was going to be like, perhaps a pretty interesting lawsuit. Like it was probably going to lead to some sort of consequences for Suno and Udo, which is the other major AI music generation platform. But in recent weeks there's been reporting saying that Universal and some other really big record labels are most likely going to settle this case and they're most likely going to sign some sort of licensing deal, which I guess maybe we should have known was the most likely ultimate outcome of this. But it seems more likely that record labels are going to try to integrate AI music generation like into their own ecosystem. And like, I personally think the end result of that is going to be like just way more AI generated music on every platform, all over the place. Like, I don't see it ending super well. And so that's just to say like this phenomenon that Emmanuel has found and is like super disturbing because it's taking advantage of real life artists and hijacking their pages and watering down what they're doing. But I do think that these platforms are getting increasingly overrun with AI generated music. And I think very soon record labels are like, see the ability to generate music without artists and to do it super cheaply and take like a lot of shots at publishing music and trying to have a hit without having to pay human beings. And I just like really worry about where that's going. So I'm sure that we'll continue to cover it. But this big time lawsuit really seems like it's probably not going to move forward and there's going to probably be some big alliance between the AI music makers and the record labels.
[21:21]
Joseph
Yeah. And not just not pay people, but also gather the skills themselves to become a musician and develop music. Very, very quick shout out. If you're interested in somebody who is producing generative music, which can do sort of the promise of AI, but it does it in a much more ethical and interesting way. People should check out somebody called Tim Exile, who I've followed for years, and he's been releasing some really, really interesting technology software and hardware over the past couple of months. And I'm hoping to cover him at some point as well. All right, we'll leave that there. When we come back, we're going to talk about a story I wrote about. You know, another interesting way to put it lightly, the hack data is being used or sold to debt collectors. We'll be right back after this.
[22:22]
Jason Kebler
True or false?
[22:23]
Sam Cole
Incognito mode makes you invisible on the Internet. The answer is false. Most people have no idea. But your browsing history can still be monitored and even recorded unless you use Express vpn. A lot of content on the Internet, whether it's from Netflix, Disney, BBC, iPlayer or porn. If you're in one of the states. With age verification laws can be blocked.
[22:44]
Jason Kebler
Based on your location.
[22:45]
Sam Cole
ExpressVPN lets you change your online location so you control where a given website.
[22:50]
Jason Kebler
Or streaming service thinks you're located.
[22:53]
Sam Cole
They have servers in over 100 countries so you can gain access to thousands of new shows and never run out.
[22:59]
Jason Kebler
Of stuff to watch.
[23:00]
Sam Cole
ExpressVPN is easy to use, just click one button to change locations. It works on your phone, tablet, smart tv, laptop, whatever you're using. And unlike a lot of other VPNs, ExpressVPN is fast, meaning you can stream in HD with no buffering. I personally use ExpressVPN for my reporting all the time to see whether a site is blocked in a specific state or country and to circumvent these blocks. I've lost count of the number of times I've used ExpressVPN while reporting a story, and I've started using it in my personal life too to make sure.
[23:30]
Jason Kebler
I can watch what I want.
[23:32]
Sam Cole
Protect your online privacy today by visiting expressvpn.com 404 that's E X P R-E-S-S vpn.com 404 to find out how you can get up to four extra months free. Expressvpn.com 404 we don't usually associate speed with quality. That's why we usually spend a while on our best work making sure to bring you quality journalism rather than mass produced stuff. Or if you ask AI to do a report, well, you're probably going to have problems. But there is an exception to this rule. If you're hiring, you can find candidates fast who are also extremely qualified for your job. Just use ZipRecruiter and right now you can try ZipRecruiter for free at ZipRecruiter.com 404 Media Check out ZipRecruiter's advanced resume database where you can proactively find the best candidates and contact them within minutes. 320,000 new resumes are added monthly, meaning you'll be playing in a deep talent pool to fill your roles with quality candidates Sooner. No wonder ZipRecruiter is the number one rated hiring site based on G2 experience, hiring speed and quality. With ZipRecruiter, four out of five employers who post on ZipRecruiter get a quality candidate within the first day. And if you go to ZipRecruiter.com 404Media right now, you can try it for free again, that's ZipRecruiter.com 404Media ZipRecruiter the.
[25:00]
Unnamed Speaker
Smartest way to hire this is an ad by BetterHelp. Lots of us who work take a short vacation over summer, but workplace stress is one of the top causes of declining mental health. A vacation helps in the short term, but most of us can't wave goodbye to work. To battle stress, we can start small with a focus on wellness, meditating, taking a walk, trying not to answer emails at all hours of the day. But longer term therapy can help you navigate whatever challenges the workday or any day might bring. Therapy can help you learn positive coping skills no matter what you're going through, and can help empower you to become your best. With over 30,000 therapists, BetterHelp is the world's largest online therapy platform. Having served over 5 million people globally. It's the most convenient way to fit therapy into your busy schedule. You can join a session with a therapist at a click of a button, reschedule appointments easy, and switch therapists at any time. As the largest online therapy provider in the world, BetterHelp can provide access to mental health professionals with a diverse variety of expertise. Unwind from work with Better Help, our listeners get 10% off their first month at betterhelp.com 404media that's betterhelp hlp.com 404media.
[26:27]
Emmanuel Mayberg
So our next story is from Joe. The headline is a startup is selling data hacked from people's computers to debt collectors. Joe, what is this company? Where is this data coming from? Who is it selling it to?
[26:42]
Joseph
Yes, so to give the very high level view, and of course we'll drill down on all of this. Some words may not make sense immediately, but there's this company called Farnsworth Intelligence, like a private intelligence cybersecurity company. And they're taking data that has been hacked from people's computers, passwords, email addresses, billing addresses, sometimes even more information. They're then taking that from something like 50 million computers, repackaging it and selling it to skip tracers, which is a fancy term for debt collectors. Basically people going through divorce proceedings or even companies looking to poach their rivals customers. It's pretty audacious. I have not seen hacked data sold like this for these purposes. And that's why I pulled it out. It's a really telling story about how this data is now being viewed by the cybersecurity and sort of the broader open source intelligence industry as well. Like people don't just consider Osint as posts on Twitter anymore. Some companies and people also consider data Hacked from computers to be so called Osint as well.
[28:09]
Emmanuel Mayberg
Something I think is interesting or might be useful to listeners is that we are very used to, and I'm used to it because of your reporting. But you know, we'll find out about a giant hack of T Mobile or something. And one of the ways we find out about it is that there's these forums where people sell this data. So people compromise a bunch of machines in various ways. All this hacked data is floating around. People compile it and then sell it in like huge batches on forms. And like this kind of happens fairly in the open. Right. So it's like all this data is floating around all the time. We know it happens, but it's very much like criminal underworld, black market, gray market stuff. And this is basically the same data being offered by a legitimate company. Right? It's like it's the same kind of data or the exact same data.
[29:14]
Joseph
Yeah. And there's some nuances in how infosteela data specifically is distributed which will, which we might get to, but broadly. Yeah, that's absolutely right. You have these forums where every single day hackers are either just dumping publicly for free because they feel like it, or in many cases they're selling it as well. And you have to buy credits with the underground forum to then unlock the data, then you download it and blah blah, blah. This happens with essentially every data breach that ends up being public facing. Maybe not the ransomware stuff because there's extortion there and you know, we won't publish it if you pay us. That's the entire point. But if you hear about a large profile or breach nowadays, very good chances posted to one of these websites, as you say, this company is basically taking that or similar data and then offering it to these industries. And I think that's very, very important because some people may argue, well the data's out there, so why can't I just repackage it or whatever. I don't think a random debt collector is going to know the underground hacking forum where they can get this information. Also, it's very messy sometimes on the underground hacking forum. Whereas here, Farnsworth Intelligence is taking that data, presumably cleaning it or at least formatting it in some way so it can actually appear in a search tool and making it all very easy to access and searchable specifically for these industries. If you're a divorce lawyer in some fancy tower in a big metropolitan city or whatever, and you're dealing with these big high profile divorce cases, you don't know where to go to find that data on the Internet, but you can use a private intelligence company like this to find it. So it is really funneling that data to different industries, different people, and different use cases. And that's where the issue is, basically.
[31:13]
Emmanuel Mayberg
Yeah. What's crazy to me, and the reason I was like, you should do this story right now, definitely. And this is more editorializing than we do in the story. And I don't know, Joe, you don't have to respond to this, but it's like, to me, it felt like somebody was looking at the same community black market that you look at every day. And they were like, oh, there's a startup here. We can just tap into an entirely different market if we just repackage the same data for a legitimate client.
[31:50]
Joseph
I do have, I think, a useful way to get into that, which is that more specifically, this data is infosteela data. And that is this really popular brand of malware or type of malware now, which is often bundled with like cracked or pirated software. So you download a cracked version of Photoshop or whatever, you're doing whatever it is you do in Photoshop, and then there's actually some malware in there which is stealing everything stored in your browser. And that's going to be your passwords, email addresses, billing, also just like all the autofill stuff in Chrome or whatever. And we covered this in depth. I actually spoke to the people making the malware and I also spoke to somebody very senior on the Google Security, Chrome security team about that, and we've published that before. But what happens there is that that data is often then fed into these Telegram channels and it's often sold. You have to pay to access it. But then also many of the channels just freely distribute them, probably to advertise the paid offering as well. So to get to your point of somebody seeing a startup here, multiple companies have tapped that data in different ways. There's another company called Hudson Rock, a cybersecurity firm, and Infosteel is basically their entire thing. They will go in, they will bring up the data, and what they would do is they will release these free tools or I believe, paid products as well. And it's like, hey, if you're a company and you're worried about info stealers, we can warn you, if your company is appearing in these credentials, that's a pretty interesting and probably useful use case. That's very different to going to the info stealers, grabbing all and being like, we're now going to sell it to debt collectors. It's entirely different. It's a different question of use case. And it's also different whether you can just search through the data or not as well. And I should add that we're talking about the debt collectors and whatever which you have to apply for. You have to tell him. Sorry, you have to tell the company. This is why I want to have access to it. There is also this public facing version of it which is a little bit more of a limited data set. I could still find very sensitive stuff in there and that costs like 50 bucks to just log in and there's no checks there. You just make an account and then you're searching info stealer data, which is obviously potentially an issue for stalkers or anybody like that.
[34:24]
Emmanuel Mayberg
Yeah, I mean, let's get into that. What did the experts you talked to say about the potential for abuse here and some other use cases?
[34:32]
Joseph
Yeah, I mean, sort of the usual expected stuff came up, which is, this is going to be a boon to law enforcement. This is going to be a boon to law enforcement, has a warrant. Crucially, this is going to be very, very useful for stalkers, that sort of thing. But then specifically on the use cases I pulled out and there are other ones like Farnsworth Intelligence also offers it to cyber risk firms or law enforcement or anything like that. But I pulled out divorces, debt collectors and sort of competitive intelligence because those were the most egregious to me and the divorce. One privacy lawyer I spoke to at Epic, they said, well, this might just be illegal. You can't use this, this data. And she pointed to a previous case with the Ashley Madison data dump, that dating website that got hacked way back when, nearly 10 years ago at this point. Right. And a judge said even though this data has been published publicly because the hackers released it online, it couldn't be used in court because it was still obtained illegally and it was still confidential in some respects. There's obvious issues there. The skip tracing ones, the debt collecting one. Mostly the response to that from the experts I spoke to was just like, this is really unethical. These people have already been the victim of a hack. They've already had malware installed on their computer and now this company is revictimizing them. And not only that, but selling it to somebody who may be trying to chase down a debt and harass them. I think that has obvious ethical consequences. And then the last one, which is, hey, maybe you could buy this data to find people using your rival's products and then you could poach them. You can make like a marketing list or something. The way you would do that is you would find they would have logins for your rival's product. And the privacy lawyer I spoke to said that may even fall under trade secrets law or something like that, depending on what was going on here. So it's a ton of use cases which just don't seem to be particularly well thought out. And also the website's full of typos as well.
[36:43]
Emmanuel Mayberg
Yeah, dibs for us on the blog, but I wonder if you can even use one of the EU or California privacy laws to be like, hey, is my data in here? Like, get rid of it immediately because you're not supposed to have it.
[36:56]
Joseph
That would be interesting because you could definitely search for yourself if you're using the free version. But whether you can get removed or not, I think that's a fair question. Yeah.
[37:04]
Emmanuel Mayberg
So I think most people are probably familiar with have I Been Pwned, which is a pretty useful database of hacks that may have exposed your email or password, which is like somewhat similar to this. Right? It's like a database of hacked data. How would you say this is different than that?
[37:32]
Joseph
Yeah, have I Been Pwned? Run by Troy Hunt, has been for basically a million years at this point. It's a really, really useful service, both for individuals and for companies. And you can do what I just did, which is go to haveibeenpwned.com you type in your email address and it brings up a bunch of breaches that your data has been included in. It doesn't return the passwords, it doesn't return the actual data itself. All it's doing is telling you, oh, you were in this massive data dump of 2.7 billion records or whatever, or you were in this data breach as well, and the data included email address and password that allows you to go, oh, damn, maybe I should change my password or something like that. It's purely a cybersecurity tool, really. More than anything. What's different here is that these infostealer products from Farnsworth are just returning the raw data. And there is a slight difference in that. The public facing version that I paid $50 to use, you don't get the full password, but you do get a ton of other stuff. I found somebody's personal billing address in there, for example, that seemed to be stored in their browser. You do get the full password, it seems, with the sort of the version of the product available to debt collectors and that sort of thing. So there's one difference. And then I think there's one final difference between have I been pwned and services like that and then Farnsworth or really just more infostealer products, which is that have I been pwned Is collating information on breaches from companies. It's like, oh, Adobe got hacked and now we have the Adobe data, the Farnsworth one and others will be based on infostealers, which is malware installed on an individual laptop, probably belonging to an individual person. It is way more personal, simply in virtue of the sort of data that this malware collects. And I'm sure some people will sort of balk at that distinction. Well, hack data is hacked data. I don't know. I think there's something to be said between there's a difference between data being taken from a company server and it being lifted off your personal laptop. Maybe the distinction is very thin, but I think there's something there.
[39:53]
Emmanuel Mayberg
I was going to say that to play devil's advocate. There is an interesting ethical, like a truly interesting ethical question about hacked data that can be used for good. For example, our friend Jordan Pearson at the CBC and a team of international journalists recently exposed the owner of Mr. Deepfakes, which was like the main deepfakes distribution website on the open Internet, a very bad person responsible for a lot of harm that was anonymous that frankly, like a lot of people wanted to expose. And I believe that the way that they eventually exposed him is by leveraging some hacked data versus his username that was public and kind of matching the emails and kind of going from there until they actually located him in Canada where he was working in a hospital and like confronted him and eventually forced him to shut down the website, which is like a huge, I think, net, good for the world because of hacked data. So it's like there's something interesting and sticky there. However, like selling it to debt collectors as like this product from a startup is. I don't know. That seems wrong to me. I think that's like a pretty clear violation of people's privacy.
[41:21]
Joseph
Yeah, I mean, beyond legal implications. And I guess this ties into ethical implications. Ultimately, the use cases are. Are arbitrary. It is always going to boil down to whether somebody feels comfortable or whether they think it's appropriate to use this data for a certain use case. So I personally see no problem using infosteeler malware to identify alleged users of child abuse websites, for example. And people have been doing that. Recorder Future, another cybersecurity firm, they did that. And to be fair to Farnsworth, it Looks like they started doing that as well somewhat recently. So there's one use case. There's another you mentioned. Again, there's journalism as well. Now maybe somebody is in between those and they do think the debt collectors is okay. I don't know. I'm just going to straight up disagree with you and maybe we can have a debate about it. But I guess just the last thing I would add is that. And then on top of all of those, it's also different to have a website where you can just pay $50 and you can just search like, then anybody can use it. And it's like if you are releasing a tool where anybody can use it, you straight up have to be ethically okay with literally any use case because you are morally and technologically responsible for it. Like you are responsible if a stalker goes in there and uses it to find somebody's address because you were making that data available. All right, let's leave that there after the break. We are going to be talking about one of Jason's stories which was in response to this. I don't know, the biggest social media pylon I think I've ever seen. We'll get all into that. You can subscribe and gain access to that content@404 media code. As a reminder, 404 Media is journalist founded and supported. Supported by subscribers. If you do wish to subscribe to 404 Media and directly support our work, please go to 404 Media co. You'll get unlimited access to our articles and an ad free version of this podcast. You'll also get to listen to the subscribers only section where we talk about a bonus story each week. This podcast was produced by Kaleidoscope. Another way to support us is by leaving a five star rating and review for the podcast. That stuff really helps us out. This has been 4 Foam Media. We will see you again next week.