Hackers Deface Popular Videos Published by VevoPilfered Access Credentials Could Be to Blame
A handful of popular music videos published on YouTube were defaced on Tuesday, with two hackers claiming credit. But Google, which owns YouTube, says that tampering didn't occur directly on its platform.
See Also: HIPAA Audits: A Revised Game Plan
One of the affected videos is Luis Fonsi's "Despacito," a Spanish tune that recently notched just over 5 billion views on YouTube. The BBC reports that the tampering also affected videos by artists including Shakira, Selena Gomez, Drake and Taylor Swift.
At one point, the video "Despacito" would not play. Instead, it had a video still from the TV series "Money Heist" of masked people in red hooded outfits pointing guns. The titles of some videos were replaced with the message "Free Palestine." After the defacements, the videos appeared to be taken offline.
" We are continuing to investigate the source of the breach."
Google says the tampering did not occur on its side. Vevo, which is a joint venture of several major music labels, uses YouTube as a publishing outlet.
"After seeing unusual upload activity on a handful of Vevo channels, we worked quickly with our partner to disable access while they investigate the issue," Google says in a statement.
Vevo said on Tuesday that a number of its videos "were subject to a security breach today, which has now been contained."
"We are working to reinstate all videos affected and our catalogue to be restored to full working order," Vevo said. "We are continuing to investigate the source of the breach."
In September, Vevo was attacked by a group calling itself OurMine, Gizmodo reported at the time. The group posted a heft 3.1TB of data online, most of which appeared to be internal documents, the publication reported.
'I Love YouTube'
Two hackers going by the nicknames Prosox and Kuroi'sh claimed credit for the attack against Vevo. Prosox, who posts some messages in French, appears to maintain the Vevo attack was a prank.
Although it's somewhat difficult to draw a clear meaning of the messages posted in English, Prosox says a script was used to change the title of the videos.
"Don't judge me," Prosox writes. "I love YouTube."
@YouTube Its just for fun i just use script "youtube-change-title-video" and i write "hacked" don t judge me i love youtube <3— Prosox (@ProsoxW3b) April 10, 2018
In another tweet, Prosox indicates more harm could have been done, such as deleting all of Vevo's videos. Prosox directed one tweet at Vevo, writing that "you have all my respect but do not leave the control to your site to any developer."
@Vevo You have all my respect but do not leave the control to your site to any developer did not take into account this hacking it was a fun if we would like to harm your customers we would delete all the video but I did not delete despacito must believe me— Prosox (@ProsoxW3b) April 10, 2018
That may be a subtle allusion to an access control issue. It's possible that Prosox and Kuroi'sh obtained access control credentials, which may have given them access to Vevo's content management system. Efforts to reach Prosox via Twitter were unsuccessful.
The Vevo incident is the kind of prosaic prank that harks back to the band of attackers known as LulzSec, which carried out a string of high-profile attacks aimed at embarrassing those who were compromised rather than making a profit.
LulzSec was a loose-knit offshoot of Anonymous that carried out an extensive campaign of website defacements and attacks again government agencies. The group succeeded in causing a fair amount of turmoil, and its escapades included breaches at the security company HBGary Federal, the Public Broadcasting System, Sony and Fox.
But the group's noisy promotion of itself on Twitter and other social media caused it to draw attention from law enforcement agencies around the world. By 2012, it was largely inactive after arrests in the U.S., U.K., Spain and the Netherlands (see: LulzSec Leader Strikes Deal with Feds).
The entertainment industry is often the target of attacks. In November, the Justice Department charged 29-year-old Iranian man in relation to a $6 million extortion attempt against entertainment company HBO.
Behzad Mesr, is accused of accused of compromising accounts of HBO employees, allowing him to steal scripts for unaired episodes of the popular show "Game of Thrones" and other confidential information (see: Feds Indict Iranian Over 'Game of Thrones' Hacks).