Guess what happened after VEVO told its hackers to 'f**k off'...

Poor security and ingracious response leads to massive data leak.

VEVO hackers briefly posted 3.12 TB of music service's internal data online

A hacking gang posted 3.12 terabytes of VEVO's internal files online, after the company told them to "f--k off".

The cache of files belonging to the music and video service appeared on 15 September 2017. Included in the data leak were office documents, promotional materials, and other items pertaining to approximately 90 well-known pop artists including Calvin Harris and Taylor Swift.

One leaked file, for instance, documented how the videos of Katy Perry, who suffered a Twitter hack in 2016, had so far generated 12.2 billion views and attracted a gender-based viewing ratio of 54 percent men to 46 percent women.

But some of the files contained more sensitive data. One included the alarm code for the service's UK office. Needless to say, VEVO might want to change that code ASAP.

Gzrtljmffzaryxprem0f

A hacked VEVO file containing an alarm code for the UK office. (Source: Gizmodo)

So who was responsible for this hack?

The OurMine group, a notorious group of hackers which previously launched digital attacks against FC Barcelona, WikiLeaks, and HBO's social media accounts, has claimed responsibility for the leaks.

As reported by Gizmodo, the group apparently compromised a VEVO employee account for the single-sign-on (SSO) workplace app Okta. It then contacted the service via LinkedIn about the hack, causing a VEVO employee to reply with a less-than-courteous response.

Vevo negotiates

A screenshot of OurMine's conversation with VEVO. (Source: OurMine)

Well, OurMine didn't take kindly to those words. So it posted the data online. It doesn't appear the group wanted to monetize the information, however, as it leaked the information for free and said it'd remove the files if VEVO asked.

The service did eventually ask OurMine to remove the documents, and the hacking gang removed some of the download links. According to Bleeping Computer, just one of the remaining URLs actually links to documents for download.

VEVO has confirmed the hack in a statement provided to Gizmodo:

"We can confirm that Vevo experienced a data breach as a result of a phishing scam via LinkedIn. We have addressed the issue and are investigating the extent of exposure."

A LinkedIn phishing scam, huh? Let's hope VEVO makes an effort to conduct phishing education training with its employees going forward. It should also emphasize the importance of employees enabling two-step verification (2SV) on their social media media profiles and other corporate accounts.

Tags: , , , ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

, , , ,

3 Responses

  1. brooke

    September 18, 2017 at 1:45 pm #

    I'm so confused, isn't Okta there to utilize single sign on and 2 factor? Or were they just too dense to turn on 2 factor and were only using it for single sign on. Seems like if they'd used Okta correctly they could have avoided this, or is there some actual vulnerability in Okta or how they were using Okta? There's something missing here!

  2. Unkn01

    September 18, 2017 at 5:28 pm #

    This is only the beggining ..a Big party is coming

  3. Farid Tahery

    September 19, 2017 at 3:08 pm #

    Phishing education for employees is useful, but VEVO may also want to consider educating its employees on manners.

Leave a Reply