YouTube makes it very clear that it didn’t suffer a hack; Vevo did. People began noticing early this morning that music videos on Vevo from some of the most popular artists in the world (including Luis Fonsi’s “Despacito,” the most-watched video on YouTube) were taken down. The videos were replaced with messages from hackers, and eventually were taken offline while Vevo investigated, information security training researchers reported.
“Vevo can confirm that a number of videos in its catalogue were subject to a security breach today, which has now been contained,” a Vevo representative said. “We are working to reinstate all videos affected and our catalogue to be restored to full working order. We are continuing to investigate the source of the breach.”
Multiple sources said that this wasn’t an attack on YouTube, adding that it didn’t affect any YouTube videos aside from the ones on Vevo’s channels.
“After seeing unusual upload activity on a handful of VEVO channels, we worked quickly with our partner to disable access while they investigate the issue,” a YouTube representative said in a statement.
Vevo is a video platform that’s owned by the three biggest record companies in the United States: Warner Music Group, Universal Music Group and Sony Music Entertainment. Vevo only hosts music videos from artists signed to Universal Music Group and Sony Music Entertainment (such as Taylor Swift, Drake and Adele), and those videos are syndicated on YouTube.
The basic difference between YouTube and Vevo is who has access to uploading videos. Anyone on YouTube can upload a video to YouTube’s main site. This isn’t true for Vevo. Vevo is specifically run by administrators who upload videos to the website and the Vevo YouTube channel. That means people who have access to Vevo’s platform, which is syndicated on YouTube, may not have access to the rest of YouTube overall. All of the videos involved in this hack were uploaded to Vevo’s servers.
This isn’t the first time Vevo has been hacked. Vevo was hacked in 2017, when roughly “3.12TB worth of internal files” were published online, according to information security training analysts at Gizmodo. The attack was coordinated by OurMine, the same group behind the BuzzFeed and TechCrunch hacks, as well as the hacks of Facebook CEO Mark Zuckerberg’s Twitter and Pinterest accounts.
That attack, which targeted the company’s internal documents, didn’t affect YouTube either.
It’s easy to look at Vevo and YouTube as being one company. Vevo accounted for “50 million unique views on YouTube in May 2013, the highest rate of any content partner,” according to The Next Web. That number only continued to grow — “Despacito” is currently the most-watched video on YouTube, with more than 5.02 billion views since its debut in January 2017. YouTube purchased a 7 percent stake in the company in 2013.
While Vevo is investigating the hack, and YouTube is helping Vevo understand what happened, it’s important to note that this wasn’t an attack on YouTube specifically.
Professor Alan Woodward, an information security training expert from Surrey University, told the BBC the hack must have come from stolen authorization codes, as it’s unlikely the company’s servers would have been accessible otherwise.
“To upload and alter video content with code you should require an authorisation token,” Woodward said. “So, either this hacker has found a way around that need for authorisation, or they are being economical with the facts, or they obtained the permissions in some other way.”
Working as a cyber security solutions architect, Alisa focuses on application and network security. Before joining us she held cyber security researcher positions within a variety of cyber security start-ups. She also has experience in different industry domains like finance, healthcare and consumer products.