Another day, another multinational video service brought to its knees by a group of rogue hackers with a bone to pick.
Vevo, the joint venture between Universal Music Group, Sony Music Entertainment, Abu Dhabi Media, Warner Music Group, and Alphabet Inc. (Google’s parent company), was just hacked. Roughly 3.12TB worth of internal files have been posted online, and a couple of the documents reviewed by Gizmodo appear sensitive.
The OurMine hacker squad has claimed responsibility for the breach. The group is well known: They hijacked WikiLeaks’ DNS last month shortly after they took over HBO’s Twitter account; last year, they took over Mark Zuckerberg’s Twitter and Pinterest accounts; and they hit both BuzzFeed and TechCrunch not long after that.
The leaked cache contains a wide variety of office documents, videos, and other promotional materials. Based on a cursory review, a majority of the files seemed pretty mild—weekly music charts, pre-planned social media content, and various details about the artists under the record companies’ management.
But not all of the material was quite so benign. Vevo’s UK office will probably want to get this alarm code changed as soon as possible:
OurMine typically hacks people because, well, it can. The group’s primary goal is demonstrating to companies that they have weak security. In this case, the hackers managed to compromise an employee account for Okta, the single sign-on workplace app. Usually they don’t resort to leaking large caches of files—at least to our knowledge—but in this case it sounds like someone may have pissed them off.
In a post late Thursday, OurMine claimed it leaked Vevo’s files after reaching out to one of the company’s employees and being told to “fuck off.” But they informed Gizmodo by email: “If they asked us to remove the files then we will.”
Of course, Sony (one of Vevo’s joint owners) fell victim to a devastating hack in 2014 after a group of hackers calling themselves the “Guardians of Peace” dumped a wealth of its confidential data online. US intelligence agencies pinned the breach on North Korea (one of the hacking group’s demands was that Sony pull The Interview, Seth Rogan’s comedy about a plot to assassinate Kim Jong-Un.)
According to Business Insider, Vevo locked up nearly $200 million in year long ad commitments this year, thanks to artists like Beyonce, Taylor Swift, and Ariana Grande helping generate some 25 million daily views. They might consider spending some of those earnings on beefing up their security. This could’ve been a lot worse.
We’ve reached out to Vevo, Sony, Warner, Universal, and Google for comment. We’ll update if we hear anything back.
Update 9/15/17 12:40am ET: Responding to our inquiry, a Vevo spokesperson told Gizmodo that the company “can confirm that Vevo experienced a data breach as a result of a phishing scam via Linkedin. We have addressed the issue and are investigating the extent of exposure.”
Additional reporting by Bryan Menegus