Vevo Hackers Release Then Delete 3TB Of Internal Files

Matthew Broersma,
music festivals

The white-hat hacking group OurMine said it released the files after a Vevo employee allegedly told them, ‘f– off, you don’t have anything’

Vevo has acknowledged its systems were breached by a notorious hacker group after more than 3 TB of internal data was released online – and then removed at the company’s request.

The Saudi Arabian-based OurMine group, which claimed responsibility for the hack, claims to breach organisations’ systems in order to demonstrate security weaknesses.

In August, the group caused DNS servers to redirect WikiLeaks traffic to their own server and took over HBO’s Twitter account, while previous targets have included Facebook chief Mark Zuckerberg, Twitter chief Jack Dorsey, Netflix, Marvel, Google, BuzzFeed and TechCrunch.

Files deleted

OurMine sells security services and uses the hacks to publicise its offerings.

In a post on its website the group said it initially contacted Vevo about security issues but was allegedly told by an employee, “Fuck off, you don’t have anything.”

vevo-ourmine
Screenshot from OurMine’s website.

In response, the group initially made about 3.12 TB of files available via a link on its site, but told technology news site Gizmodo it would remove the files if Vevo asked it to do so, and it later said it had complied with such a demand.

“We deleted the files because of a request from VEVO,” OurMine said in a message added to its site on Friday.

The cache reportedly contained a office documents and promotional materials, as well as internal dossiers on about 90 artists including Ariana Grande, Katy Perry, Taylor Swift and U2.

But some of the materials appeared sensitive, with Gizmodo, for instance, publishing a document that appeared to give the code used to deactivate an alarm on the first floor of Vevo’s UK office.

Do passwords have a future in cybersecurity?

View Results

Loading ... Loading ...

‘LinkedIn scam’

OurMine said it had compromised an employee’s account for the Okta single sign-on service, and Vevo confirmed a member of staff had been hit by a phishing attack.

Vevo said the breach resulted from a “phishing scam via Linkedin”.

“We have addressed the issue and are investigating the extent of exposure,” Vevo stated.

Vevo is a joint venture between the “big three” music labels, Universal Music Group, Sony Music Entertainment and Warner Music Group, and is also part-owned by Abu Dhabi Media and Google parent Alphabet.

In 2014 Sony Pictures Entertainment was hit by hackers who released large amounts of the company’s internal data, and over the summer HBO was threatened with extortion by hackers who claimed to have obtained about 1.5 TB of sensitive files.

The hackers released unaired episodes of popular programmes after HBO failed to pay a ransom of around £5m.

Do you know all about security in 2017? Try our quiz!