The OurMine hacking collective broke into the servers of music video hosting service Vevo and on late Thursday posted approximately 3.12 terabytes of stolen documents and data on its website, in an unusually aggressive attack by the group.
Normally, OurMine is known for accessing celebrities’ or companies’ social media accounts and defacing their corresponding pages. In such circumstances, the group typically claims to be testing victims’ security and offers to help improve their defenses. But the data dump constitutes a more serious infraction, as it involves the posting of private documents.
In conjunction with the dump, OurMine reportedly offered assurances on its website that it would remove the stolen content upon Vevo’s request. By Friday, the materials were indeed deleted.
The hacking group reportedly also said that it executed the dump after contacting Vevo about the server breach, only to be told by an skeptical employee to “F— off.”
According to Gizmodo, much of the leaked material appeared benign, including office documents, videos, promotional materials, weekly music charts, social media content, and minor details on music artists contracted by the record companies that jointly own Vevo. But at least some seemingly sensitive materials were observed, including alarm code instructions for Vevo’s UK offices.
Variety reported that Vevo’s files included notes on around 9o artists, including Ariana Grande, Britney Spears, Calvin Harris, Florida Georgia Line, Jennifer Lopez, Justin Bieber, Katy Perry, Madonna, One Direction, Sia, Taylor Swift, The Weeknd, and U2.
“We don’t know how long they [the hackers] have been accessing the Vevo system or what additional data –financial, email, employee info – the attackers may have…” cautioned Terry Ray, CTO of data and application security company Imperva, in emailed comments.
New York-based Vevo, which is jointly owned by Universal Music Group, Sony Music Entertainment, Warner Music Group, Abu Dhabi Media, and Google parent company Alphabet Inc., acknowledged the breach in an official statement, which revealed that OurMine’s initial method of attack was a social engineering scheme perpetrated via social media. “We can confirm that Vevo experienced a data breach as a result of a phishing scam via LinkedIn,” the statement reads. “We have addressed the issue and are investigating the extent of exposure.”
Phil Tully, principal data scientist at social media security and digital risk monitoring company ZeroFOX, said in an emailed statement that LinkedIn and other social media online services are an effective tool for targeted phishing attacks because it “allows users to create believable online identities and interactions, which can help users build credibility and trust with their real-world peers. For the most part, these fields are publicly-facing, and serve as one of the first things validated upon receipt of a friend request or incoming message.”
“Attackers maximize opportunities for engagement by impersonating legitimate users or by fine-tuning profile fields and interactions to lure targets,” Tully continued. “Once socially engineered, a target’s trust can be leveraged to extract personal information or deliver malicious payloads.”
Sam Curry, Chief Security Officer at endpoint threat detection company Cybereason, said in emailed comments that training company employees to identify and avoid phishing scams is not a panacea, and that technology must be created “for how users really behave and not some mythical ideal user.”
“Today, the million-dollar solution doesn’t exist, but as an industry we can start building solutions that work with how people really behave instead of continually trying to change their behavior, because between now and the end of mankind people will keep clicking on stuff,” said Curry.
In April 2017, OurMine executed what it called the largest hack in YouTube history, after changing the written content on hundreds of the video service’s channels. Even more recent OurMine shenanigans include defacing WikiLeaks’ home page, hacking Real Madrid’s Twitter accounts, and hacking HBO’s Facebook and Twitter accounts.