Despacito YouTube video hack – teenagers charged

Web defacement is supposed to be an old-fashioned type of hack, but it probably didn’t look that way to YouTube viewers on 10 April this year.

That was the day a string of popular videos were defaced on the service, including songs by Chris Brown, Shakira, DJ Snake, Selena Gomez, Drake, Katy Perry, and Taylor Swift, many with pro-Palestinian messages and imagery.

The biggest attention-grabber of all was the defacement of Luis Fonsi and Daddy Yankee’s song Despacito – which with more than five billion views ranks as the most-viewed video in YouTube’s history.

The video was only briefly unavailable, but the attack’s brevity seemed insignificant beside the fact that someone had managed to muck around with gold-star content on YouTube in front of millions of watchers.

Six weeks on and police in Paris now say they’ve arrested and charged two 18-year-old teens with the attack, named as Nassim B and Gabriel KAB, who allegedly used the online identifiers Prosox and Kurois’h.

How did two teens allegedly deface so many massively popular videos hosted on a company like YouTube?

It soon became clear that the pair had found a way in by hacking a syndication account operated by Vevo, which is owned by Warner Music Group, Universal Music Group and Sony Music Entertainment, with YouTube itself having a 7% stake.

Admitted Vevo at the time:

Vevo can confirm that a number of videos in its catalogue were subject to a security breach today, which has now been contained. We are working to reinstate all videos affected and our catalogue to be restored to full working order. We are continuing to investigate the source of the breach.

To which YouTube added:

After seeing unusual upload activity on a handful of VEVO channels, we worked quickly with our partner to disable access while they investigate the issue.

The hack comes only a few months after Vevo suffered a major data breach that saw 3.12TB of internal files posted to OurMine.

After which Vevo told USA Today, intriguingly:

Vevo experienced a data breach as a result of a phishing scam via LinkedIn. We have addressed the issue and are investigating the extent of exposure.

It’s not clear how valuable most of these files were, although the newspaper noted “one document detailed how to turn off the alarm at Vevo’s UK office.”

If there’s a larger theme in all of this, it’s that attackers are gunning for whole entertainment companies rather than simply trying to breach a few individual websites, as they might have in the past.

The biggest of these include the infamous attack on Sony Pictures in 2014, and content raids on HBO and Netflix during 2017.

Security watchers await more detail of the case against the teens, who face 11 criminal counts in their homeland, France, in conjunction with the Manhattan District Attorney’s Office in New York, home of Vevo.

That might furnish details on the weaknesses that led to the Vevo YouTube defacement. It should make for an interesting – if for Vevo slightly embarrassing – court case.