Since it’s not summer 2017 anymore, you probably haven’t watched the music video for Luis Fonsi and Daddy Yankee’s hit “Despacito” recently. And that may be just as well. The reigning most-viewed YouTube video was vandalized and then taken off the platform for a few hours on Tuesday morning after hackers infiltrated the account that hosted it.
Other well-known videos by artists like Drake, Katy Perry, Taylor Swift, and Shakira were defaced as well by attackers calling themselves “Prosox” and “Kuroi’sh,” who threatened that they would go after other YouTube channels as well. The music video distribution partnership Vevo confirmed to WIRED that “a number of videos in its catalogue were subject to a security breach today, which has now been contained. We are working to reinstate all videos affected and … are continuing to investigate the source of the breach.”
The attackers replaced some of the music videos with violent images, as with Despacito, which showed gang imagery from the Netflix series “Casa de Papel” before the attackers took the video down. It has since been reinstated, along with its 5 billion views.
YouTube says that the platform itself wasn’t breached. “After seeing unusual upload activity on a handful of VEVO channels, we worked quickly with our partner to disable access while they investigate the issue,” a spokesperson told WIRED. The attackers infiltrated one or more Vevo YouTube accounts rather than attacking the platform as a whole.
How, then, did Despacito disappear? That’s still unclear. But it wouldn’t be the first time a prominent account wasn’t protected by two-factor authentication, allowing attackers to guess the password or obtain it through social engineering attacks like phishing. Even two-factor isn’t foolproof, though. If an account is set up to deliver authentication codes via SMS, attackers can hijack the text messages to receive the code. Or a clever phish can impersonate a service’s login screen, not only tricking users into voluntarily entering their username and password, but also requesting their two-factor code just as the legitimate login page would. Once the malicious form captures these details, attackers can quickly use them to log in to the account they are targeting while the code is still active.
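The last point is worth seeing concretely: a one-time code is accepted because nothing about it says which site it was typed into, whereas an origin-bound credential cannot be forwarded. The simulation below is an added illustration, not code from the article, Vevo or YouTube; the secret, device key, origins and timestamps are constructed, and the "authenticator" uses an HMAC in place of a WebAuthn public-key signature to stay dependency-free.

```python
"""Why a relayed one-time code is accepted but an origin-bound credential is not.

Added illustration; secrets, origins and timestamps are constructed for the simulation.
"""
import base64
import hashlib
import hmac
import os
import struct
from typing import Dict, Tuple

STEP = 30          # TOTP time step in seconds (RFC 6238 default)
DRIFT_WINDOW = 1   # accept one step either side to tolerate clock skew (a common server default)

# Constructed sample values, not real credentials.
TOTP_SECRET = base64.b32decode("JBSWY3DPEHPK3PXP")
DEVICE_KEY = hashlib.sha256(b"constructed-device-key").digest()
REAL_ORIGIN = "https://accounts.example"
LOOKALIKE_ORIGIN = "https://accounts-example.test"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated to `digits` digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def totp(secret: bytes, at: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock (seconds since epoch)."""
    return hotp(secret, at // STEP)


def verify_totp(secret: bytes, code: str, at: int) -> bool:
    """Server-side check: the code is valid if it matches any step inside the drift window.
    Nothing here ties the code to the site the user typed it into."""
    counter = at // STEP
    return any(
        hmac.compare_digest(hotp(secret, counter + d), code)
        for d in range(-DRIFT_WINDOW, DRIFT_WINDOW + 1)
    )


def simulate_totp_relay(typed_at: int, relayed_at: int) -> bool:
    """The victim types a code into a look-alike page at `typed_at`; the page forwards it to
    the real login at `relayed_at`. Returns whether the real login accepts it."""
    code = totp(TOTP_SECRET, typed_at)
    return verify_totp(TOTP_SECRET, code, relayed_at)


def sign_assertion(origin: str, challenge: bytes) -> Tuple[str, bytes]:
    """Simplified stand-in for a WebAuthn-style authenticator: the browser reports the origin
    the page is on, and that origin is covered by the signature (HMAC instead of a public-key
    signature here, purely to keep the example self-contained)."""
    sig = hmac.new(DEVICE_KEY, origin.encode() + b"\x00" + challenge, hashlib.sha256).digest()
    return origin, sig


def verify_assertion(expected_origin: str, challenge: bytes, origin: str, sig: bytes) -> bool:
    """Relying-party check: the signed origin must be ours and the signature must verify over it."""
    if origin != expected_origin:
        return False
    expected_sig = sign_assertion(origin, challenge)[1]
    return hmac.compare_digest(expected_sig, sig)


def simulate_assertion_relay() -> Dict[str, bool]:
    """Same relay as above, but with an origin-bound credential."""
    challenge = os.urandom(32)                                  # issued by the real site
    origin, sig = sign_assertion(LOOKALIKE_ORIGIN, challenge)   # victim's browser is on the look-alike
    genuine_origin, genuine_sig = sign_assertion(REAL_ORIGIN, challenge)
    return {
        # the genuine flow still works
        "legitimate_login": verify_assertion(REAL_ORIGIN, challenge, genuine_origin, genuine_sig),
        # forwarding the captured response fails the origin check
        "relayed_unchanged": verify_assertion(REAL_ORIGIN, challenge, origin, sig),
        # rewriting the origin field fails because the signature covers the original origin
        "relayed_origin_rewritten": verify_assertion(REAL_ORIGIN, challenge, REAL_ORIGIN, sig),
    }


if __name__ == "__main__":
    print("TOTP relayed 12 s later accepted:", simulate_totp_relay(1_000, 1_012))
    print("TOTP relayed 65 s later accepted:", simulate_totp_relay(1_000, 1_065))
    print("Origin-bound assertion:", simulate_assertion_relay())
```

The first run shows the window the article describes: a code forwarded within the step (plus drift tolerance) is indistinguishable from one the user typed on the real site, and the only defence on the server side is how short that window is. The second shows why origin-bound authenticators (FIDO2/WebAuthn security keys and passkeys) are the usual recommendation for high-value shared accounts such as a label's YouTube channel: the credential is only ever valid for the site the browser was actually on.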
Observers note that corporate accounts shared by multiple employees are less likely to employ two-factor authentication, because lots of people may need to be able to access them from different locations. Though this doesn’t make using two-factor impossible (or any less important), it can make it impractical. Either way, analysts speculate that phishing is the likely route by which the attackers penetrated Vevo’s YouTube accounts, judging by what they did with their access.
“If you look at the economics of it, if someone had actually broken into the YouTube platform, that would be valuable,” says Chris Weber, cofounder of the corporate security and penetration testing firm Casaba Security. “Your first inclination wouldn’t be to deface a few videos and run away. But that’s the problem with phishing, it’s such a low-cost attack.”
If attackers had invested significant time and resources into compromising the accounts, they also might have taken the time to execute a more subtle attack, like redirecting ad payments from YouTube into their own bank account instead of Vevo’s.