Some of the biggest stars around have seen content placed on their YouTube accounts without permission over the last couple of days. Taylor Swift has around 40 million subscribers. Justin Bieber? 68 million. Harry Styles, a respectable 12 million. You can even add Eminem and Michael Jackson to the list of those taken over.
Big names, and even bigger numbers.
The last time I can remember an all-out targeted attack on social media musicians was way back in 2007 during Ye Olde Myspace days. While the potential for mischief there was big, this new attack far surpassed it in terms of people seeing dubious content.
Using Vevo as a stepping-stone to musician channels
According to The Record, the attack specifically targeted accounts using Vevo. The people behind it didn’t promote malware links, or spam, or phishing. Instead, they opted to post about a bizarre scam involving a security guard.
The scam involved a man who claimed to have “2,000 tumours” and was sentenced to 2 years in jail for grabbing around $319,000 in donations for his non-existent terminal illness. Via their Twitter account, the group claiming to be behind the compromise demanded he be set free.
If you’ve ever watched a music video from a major artist, there’s a good chance you’ll have seen the Vevo logo in the bottom right hand corner. This is the Vevo channel, where content is uploaded. As Gizmodo notes, videos are merged with the musician’s separate YouTube channel. Existing YouTube accounts can also be merged to create Official Artist Channels.
Speaking to The Verge, Vevo said “Some videos were directly uploaded to a small number of Vevo artist channels earlier today by an unauthorized source.”
This is what Vevo’s FAQ page has to say on the subject of how uploads work:
Vevo does not provide access directly to artists. If your music videos have been delivered to Vevo, you must work with your existing Content Provider/Label who will have access to perform these updates.
What about your YouTube security?
You may not be a multi-million album seller signed up to Vevo on YouTube, but you still need to lock down your YouTube account. Any compromise can lead to masses of spam or videos leading users off-site to phishing or malware.
Signing into YouTube requires a Google account. As such, good Google security hygiene means good YouTube security hygiene too. We’ve covered many Google-centric security concerns previously, but here are some things you can do now to lock down your account:
- Create a strong password, and enable two-factor authentication (2FA). Use the Google Auth app for 2FA rather than SMS codes. This will help you avoid the threat of SIM-swap attacks.
- Don’t share sign-in information with others. If someone contacts you promising riches beyond your wildest dreams, they may ask for your login details to set up some sort of “affiliate” or partnership status. This is a bad idea, and you shouldn’t do it.
- Use Google’s security checkup. This informs you at a glance about recent login activity, device sign-ins, Gmail settings, and more. It’s a handy, focused way to make sense of the sometimes overwhelming range of options available.
- Remove sites and apps you don’t need or recognise. As with many social accounts, you’re able to connect to a variety of services. Review the connected apps on your Google account.
- Keep an eye on the comments posted to your videos. There’s a lot of spam out there and it may sully your reputation if followers end up in bad places via your content.
This should be enough to get your account moving to a place where it’s a lot more secure than before. While the chance of you being hit by an attack like the one above targeting very well known accounts is low, people regularly look to hijack ordinary YouTube accounts. Let’s not make it easy for them!
The post YouTube channels of Taylor Swift, Justin Bieber, Harry Styles, and other musicians compromised appeared first on Malwarebytes Labs.