YouTube wants to make it very clear that it didn’t suffer a hack earlier today — Vevo did.
People began noticing early this morning that Vevo music videos from some of the most popular artists in the world, including Luis Fonsi’s “Despacito,” the most-watched video on YouTube, were taken down. The videos were replaced with messages from hackers, and eventually were taken offline while Vevo investigated.
“Vevo can confirm that a number of videos in its catalogue were subject to a security breach today, which has now been contained,” a Vevo representative told Polygon. “We are working to reinstate all videos affected and our catalogue to be restored to full working order. We are continuing to investigate the source of the breach.”
By “we,” the representative specifically means Vevo. Multiple sources told Polygon that this wasn’t an attack on YouTube, adding that it didn’t affect any YouTube videos aside from the ones on Vevo’s channels.
“After seeing unusual upload activity on a handful of VEVO channels, we worked quickly with our partner to disable access while they investigate the issue,” a YouTube representative told Polygon in a statement.
This isn’t the first time that Vevo has been attacked — and that’s where things get tricky.
Vevo is on YouTube, but it doesn’t belong to YouTube
Vevo is a video platform that’s owned by the three biggest record companies in the United States: Warner Music Group, Universal Music Group and Sony Music Entertainment. Vevo only hosts music videos from artists signed to Universal Music Group and Sony Music Entertainment (such as Taylor Swift, Drake and Adele), and those videos are syndicated on YouTube.
The basic difference between YouTube and Vevo is who has access to uploading videos. Anyone on YouTube can upload a video to YouTube’s main site. This isn’t true for Vevo. Vevo is specifically run by administrators who upload videos to the website and the Vevo YouTube channel. That means people who have access to Vevo’s platform, which is syndicated on YouTube, may not have access to the rest of YouTube overall. All of the videos involved in this hack were uploaded to Vevo’s servers.
This also isn’t the first time Vevo has been hacked. Vevo was hacked in September 2017, when roughly “3.12TB worth of internal files” were published online, according to Gizmodo. The attack was coordinated by OurMine, the same group behind the BuzzFeed and TechCrunch hacks, as well as the hacks of Facebook CEO Mark Zuckerberg’s Twitter and Pinterest accounts.
That attack, which targeted the company’s internal documents, didn’t affect YouTube either.
It’s easy to look at Vevo and YouTube as being one company. Vevo accounted for “50 million unique views on YouTube in May 2013, the highest rate of any content partner,” according to The Next Web. That number only continued to grow — “Despacito” is currently the most-watched video on YouTube, with more than 5.02 billion views since its debut in January 2017. YouTube purchased a 7 percent stake in the company in 2013.
While Vevo is investigating the hack, and YouTube is helping Vevo understand what happened, it’s important to note that this wasn’t an attack on YouTube specifically.
Professor Alan Woodward, a cybersecurity expert from Surrey University, told the BBC the hack must have come from stolen authorization codes, as it’s unlikely the company’s servers would have been accessible otherwise.
“To upload and alter video content with code you should require an authorisation token,” Woodward told the BBC. “So, either this hacker has found a way around that need for authorisation, or they are being economical with the facts, or they obtained the permissions in some other way.”
Many of the videos targeted in the original attack have been re-uploaded to YouTube at this time — including “Despacito.”