Cyber Incident Victim: Vevo LLC
Date:
Apr 2022
Location:
Spain
Summary
A multinational video hosting service experienced unauthorized access to multiple high-profile artist channels, resulting in altered video titles and uploads of unauthorized content promoting a group demanding a prisoner's release. The compromised channels, representing artists with hundreds of millions of subscribers, were restored after improper uploads were deleted, with the company initiating a security system review. The attackers claimed responsibility via social media, stating they exclusively targeted private entities while circulating demands related to a Spanish fraud case. No pre-existing content was accessed during the incident, which involved coordinated takeovers across numerous artist accounts managed through the platform's content provider model.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On April 5, 2022, Vevo announced an investigation following unauthorized access to YouTube channels of multiple high-profile artists, including Rihanna, Justin Bieber, Taylor Swift, Kanye West, Drake, Eminem, Michael Jackson, Ariana Grande, Harry Styles, Travis Scott, The Weeknd, and Lil Nas X. An unidentified actor uploaded new music videos or altered existing video titles across these channels. The uploaded content included videos featuring IShowSpeed, a gamer and musician, and titles referencing "Free Paco Sanz" – a Spanish fraud convict – alongside claims like "hacked by @LOSPELAOSBRO." YouTube users first detected the breach through notifications of unexpected uploads from official artist channels, prompting public reports on social media platforms like Twitter. Vevo confirmed the incident, stating that improperly uploaded videos were deleted and that no pre-existing content was compromised. The company secured the affected channels but declined to specify how the breach occurred or whether user data was accessed.
The hacking group "@LOSPELAOSBRO," identifying as "Los Pelaos," claimed responsibility via Twitter, demanding Paco Sanz's release from prison and soliciting suggestions for additional targets. Their Twitter activity escalated during the incident, announcing successive compromises of channels belonging to Playboi Carti, Daddy Yankee, Cardi B, Rihanna, J Balvin, Ariana Grande, and Migos. The group explicitly stated they targeted only private companies, not governments. Videos uploaded during the breach featured collaborative titles with fictitious artists (e.g., "Justin Bieber – Free Paco Sanz (ft. Will Smith, Chris Rock)") and declarations of control (e.g., "No Doubt - no me retiro era broma @lospelaosbro"). Universal Music Group, representing several affected artists, deferred inquiries to Vevo. YouTube’s parent company Google did not publicly comment, though its Threat Analysis Group had previously disrupted similar phishing campaigns against YouTubers in October 2021. The incident impacted channels with cumulative subscribers numbering in the hundreds of millions, though no data theft or permanent content loss occurred. Vevo confirmed a security systems review as a precautionary measure but provided no further details on mitigation steps or forensic findings. The "@LOSPELAOSBRO" account retained over 15,000 followers post-incident despite the removal of all unauthorized videos.