
Vevo Hack Sees 3TB of Internal Files Posted Online

Vevo will be a name well-known to anyone who enjoys watching the latest music videos on YouTube. It's a joint venture created by Universal Music Group, Sony Music Entertainment, and Warner Music Group to act as a video hosting service.

On Friday, it was revealed that Vevo had suffered a massive hack courtesy of the hacking group known as OurMine. You may remember they hacked the Netflix US Twitter account last December. In total, some 3.12TB of data was stolen from Vevo's internal systems. That data was later shared online for all to see.

Vevo uses Okta as the sign-on service through which employees log in to its internal systems. OurMine ran a phishing campaign over LinkedIn that netted a legitimate employee's Okta credentials, and that single login was enough to give them access to Vevo's internal files.
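The attack path above is a phished, otherwise valid credential being replayed from somewhere the real user never logs in from. The script below is an added illustration (not Vevo's, Okta's or OurMine's code) of the simplest detection a team could run over its sign-in logs: build a per-user baseline of source networks and countries from earlier successful logins and flag the first login that breaks it. The events are constructed sample data whose field names only mimic the shape of Okta System Log entries (`eventType`, `outcome.result`, `actor.alternateId`, `client.ipAddress`, `client.geographicalContext`); the field layout, the /24 grouping and the baseline logic are assumptions for illustration.

```python
"""Flag successful sign-ins from a network or country a user has not used before.

Added example, not code from the original article. The sample events are
constructed and only modelled on the shape of Okta System Log entries; the
field names and the baseline rule are assumptions, not Vevo's configuration.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample: two users, a few days of logins. jdoe's last login comes
# from a network and country never seen for that account; a failed attempt
# from the same place a day earlier must not poison the baseline.
SAMPLE_EVENTS = [
    {"published": "2017-09-11T08:02:11Z", "eventType": "user.session.start",
     "outcome": {"result": "SUCCESS"}, "actor": {"alternateId": "jdoe@example.com"},
     "client": {"ipAddress": "203.0.113.14",
                "geographicalContext": {"country": "United States"}}},
    {"published": "2017-09-12T08:15:40Z", "eventType": "user.session.start",
     "outcome": {"result": "SUCCESS"}, "actor": {"alternateId": "jdoe@example.com"},
     "client": {"ipAddress": "203.0.113.22",  # same /24, expected: no alert
                "geographicalContext": {"country": "United States"}}},
    {"published": "2017-09-13T21:47:03Z", "eventType": "user.session.start",
     "outcome": {"result": "FAILURE"}, "actor": {"alternateId": "jdoe@example.com"},
     "client": {"ipAddress": "198.51.100.77",  # failed: ignored entirely
                "geographicalContext": {"country": "Netherlands"}}},
    {"published": "2017-09-14T09:00:12Z", "eventType": "user.session.start",
     "outcome": {"result": "SUCCESS"}, "actor": {"alternateId": "asmith@example.com"},
     "client": {"ipAddress": "192.0.2.9",  # first login seeds the baseline
                "geographicalContext": {"country": "United Kingdom"}}},
    {"published": "2017-09-14T22:31:55Z", "eventType": "user.session.start",
     "outcome": {"result": "SUCCESS"}, "actor": {"alternateId": "jdoe@example.com"},
     "client": {"ipAddress": "198.51.100.77",  # expected: alert on network+country
                "geographicalContext": {"country": "Netherlands"}}},
    {"published": "2017-09-15T09:03:27Z", "eventType": "user.session.start",
     "outcome": {"result": "SUCCESS"}, "actor": {"alternateId": "asmith@example.com"},
     "client": {"ipAddress": "192.0.2.40",  # same /24, expected: no alert
                "geographicalContext": {"country": "United Kingdom"}}},
]


@dataclass
class UserBaseline:
    """Networks and countries observed in earlier successful logins for one user."""
    networks: set = field(default_factory=set)
    countries: set = field(default_factory=set)


def successful_logins(events):
    """Yield only completed session starts; failures never update a baseline."""
    for e in events:
        if (e.get("eventType") == "user.session.start"
                and e.get("outcome", {}).get("result") == "SUCCESS"):
            yield e


def source_network(ip_text: str, v4_prefix: int = 24, v6_prefix: int = 64):
    """Group an address into its surrounding network (/24 for IPv4, /64 for IPv6)."""
    ip = ipaddress.ip_address(ip_text)
    prefix = v4_prefix if ip.version == 4 else v6_prefix
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def find_anomalous_logins(events):
    """Return (user, ip, country, reasons) for every successful login whose source
    network or country is new for that user, judged against earlier events only.
    A user's very first login seeds the baseline and is never flagged."""
    baselines = defaultdict(UserBaseline)
    findings = []
    for e in successful_logins(events):
        user = e["actor"]["alternateId"]
        ip_text = e["client"]["ipAddress"]
        net = source_network(ip_text)
        country = e["client"].get("geographicalContext", {}).get("country", "unknown")
        b = baselines[user]
        reasons = []
        if b.networks and net not in b.networks:
            reasons.append(f"new source network {net}")
        if b.countries and country not in b.countries:
            reasons.append(f"new country {country}")
        if reasons:
            findings.append((user, ip_text, country, reasons))
        b.networks.add(net)
        b.countries.add(country)
    return findings


if __name__ == "__main__":
    for user, ip, country, reasons in find_anomalous_logins(SAMPLE_EVENTS):
        print(f"ALERT {user} from {ip} ({country}): {'; '.join(reasons)}")
```

Treat this as a weak signal, not a control: an attacker who replays the credential through a proxy near the victim will not trip it, and a travelling employee will. The durable fix for the attack the article describes is phishing-resistant MFA (FIDO2/WebAuthn security keys bound to the real Okta origin), which turns a phished password into a useless one because the second factor cannot be replayed from the attacker's machine.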

According to Gizmodo, OurMine does not usually leak files after a hack without a reason. The group's stated aim is to demonstrate how weak an organization's security is and then inform that organization. In this case, however, when they contacted Vevo about the files they held, they were told to "f*** off." So the files were leaked instead, with OurMine noting that it would take them down if Vevo asked.


With so much data leaked it will take a while for interested parties to look through it all in detail. For the most part, the files appear to relate only to marketing, music chart information, and artist details. There are a few documents that need acting on, however, for example one detailing how to set and unset the alarm at Vevo's UK office.

Vevo confirmed to Gizmodo that the breach happened and an investigation is under way. Hopefully that results in better security around its systems and a better response to OurMine asking them to take the files offline.


