"A Pop Star Wants You in their New Video..."

YouTube channels of Taylor Swift, Justin Bieber, Harry Styles, and other musicians compromised

Some of the biggest stars around have seen content placed on their YouTube accounts without permission over the last couple of days. Taylor Swift has around 40 million subscribers. Justin Bieber? 68 million. Harry Styles, a respectable 12 million. You can even add Eminem and Michael Jackson to the list of those taken over.

Big names, and even bigger numbers.

The last time I can remember an all-out targeted attack on social media musicians was way back in 2007during Ye Olde Myspace days. While the threat for mischief there was big, this new attack far surpassed it in terms of people seeing dubious content.

Using Vevo as a stepping-stone to musician channels

According to The Record, the attack specifically targeted accounts using Vevo. The people behind it didn’t promote malware links, or spam, or phishing. Instead, they opted to post about a bizarre scaminvolving a security guard.

The scam involved a man claiming to have “2,000 tumours”, sentenced to 2 years in jail for grabbing around $319,000 in donationsfor his non-existent terminal illness. The group claiming to be behind the compromise demanded he be set freevia their Twitter account.

If you’ve ever watched a music video from a major artist, there’s a good chance you’ll have seen the Vevo logo in the bottom right hand corner. This is the Vevo channel, where content is uploaded. As Gizmodo notes, videos are merged with the musician’s separate YouTube channel. Existing YouTube accounts can also be merged to create Official Artist Channels.

Speaking to The Verge, Vevo said “Some videos were directly uploaded to a small number of Vevo artist channels earlier today by an unauthorized source.”

This is what Vevo’s FAQ pagehas to say on the subject of how uploads work:

Vevo does not provide access directly to artists. If your music videos have been delivered to Vevo, you must work with your existing Content Provider/Label who will have access to perform these updates.

What about yourYouTube security?

You may not be a multi-million album seller signed up to Vevo on YouTube, but you still need to lock down your YouTube account. Any compromise can lead to masses of spam or videos leading users off-site to phishing or malware.

Signing into YouTube requires a Google account. As such, good Google security hygiene means good YouTube security hygiene too. We’ve covered many Google-centric security concerns previously, but here’s some things you can do now to lock down your account:

  • Create a strong password, and enable two-factor authentication (2FA). Use the Google Auth app for 2FA rather than SMS codes, this will help you avoid the threat of SIM-swap attacks.
  • Don’t share sign-in informationwith others. If someone contacts you promising riches beyond your wildest dreams, they may ask for your login details to set up some sort of “affiliate” or partnership status. This is a bad idea, and you shouldn’t do it.
  • Use Google’s security checkup. This informs you at a glance about recent login activity, device sign-ins, Gmail settings, and more. It’s a handy, focused way to make sense of the sometimes overwhelming range of options available.
  • Remove sites and apps you don’t needor recognise. As with many social accounts, you’re able to connect to a variety of services. View connected apps here.
  • Keep an eye on the commentsposted to your videos. There’s a lot of spam out there and it may sully your reputation if followers end up in bad places via your content.

This should be enough to get your account moving to a place where it’s a lot more secure than before. While the chance of you being hit by an attack like the one above targeting very well known accounts is low, people regularly look to hijack regular YouTube accounts. Let’s not make it easy for them!


Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.