{
	"id": "f5792b67-b636-4f25-97b2-ed0e4b890944",
	"created_at": "2026-04-06T00:13:20.353864Z",
	"updated_at": "2026-04-10T03:38:19.305168Z",
	"deleted_at": null,
	"sha1_hash": "375a04e09c3d2abe7899d21996e1b6c3e108d1e0",
	"title": "Welp, Vevo Just Got Hacked",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 37156,
	"plain_text": "Welp, Vevo Just Got Hacked\r\nBy Dell Cameron\r\nPublished: 2017-09-15 · Archived: 2026-04-05 12:58:31 UTC\r\nAnother day, another multinational video service brought to its knees by a group of rogue hackers with a bone to\r\npick.\r\nVevo, the joint venture between Universal Music Group, Sony Music Entertainment, Abu Dhabi Media, Warner\r\nMusic Group, and Alphabet Inc. (Google’s parent company), was just hacked. Roughly 3.12TB worth of internal\r\nfiles have been posted online, and a couple of the documents reviewed by Gizmodo appear sensitive.\r\nThe OurMine hacker squad has claimed responsibility for the breach. The group is well known: They hijacked\r\nWikiLeaks’ DNS last month shortly after they took over HBO’s Twitter account; last year, they took over Mark\r\nZuckerberg’s Twitter and Pinterest accounts; and they hit both BuzzFeed and TechCrunch not long after that.\r\nThe leaked cache contains a wide variety of office documents, videos, and other promotional materials. Based on\r\na cursory review, a majority of the files seemed pretty mild—weekly music charts, pre-planned social media\r\ncontent, and various details about the artists under the record companies’ management.\r\nBut not all of the material was quite so benign. Vevo’s UK office will probably want to get this alarm code\r\nchanged as soon as possible:\r\nOurMine typically hacks people because, well, it can. The group’s primary goal is demonstrating to companies\r\nthat they have weak security. In this case, the hackers managed to compromise an employee account for Okta, the\r\nsingle sign-on workplace app. 
Usually they don’t resort to leaking large caches of files—at least to our knowledge\r\n—but in this case it sounds like someone may have pissed them off.\r\nIn a post late Thursday, OurMine claimed it leaked Vevo’s files after reaching out to one of the company’s\r\nemployees and being told to “fuck off.” But they informed Gizmodo by email: “If they asked us to remove the\r\nfiles then we will.”\r\nOf course, Sony (one of Vevo’s joint owners) fell victim to a devastating hack in 2014 after a group of hackers\r\ncalling themselves the “Guardians of Peace” dumped a wealth of its confidential data online. US intelligence\r\nagencies pinned the breach on North Korea (one of the hacking group’s demands was that Sony pull The\r\nInterview, Seth Rogen’s comedy about a plot to assassinate Kim Jong-Un.)\r\nAccording to Business Insider, Vevo locked up nearly $200 million in year-long ad commitments this year, thanks\r\nto artists like Beyonce, Taylor Swift, and Ariana Grande helping generate some 25 million daily views. They\r\nmight consider spending some of those earnings on beefing up their security. This could’ve been a lot worse.\r\nWe’ve reached out to Vevo, Sony, Warner, Universal, and Google for comment. We’ll update if we hear anything\r\nback.\r\nUpdate 9/15/17 12:40am ET: Responding to our inquiry, a Vevo spokesperson told Gizmodo that the company\r\n“can confirm that Vevo experienced a data breach as a result of a phishing scam via Linkedin. We have addressed\r\nthe issue and are investigating the extent of exposure.”\r\nAdditional reporting by Bryan Menegus\r\nSource: https://gizmodo.com/welp-vevo-just-got-hacked-1813390834",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://gizmodo.com/welp-vevo-just-got-hacked-1813390834"
	],
	"report_names": [
		"welp-vevo-just-got-hacked-1813390834"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e4ccfe5c-4d77-4503-bf1c-36076dbd78d0",
			"created_at": "2022-10-25T16:07:24.522697Z",
			"updated_at": "2026-04-10T02:00:05.02215Z",
			"deleted_at": null,
			"main_name": "OurMine",
			"aliases": [
				"ATK 128",
				"TAG-HA10"
			],
			"source_name": "ETDA:OurMine",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "74f1da67-5bc9-49ee-ba8e-b7e8b452a2c2",
			"created_at": "2023-01-06T13:46:39.021238Z",
			"updated_at": "2026-04-10T02:00:03.183989Z",
			"deleted_at": null,
			"main_name": "OurMine",
			"aliases": [],
			"source_name": "MISPGALAXY:OurMine",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434400,
	"ts_updated_at": 1775792299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/375a04e09c3d2abe7899d21996e1b6c3e108d1e0.pdf",
		"text": "https://archive.orkl.eu/375a04e09c3d2abe7899d21996e1b6c3e108d1e0.txt",
		"img": "https://archive.orkl.eu/375a04e09c3d2abe7899d21996e1b6c3e108d1e0.jpg"
	}
}