UPDATED 22:06 EDT / SEPTEMBER 17 2017

Terabytes of data stolen in hack of online music video site Vevo

Vevo, the online music video service owned by the big record companies with support from Google LLC, has been hacked, with the data stolen finding its way online — at least briefly.

The Ourmine hacking group took responsibility for the hack and initially posted the data on its website. The stolen data included documents and promotional details about the videos shown on the site, private social media marketing information, confidential artist data and even the code of the alarm system at the Vevo office in New York City. Weirdly, the data was later deleted from the site “because of a request from Vevo,” Ourmine claimed.

Ourmine, for those who don’t follow hacking news, is the same group behind the hacks of Facebook Inc. Chief Executive Mark Zuckerberg, Google Inc. CEO Sundar Pichai, Oculus CEO Brendan Iribe, a number of YouTube stars, the PlayStation Network and most recently Wikileaks.

The hack itself consisted of the group successfully targeting a Vevo employee in a phishing attack, which gave the group employee-level access to Vevo’s backend.

Expanding on the attack vector, Phil Tully, principal data scientist at security firm ZeroFOX Inc., told SiliconANGLE that the phishing attack came via LinkedIn, “demonstrating again that social media is an effective vector” for launching targeted attacks.

“Already this summer, attackers have successfully used similarly fake social accounts to persuade employees at oil and gas companies, a cybersecurity firm and a government department to open malicious attachments designed to take control of victims’ devices,” Tully said. “In this newest incident, once hackers gained access to a Vevo employee’s social media account, they were able to obtain and publicly release 3.12 terabytes worth of the company’s sensitive internal data.”

Tully noted that phishing attacks using social media are highly effective as they allow hackers to create “believable online identities and interactions, which can help users build credibility and trust with their real-world peers.”

To reduce exposure to phishing attacks, Tully recommends that users limit their social media interactions to people they’re sure they can trust, make sure the person is either someone they’ve met or someone who has mutual connections in their profile, and avoid clicking on links or downloading file attachments sent via social media.

Tully also recommends that users do something few do today: enable two-factor authentication on all social accounts. “This provides another barrier of protection should an attacker ever steal your credentials,” he said. “Many social networks can now require a code be sent to your phone or via email when they detect a new browser or device attempting to access your account, so be on the lookout for any sort of suspicious activity.”
