Multiple accounts have had bizarre videos uploaded, one of which is entitled ‘Justin bieber – Free Paco Sanz (ft. Will Smith, Chris RockSkinny flex & Los Pelaos)’.
Paco Sanz is a Spanish criminal currently in prison for defrauding thousands of people by pretending to have a terminal illness.
The video features Sanz holding a guitar the wrong way around and singing in Spanish, overdubbed with some heavy synthesized beats.
Screenshot from Travis Scott’s YouTube account appears to show Spanish criminal Paco Sanz holding the guitar the wrong way around
– Justin Bieber
– Ariana Grande
– Harry Styles
– Michael Jackson
– Travis Scott
– Kanye West
– Lil Nas X
– Chris Brown
– The Weeknd
– Daddy Yankee
– Juice Wrld
… and possibly more
The reference to Will Smith and Chris Rock in the title may just be a way to get clicks, following the ‘slapgate’ scandal involving the two actors at the Oscars last month.
Twitter account @lospelaosbro (which takes its name from a Latin pop group) claimed responsibility the hacks in a flurry of tweets, in which he asked for suggestions on who to hack next, along with various photos of what seems to be Paco Sanz.
The identity of @lospelaosbro is unknown. The Twitter account was started only this month, but already has more than 7,500 followers.
MailOnline contacted Google, which owns YouTube, for information on why the videos started appearing, and how the accounts may have been compromised.
Vevo, known for providing music videos to YouTube, confirmed the hack to MailOnline, saying some videos were directly uploaded to ‘a small number’ of Vevo artist channels by ‘an unauthorised source’.
‘All of those improperly uploaded videos have since been deleted by Vevo,’ a Vevo spokesperson said.
‘While the artist channels have been secured and the incident has been resolved, as a best practice Vevo will be conducting a review of our security systems.’
According to Business Insider@lospelaosbro’s Paco Sanz video was online for almost an hour before being taken off the various YouTube channels.
Another video, posted to Harry Styles’ YouTube channel among others, is titled ‘Daddy Yankee – SPEED IS THE BEST HACKED BY @LOSPELAOSBRO ON TWITTER’.
It features a group of young men wearing hoodies with the word ‘speed’ on the front, dancing outdoors to an adapted version of ‘Hit the Road Jack’.
The hackers also uploaded a song called ‘La Raja de Tu Falda’ by Spanish rock duo Estopa to Michael Jackson’s YouTube channel with a new title – ‘i like ki. ds @LOSPELAOSBRO’.
In a comment below one of the videos, a YouTuber simply said: ‘I always love it when an artist tries something new.’
The bizarre videos seemed to be getting deleted by the channels after being uploaded, but Twitter user @ZyxerY has posted a short clip of the Paco Sanz video.
Business Insider refers to @lospelaosbro as a ‘sh**posting’ account – meaning it posts nonsensical, irrelevant or deliberately provocative content on social media to get a reaction.
Graham Cluley, a computer expert and security blogger, said it’s possible that all these high-profile YouTubers are using the same third-party service to manage their social media activity.
The hacked channels belong to celebrities including Justin Bieber, Ariana Grande, Harry Styles, Travis Scott, Kanye West, Lil Nas X, Chris Brown, The Weeknd and more
WHAT IS SH**POSTING?
Sh**posting is a term recognised by the Oxford English Dictionary.
The entry for sh**posting reads: ‘To post a nonsensical, irrelevant, or deliberately provocative message, image, comment, etc., on social media..’
The sh**post is made especially with ‘the intention of amusing an in-group, eliciting a reaction, subverting a discussion, or distracting from the main conversation’, it says.
‘If that third-party service was hacked that could provide a way for someone to post videos in the names of celebrities,’ he told MailOnline.
‘Another possibility is that a YouTube employee with access to user’s accounts was themselves breached, and hackers used that privileged access to post videos.
‘I’m not aware of any specific YouTube vulnerability, although it’s possible one exists.
‘Fans of these celebrities would be wise not to take at face value any links or messages posted by these unorthodox videos, as they might be pointed to a scam, dodgy cryptocurrency investment, etc.’
Jake Moore, a cybersecurity advisor at ESET, also said the issue likely has something to do with a third-party company that manages such accounts.
‘I would suspect this could have something to do with shared online account credentials,’ he told MailOnline.
‘Even with multi factor authentication on, many high profile social media accounts are in fact looked after by a third party company and such accounts, once verified, may not always require log in details each time on the enabled device.
Twitter account @lospelaosbro is claiming the attacks in a flurry of tweets, and asking for suggestions who to hack next
In a comment below one of the videos, a YouTuber simply said: ‘I always love it when an artist tries something new’
‘Furthermore, accounts will be monitored and used by multiple people which it turn weakens security on such accounts.’
David Warburton, threat research manager at F5 Labs, said it’s ‘unlikely’ that YouTube has a vulnerability that has allowed celebrity accounts to be taken over.
‘The simple reason is that stealing Kanye’s password or sending Justin Bieber a phishing email is far simpler, and far more likely to work, than visibly attacking one of the largest websites on the planet,’ Warburton told MailOnline.
‘It’s more likely that the stars, or those managing their accounts, have failed to follow basic cybersecurity advice, including using unique passwords on every site they visit, and protecting everything with multi-factor authentication (MFA).’
ARE YOUR PASSWORDS AS SECURE AS YOU THINK THEY ARE? EXPERTS REVEAL HOW LONG IT WOULD TAKE A HACKER TO CRACK YOUR LOGINS – AND SAY ANY 8-CHARACTER CODE CAN BE GUESSED IN LESS THAN AN HOUR
We all assume hackers won’t crack our own passwords, even if they’re simple ones with only a few characters.
But just how easy is it for someone to break into an online login?
According to new research, anything with six characters, regardless of whether numbers and symbol are included, can be cracked instantly.
The same goes for anything that is seven or eight characters but made up of just numbers or lower case letters.
But the news doesn’t get much better for any eight character combination.
In fact, they can all be guessed in about 39 minutes according to US cybersecurity company Hive Systems, which is based in Richmond, Virginia.
Hive Systems made the colour-coded table for 2022, showing how safe users’ passwords really are.
The company said its data was ‘based on how long it would take a consumer-budget hacker to crack your password hash using a desktop computer with a top-tier graphics card’.