Security Experts:

Hundreds of NBC Universal's Webpages Defaced

Hundreds of webpages maintained by NBC Universal were defaced over the weekend, by a hacker going by the name of “pyknik.” In addition to NBC, this attacker also targeted a Lady Gaga fan site. Web software used by both domains is speculated to be the primary source of access used in the attack.

On Sunday, NBC’s Web properties, including sub domains supporting Saturday Night Live, The Voice, The Apprentice, Tonight Show with Jay Leno, and Late Night with Jimmy Fallon, were defaced and replaced with a Guy Fawkes Day poem and low grade rap song.

“Remember, remember, the fifth of November...,” the rhyme included with the defacement stated, while shouts were given to friends of “pykink.” While there has been no proof presented, the defacement message reported that user information and passwords were exposed and dumped.

There has been speculation that a recently patched vulnerability in Invision Power Service’s (IPS) community platform, which is used by both of the attacked domains, was the source of the attacker’s access. The software was patched last month, but neither domain was using the current version of the software. Other than for the ‘lulz,’ there appears to be no logic behind the attack. Online, some called out the Guy Fawkes reference as a marker that Anonymous was responsible, a claim they quickly denied through their more vocal accounts on Twitter.

NBC restored the hijacked pages quickly, and in a statement confirmed that the domains were “defaced for a brief amount of time.” The entertainment and broadcasting company made no mention of the defacement’s claims of data compromise.

In addition to NBC’s domain, Gaga Daily, a Lady Gaga fan site, was also defaced with the same message, including the poor quality rapping and overuse of the “marquee” tag. The Gaga fan site was also restored quickly after a brief outage.

view counter
Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.