Early today an anonymous user was able to modify the title and alt text fields attached to a file entity that was a link to a YouTube video. I cannot figure out which module allowed the intrusion, but suffice to say that only specific roles have permission to add/edit files, use the internet_sources, youtube, media, file_entity, and other modules that might be related to this breach.
The hack came from 5.188.211.11, a domain registered in St. Petersburg, Russia. The log entry follows:

Type	file
Date	Sunday, February 19, 2017 - 1:37am
User	Guest
Location	[homepage]
Referrer	[path]/edit?destination=kc-home-page
Message	Video: updated JimmiXzSw.
Severity	notice
Hostname	5.188.211.11

I found some reports of hacks from this domain beginning in January.

Comments

rsbecker created an issue. See original summary.

cilefen’s picture

cilefen CreditAttribution: cilefen commented

See https://www.drupal.org/node/101494

Version: 7.53 » 7.x-dev

Core issues are now filed against the dev versions where changes will be made. Document the specific release you are using in your issue comment. More information about choosing a version.