Stories
Slash Boxes
Comments

SoylentNews is people

SoylentNews is powered by your submissions, so send in your scoop. Only 8 submissions in the queue.
posted by Fnord666 on Thursday September 26 2019, @10:31AM   Printer-friendly
from the another-day-another-hack dept.

Submitted via IRC for SoyCow2718

Security Warning For 23 Million YouTube Creators Following 'Massive' Hack Attack

High-profile YouTubers have been targeted by cybercriminals over the weekend in what appears to have been a highly coordinated and "massive" attack. The security warning was made by Catalin Cimpanu, a ZDNet reporter, who spoke to a member of an internet forum with a history of trading access to hacked accounts. Here's what we know so far and what you need to do to protect your own YouTube account.

According to the ZDNet investigation, many accounts belonging to well-known YouTubers within the car community appear to have been hijacked. However, it would also appear the attack itself has been directed mostly towards "influencers" across many YouTube channel genres. Amongst those taking to Twitter to complain about their YouTube accounts being hacked and access to their channels lost, were YouTubers covering technology, music, gaming and Disney. With more than 23 million YouTube channels, anyone who creates content should be heeding this warning though.


Original Submission

Related Stories

YouTube Channel Linus Tech Tips Terminated After It Was Hacked to Show Crypto-Scam Videos 9 comments

https://www.techspot.com/news/98047-youtube-channel-linustechtips-terminated-after-hacked-show-crypto.html

What just happened? Linus Tech Tips, one of the largest and most popular technology YouTube channels on the platform, has been hacked. It was used by the hackers to show pre-recorded 'live-streaming' crypto-scam videos, featuring former Twitter CEO Jack Dorsey and Tesla CEO Elon Musk. The channel is now showing a message stating it has been shut down for violating YouTube's community guidelines, but it appears Linus' other channels are also being abused.

Linus Sebastian's Linus Tech Tips YouTube channel has been running since 2008 and has amassed 15.8 million subscribers. The Canadian has several channels under the Linus Media Group banner, including TechLinked, but the main one remains the most popular. Sadly for all involved, it's become the latest high-profile channel to be hacked.
[...]
YouTube has shuttered the channel for violating its guidelines, but it seems the hackers have now gone after other Linus Media Group accounts. TechLinked has been renamed Tesla and is showing the same Musk livestream.
[...]
While all the content from the channels has been deleted, Linus previously created several videos showing off the high-end hardware used to store the terabytes of backups the company created over the years.

[UPDATE: After taking back control of the channels, he released a video explaining how it all went down by way of a little bit of social engineering resulting in the attacker gaining their browser session token --hubie]

Also:
Linus Tech Tips YouTube Channel Hacked to Promote Crypto Scams
Linus Tech Tips YouTube Channel Is Down After Crypto Scammer Hack
VERGE STUPIDLY MAKES THEIR TITLES IMAGES NOW (Though, it could just be the one article. This is also an article on the Linus Tech Tips YouTube channel hack.)

Related:
Live Show on Improving Your Security -- Wednesday June 3rd, 2020 (NCommander - 2020)
Security Warning For 23 Million YouTube Creators Following 'Massive' Hack Attack (2019)


Original Submission

This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
(1)
  • (Score: 1, Insightful) by Anonymous Coward on Thursday September 26 2019, @12:46PM (2 children)

    by Anonymous Coward on Thursday September 26 2019, @12:46PM (#899068)

    and Everything you need to know. I can't stand articles with these beginning sentences. Like I'm a child and need information cultivated and spoon fed to me. Can't anyone write something in the "traditional" style?

    • (Score: 1, Interesting) by Anonymous Coward on Thursday September 26 2019, @02:49PM

      by Anonymous Coward on Thursday September 26 2019, @02:49PM (#899122)

      Seconded - I thought I was the only one getting annoyed at that

    • (Score: 4, Funny) by stormreaver on Thursday September 26 2019, @07:38PM

      by stormreaver (5101) on Thursday September 26 2019, @07:38PM (#899274)

      Can't anyone write something in the "traditional" style?

      How's this:

      "You Won't Believe How 23 Million Youtubers Got Hacked Using This One Weird Trick!"

  • (Score: 2, Insightful) by Anonymous Coward on Thursday September 26 2019, @01:56PM (1 child)

    by Anonymous Coward on Thursday September 26 2019, @01:56PM (#899088)

    And nothing was lost.

    • (Score: 2, Disagree) by ikanreed on Thursday September 26 2019, @03:24PM

      by ikanreed (3164) Subscriber Badge on Thursday September 26 2019, @03:24PM (#899156) Journal

      If every one of those people lost their social media accounts forever, the world would be a better place.

  • (Score: 5, Informative) by rob_on_earth on Thursday September 26 2019, @02:09PM (5 children)

    by rob_on_earth (5485) on Thursday September 26 2019, @02:09PM (#899098) Homepage

    According to tFA and the embed YouTube on that page, all the channel owners clicked a phishing link in an email that appeared to be from other channel owners and they entered their usernames and passwords.

    This then begs the question, if they all had 2FA enabled how did the baddies get control of their accounts with just a valid username and password.

    and it appears the hackers changed the channel vanity URI and did not delete the channels, but this meant viewers could not find them.

    • (Score: 4, Informative) by aristarchus on Thursday September 26 2019, @08:04PM (4 children)

      by aristarchus (2645) on Thursday September 26 2019, @08:04PM (#899284) Journal

      This then begs the question,

      Oh, crap, not again! No, it does not "beg the question".
      https://begthequestion.info/ [begthequestion.info]

      • (Score: 3, Touché) by curunir_wolf on Thursday September 26 2019, @08:24PM (2 children)

        by curunir_wolf (4772) on Thursday September 26 2019, @08:24PM (#899296)

        Give it up, dude. The usage and meaning of the phrase has changed. That happens in languages.

        Sorry you're so upset about it. I don't worry, myself, I'm quite gay.

        --
        I am a crackpot
        • (Score: 2) by c0lo on Thursday September 26 2019, @10:21PM

          by c0lo (156) Subscriber Badge on Thursday September 26 2019, @10:21PM (#899326) Journal

          The usage and meaning of the phrase has changed...
          ...I don't worry, myself, I'm quite gay.

          👍👍👍👍👍

          --
          https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
        • (Score: 3, Funny) by aristarchus on Friday September 27 2019, @08:10AM

          by aristarchus (2645) on Friday September 27 2019, @08:10AM (#899474) Journal

          And I am quite happy for you! But as a Logician, "This Shall Not Pass!!" (It's a neckbeard wizard thing). The change in this case is based on semi-literacy and ignorance. If you mean "begs for the question to be asked/raised", then, say that. But to use "question begging" in this sense is something of a damp squid. [wikipedia.org] I mean to say, the usage does not pass the mustard! It is kind of like a bowl in a China shop [chronicle.com] and a "mute point". Only someone lacking toast and intolerant would think this is a normal change of language. There is a database [lascribe.net], you know. . . But perhaps it is all for knot.

      • (Score: 3, Touché) by PartTimeZombie on Thursday September 26 2019, @09:45PM

        by PartTimeZombie (4827) on Thursday September 26 2019, @09:45PM (#899313)

        No, it does not "beg the question".

        Your post begs the question: "Why is there no +1 Pedant mod?".

  • (Score: 2) by jmichaelhudsondotnet on Thursday September 26 2019, @02:27PM (5 children)

    by jmichaelhudsondotnet (8122) on Thursday September 26 2019, @02:27PM (#899110) Journal

    Yeah, so maybe you should start listening.

    Google itself is not secure, united states or israeli spies have the capacity to just do this with the basic access they have, and they have every interest in doing so at this point.

    Why people think google admins are above this type of suspicion just because of branding, in 2019, is pretty pretty absurd. When you use a platform like that, you have no actual thing to trust besides this name. It is literally like trying to stand on a cloud, there is no there there, you fall right through till you hit the ground at high velocity.

    If that many accounts can be hacked at once, at all, the entire company is incompetent, not a market leader, and anyone using it from here on out will be willfully, intentionally choosing this for themselves. I already think they are.

    Every source of alternative credibility is being attacked.

    Get. It. Through. Your. Head.

    thesesystemsarefailing.net

    • (Score: -1, Troll) by Anonymous Coward on Thursday September 26 2019, @02:37PM (4 children)

      by Anonymous Coward on Thursday September 26 2019, @02:37PM (#899113)

      I'm passing gas. A lot of gas. Does this make me an "influencer"?

      • (Score: 0) by Anonymous Coward on Thursday September 26 2019, @03:41PM (3 children)

        by Anonymous Coward on Thursday September 26 2019, @03:41PM (#899166)

        If you're not part of the solution, then you are part of the pollution!

        • (Score: 2) by Runaway1956 on Thursday September 26 2019, @04:08PM (2 children)

          by Runaway1956 (2926) Subscriber Badge on Thursday September 26 2019, @04:08PM (#899182) Journal

          But, my gas goes into solution, in the atmosphere.

          --
          We've finally beat Medicare! - Houseplant in Chief
          • (Score: 0) by Anonymous Coward on Thursday September 26 2019, @10:01PM

            by Anonymous Coward on Thursday September 26 2019, @10:01PM (#899320)

            Is it the final solution?

          • (Score: 2) by Webweasel on Friday September 27 2019, @10:01AM

            by Webweasel (567) on Friday September 27 2019, @10:01AM (#899495) Homepage Journal

            Gas, gas, gas I'm gonna step on the gas.

            --
            Priyom.org Number stations, Russian Military radio. "You are a bad, bad man. Do you have any other virtues?"-Runaway1956
  • (Score: 2) by stretch611 on Thursday September 26 2019, @09:16PM (1 child)

    by stretch611 (6199) on Thursday September 26 2019, @09:16PM (#899306)

    Let this hack remove Ninja [youtube.com] from the internet.

    (Damn when looking up a link, I realized he is on twitch as well... so hopefully that will be hacked too.)

    --
    Now with 5 covid vaccine shots/boosters altering my DNA :P
  • (Score: 2) by RedBear on Friday September 27 2019, @04:11AM (1 child)

    by RedBear (1734) on Friday September 27 2019, @04:11AM (#899425)

    Getting 2FA codes over SMS makes 2FA basically useless. There are multiple ways to intercept the SMS messages and get the 2FA code. It’s virtually guaranteed that everyone who was hacked was using SMS to get their 2FA codes, if they even had 2FA enabled at all.

    I had an important account at an organization that should know better. I did the responsible thing and tried to enable their “extra security” option, but when I realized that the only implemented method to obtain security codes was via SMS I immediately disabled the extra security because it was utterly pointless. For that account I just have to use a heavy duty password and rely on myself to avoid getting phished.

    Every other service I’ve activated 2FA on supports one-time-use backup codes, authenticator apps, and most finally are supporting physical U2F keys. None of those methods should be easy for phishers to bypass. But SMS, pffft! It shouldn’t even be an option anymore. If it was disabled this kind of hack would basically just... stop.

    --
    ¯\_ʕ◔.◔ʔ_/¯ LOL. I dunno. I'm just a bear.
    ... Peace out. Got bear stuff to do. 彡ʕ⌐■.■ʔ
    • (Score: 2) by Pino P on Friday September 27 2019, @01:41PM

      by Pino P (4721) on Friday September 27 2019, @01:41PM (#899548) Journal

      Every other service I’ve activated 2FA on supports one-time-use backup codes, authenticator apps, and most finally are supporting physical U2F keys.

      But do other services supporting 2FA allow you to enroll one-time-use backup codes, TOTP apps, and U2F keys without first enrolling SMS and keeping it enrolled? Twitter and Twitch do not.

(1)