Submitted via IRC for SoyCow2718
Security Warning For 23 Million YouTube Creators Following 'Massive' Hack Attack
High-profile YouTubers have been targeted by cybercriminals over the weekend in what appears to have been a highly coordinated and "massive" attack. The security warning was made by Catalin Cimpanu, a ZDNet reporter, who spoke to a member of an internet forum with a history of trading access to hacked accounts. Here's what we know so far and what you need to do to protect your own YouTube account.
According to the ZDNet investigation, many accounts belonging to well-known YouTubers within the car community appear to have been hijacked. However, it would also appear the attack itself has been directed mostly towards "influencers" across many YouTube channel genres. Amongst those taking to Twitter to complain about their YouTube accounts being hacked and access to their channels lost, were YouTubers covering technology, music, gaming and Disney. With more than 23 million YouTube channels, anyone who creates content should be heeding this warning though.
Related Stories
What just happened? Linus Tech Tips, one of the largest and most popular technology YouTube channels on the platform, has been hacked. It was used by the hackers to show pre-recorded 'live-streaming' crypto-scam videos, featuring former Twitter CEO Jack Dorsey and Tesla CEO Elon Musk. The channel is now showing a message stating it has been shut down for violating YouTube's community guidelines, but it appears Linus' other channels are also being abused.
Linus Sebastian's Linus Tech Tips YouTube channel has been running since 2008 and has amassed 15.8 million subscribers. The Canadian has several channels under the Linus Media Group banner, including TechLinked, but the main one remains the most popular. Sadly for all involved, it's become the latest high-profile channel to be hacked.
[...]
YouTube has shuttered the channel for violating its guidelines, but it seems the hackers have now gone after other Linus Media Group accounts. TechLinked has been renamed Tesla and is showing the same Musk livestream.
[...]
While all the content from the channels has been deleted, Linus previously created several videos showing off the high-end hardware used to store the terabytes of backups the company created over the years.
[UPDATE: After taking back control of the channels, he released a video explaining how it all went down by way of a little bit of social engineering resulting in the attacker gaining their browser session token --hubie]
Also:
Linus Tech Tips YouTube Channel Hacked to Promote Crypto Scams
Linus Tech Tips YouTube Channel Is Down After Crypto Scammer Hack
VERGE STUPIDLY MAKES THEIR TITLES IMAGES NOW (Though, it could just be the one article. This is also an article on the Linus Tech Tips YouTube channel hack.)
Related:
Live Show on Improving Your Security -- Wednesday June 3rd, 2020 (NCommander - 2020)
Security Warning For 23 Million YouTube Creators Following 'Massive' Hack Attack (2019)
(Score: 1, Insightful) by Anonymous Coward on Thursday September 26 2019, @12:46PM (2 children)
and Everything you need to know. I can't stand articles with these beginning sentences. Like I'm a child and need information cultivated and spoon fed to me. Can't anyone write something in the "traditional" style?
(Score: 1, Interesting) by Anonymous Coward on Thursday September 26 2019, @02:49PM
Seconded - I thought I was the only one getting annoyed at that
(Score: 4, Funny) by stormreaver on Thursday September 26 2019, @07:38PM
How's this:
"You Won't Believe How 23 Million Youtubers Got Hacked Using This One Weird Trick!"
(Score: 2, Insightful) by Anonymous Coward on Thursday September 26 2019, @01:56PM (1 child)
And nothing was lost.
(Score: 2, Disagree) by ikanreed on Thursday September 26 2019, @03:24PM
If every one of those people lost their social media accounts forever, the world would be a better place.
(Score: 5, Informative) by rob_on_earth on Thursday September 26 2019, @02:09PM (5 children)
According to tFA and the embed YouTube on that page, all the channel owners clicked a phishing link in an email that appeared to be from other channel owners and they entered their usernames and passwords.
This then begs the question, if they all had 2FA enabled how did the baddies get control of their accounts with just a valid username and password.
and it appears the hackers changed the channel vanity URI and did not delete the channels, but this meant viewers could not find them.
(Score: 4, Informative) by aristarchus on Thursday September 26 2019, @08:04PM (4 children)
Oh, crap, not again! No, it does not "beg the question".
https://begthequestion.info/ [begthequestion.info]
(Score: 3, Touché) by curunir_wolf on Thursday September 26 2019, @08:24PM (2 children)
Give it up, dude. The usage and meaning of the phrase has changed. That happens in languages.
Sorry you're so upset about it. I don't worry, myself, I'm quite gay.
I am a crackpot
(Score: 2) by c0lo on Thursday September 26 2019, @10:21PM
👍👍👍👍👍
https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
(Score: 3, Funny) by aristarchus on Friday September 27 2019, @08:10AM
And I am quite happy for you! But as a Logician, "This Shall Not Pass!!" (It's a neckbeard wizard thing). The change in this case is based on semi-literacy and ignorance. If you mean "begs for the question to be asked/raised", then, say that. But to use "question begging" in this sense is something of a damp squid. [wikipedia.org] I mean to say, the usage does not pass the mustard! It is kind of like a bowl in a China shop [chronicle.com] and a "mute point". Only someone lacking toast and intolerant would think this is a normal change of language. There is a database [lascribe.net], you know. . . But perhaps it is all for knot.
(Score: 3, Touché) by PartTimeZombie on Thursday September 26 2019, @09:45PM
Your post begs the question: "Why is there no +1 Pedant mod?".
(Score: 2) by jmichaelhudsondotnet on Thursday September 26 2019, @02:27PM (5 children)
Yeah, so maybe you should start listening.
Google itself is not secure, united states or israeli spies have the capacity to just do this with the basic access they have, and they have every interest in doing so at this point.
Why people think google admins are above this type of suspicion just because of branding, in 2019, is pretty pretty absurd. When you use a platform like that, you have no actual thing to trust besides this name. It is literally like trying to stand on a cloud, there is no there there, you fall right through till you hit the ground at high velocity.
If that many accounts can be hacked at once, at all, the entire company is incompetent, not a market leader, and anyone using it from here on out will be willfully, intentionally choosing this for themselves. I already think they are.
Every source of alternative credibility is being attacked.
Get. It. Through. Your. Head.
thesesystemsarefailing.net
(Score: -1, Troll) by Anonymous Coward on Thursday September 26 2019, @02:37PM (4 children)
I'm passing gas. A lot of gas. Does this make me an "influencer"?
(Score: 0) by Anonymous Coward on Thursday September 26 2019, @03:41PM (3 children)
If you're not part of the solution, then you are part of the pollution!
(Score: 2) by Runaway1956 on Thursday September 26 2019, @04:08PM (2 children)
But, my gas goes into solution, in the atmosphere.
(Score: 0) by Anonymous Coward on Thursday September 26 2019, @10:01PM
Is it the final solution?
(Score: 2) by Webweasel on Friday September 27 2019, @10:01AM
Gas, gas, gas I'm gonna step on the gas.
Priyom.org Number stations, Russian Military radio. "You are a bad, bad man. Do you have any other virtues?"-Runaway1956
(Score: 2) by stretch611 on Thursday September 26 2019, @09:16PM (1 child)
Let this hack remove Ninja [youtube.com] from the internet.
(Damn when looking up a link, I realized he is on twitch as well... so hopefully that will be hacked too.)
Now with 5 covid vaccine shots/boosters altering my DNA :P
(Score: 0) by Anonymous Coward on Thursday September 26 2019, @10:01PM
He is not really a YouTuber. His main platform was Twitch, but Microsoft likely paid him $1 million or more to switch to Mixer.
https://www.theverge.com/2019/8/1/20750393/ninja-mixer-exclusive-twitch-fortnite-streaming-gaming-announcement [theverge.com]
Even if Mixer fails and Ninja's career takes a nosedive, he is set for life.
(Score: 2) by RedBear on Friday September 27 2019, @04:11AM (1 child)
Getting 2FA codes over SMS makes 2FA basically useless. There are multiple ways to intercept the SMS messages and get the 2FA code. It’s virtually guaranteed that everyone who was hacked was using SMS to get their 2FA codes, if they even had 2FA enabled at all.
I had an important account at an organization that should know better. I did the responsible thing and tried to enable their “extra security” option, but when I realized that the only implemented method to obtain security codes was via SMS I immediately disabled the extra security because it was utterly pointless. For that account I just have to use a heavy duty password and rely on myself to avoid getting phished.
Every other service I’ve activated 2FA on supports one-time-use backup codes, authenticator apps, and most finally are supporting physical U2F keys. None of those methods should be easy for phishers to bypass. But SMS, pffft! It shouldn’t even be an option anymore. If it was disabled this kind of hack would basically just... stop.
¯\_ʕ◔.◔ʔ_/¯ LOL. I dunno. I'm just a bear.
... Peace out. Got bear stuff to do. 彡ʕ⌐■.■ʔ
(Score: 2) by Pino P on Friday September 27 2019, @01:41PM
But do other services supporting 2FA allow you to enroll one-time-use backup codes, TOTP apps, and U2F keys without first enrolling SMS and keeping it enrolled? Twitter and Twitch do not.