Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Youtube Security

'Massive' Coordinated Campaign Hijacked Many YouTube Accounts (zdnet.com) 16

An anonymous reader quotes ZDNet: A massive wave of account hijacks has hit YouTube users, and especially creators in the auto-tuning and car review community, a ZDNet investigation discovered following a tip from one of our readers. Several high-profile accounts from the YouTube creators car community have fallen victim to these attacks already... But the YouTube car community wasn't the only one targeted. Other YouTube creators also reported having their accounts hijacked last week, and especially over [last] weekend, with tens of complaints flooding Twitter and the YouTube support forum.

The account hacks are the result of a coordinated campaign that consisted of messages luring users to phishing sites, where hackers logged account credentials... Some users reported receiving individual emails, while others said they received email chains that included the addresses of multiple YouTube creators, usually from the same community or niche... Ryan Scott, the owner of the PURE Function YouTube channel confirmed he used two-factor authentication on his account, validating that hackers did bypass 2FA on some of the hacked accounts.

Google did not return a request for comment.

The article includes links to 9 different complaints in YouTube's support forum -- and another 9 complaints from Twitter -- adding that they'd found "many more."

MIT's Technology Review reports that YouTube warned the owners of roughly 23 million channels to boost their security measures.
This discussion has been archived. No new comments can be posted.

'Massive' Coordinated Campaign Hijacked Many YouTube Accounts

Comments Filter:
  • Is this two-factor authentication based on SMS messages? The same SMS messages that are trivially easily forged due to decades of cellular carriers' inaction?

    • sms was never designed to be secure, never claimed to be secure and it could never be secured due to the millions of devices out there that can't be updated. It is not the carriers fault that other companies decided to use it a security mechanism to save themselves time and money creating a proper one
      • by Luthair ( 847766 )
        SMS isn't insecure because of devices, its insecure because carriers can't provide convenient customer service and still social engineering of CS reps.
  • Really, "tens of complaints" is "massive?"
    • That they are all gear-heads is informing, even if just its just ten's.

      Even the community of grandparents are defending themselves better.

      If these were the youtube accounts of large corporations from a specific industry, like say, the oil companies... I suspect that you would be creaming your pants right now instead of being dismissive.
  • MIT's Technology Review reports that YouTube warned the owners of roughly 23 million channels to boost their security measures.

    Ryan Scott, the owner of the PURE Function YouTube channel confirmed he used two-factor authentication on his account, validating that hackers did bypass 2FA on some of the hacked accounts.

    So if 2FA has been compromised, how exactly do they expect you to "boost" your security measures? Where is there to go from there?

    • In two factor authentication, if one of the factors fails, the other is still supposed to work.

      Unfortunately, passwords are weak-sauce for various reasons on both ends, often not even being needed (reset my password plz.)

      So when one of the factors is a password, and the other....

      ...can be defeated with social engineering...
  • Tens of complaints is massive? Wouldn't that normally be a slower than dirt day?
  • One auto channel guy was able to avoid this due to his suspicions and he posted a video about this with some more info including the phishing emails. From what he said, it sounds like the scammers prompted the victims to enter the 2FA code (possibly making it sound as though the scammer's site was sending them a 2FA code, and the victim not closely looking to see that the SMS was from Youtube).

    https://www.youtube.com/watch?v=YTmLjkDHolE&t=313s [youtube.com]
    • How would you know? Any time I've used two-factor auth the SMS has come from some unusual number I'd have no way of recognizing.

      • Any decent 2FA SMS message will identify the source. I went through my history and all of the ones I see tell you where they're from (though only the company involved, not the exact website).

        • My guess is that you go to their site from their fishing email, the site tells you it needs you to enter a 2FA, does some black magic to tell the Youtube site to send you the 2FA, you get it and type it in...

          Otherwise the only way for the attacker to get a genuine 2FA code to type in and hijack your account is social engineer your phone number away. If they can do that they probably do not need you to click on the email.

  • ... and they bite the teacher.

    I saw the Internet come in and got burned early on and learned best practices. I preached those in business and still people did dumb things. Especially bad was that the user didn't 1.) own the equipment, 2.) have to clean it up, 3.) care.

    I would have thought those who were born into the Internet age would be savvy regarding the almost high school antics of opening attachments in email.

    Sadly, that's not the case.

Avoid strange women and temporary variables.

Working...