The well-known YouTube channel Linus Tech Tips was hacked a few days ago. The attackers gained access to the channel, deleted all of its videos, and showed a cryptocurrency scam video to an audience of more than 15.3 million viewers. Instead of tech reviews, the audience saw a bad actor do things like change channels and livestream crypto scam videos. This is not the first time YouTube accounts have been hacked. In this specific case, the attackers took over three Linus Media Group YouTube channels by targeting session tokens.
As mentioned above, this attack is just one in a series of similar incidents over the past year. Most of these attacks were designed to expose viewers to crypto sites through either QR codes or links. For instance, viewers could watch a fake Apple crypto scam on YouTube; the Vevo channels of famous artists including Drake and Taylor Swift were also attacked, as was the British Army’s YouTube channel.
The owner of the recently hacked YouTube channels, Linus Sebastian, explained in a video that the breach bypassed both two-factor protection and the password because the bad actor targeted the session tokens that keep a user logged in to a website. He confirmed that the channels were victims of session hijacking, also known as cookie hijacking. In this kind of attack, a bad actor gains access to a victim’s online account by stealing the session cookies stored on the user’s PC. This means they don’t need to go through multifactor authentication (MFA) or capture login credentials to gain access to the account.
Namely, what happened was that a threat actor gained access to a session cookie by sending the user phishing emails that seem important to the recipient (something like a business invoice or a message to a friend). These emails contain attachments which are usually executable files that introduce malware to the user’s system. The attachments appear to be PDFs, which is why users are so easily tricked into believing they are opening something safe. Once the malware activates, it steals session cookies, which gives cybercriminals access to the victim’s account.
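The lure described above depends on an executable that only looks like a PDF. The following is an added example (not code from the article or from Linus Media Group) of the kind of check a mail gateway or endpoint scanner can run on an incoming attachment: it compares the claimed file extension against the file’s leading bytes (magic numbers) and flags double extensions and executable content. The sample attachments at the bottom are constructed for the demonstration; the magic-number constants are the real, well-known signatures.

```python
from dataclasses import dataclass, field

# Well-known file signatures (magic numbers) used to identify content regardless of name.
PDF_MAGIC = b"%PDF-"
PE_MAGIC = b"MZ"           # Windows executables (EXE, DLL, SCR) begin with "MZ"
ELF_MAGIC = b"\x7fELF"     # Linux executables
ZIP_MAGIC = b"PK\x03\x04"  # ZIP containers

# Extensions that Windows will execute directly when double-clicked.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".bat", ".cmd", ".js", ".vbs", ".msi", ".com", ".pif"}
# "Document-looking" inner extensions used in double-extension tricks such as invoice.pdf.exe.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}
RTL_OVERRIDE = "\u202e"    # Unicode right-to-left override, used to visually reverse a file name


@dataclass
class Verdict:
    filename: str
    suspicious: bool
    reasons: list = field(default_factory=list)


def sniff_type(data: bytes) -> str:
    """Classify content by its leading bytes, ignoring the file name entirely."""
    if data.startswith(PDF_MAGIC):
        return "pdf"
    if data.startswith(PE_MAGIC):
        return "pe"
    if data.startswith(ELF_MAGIC):
        return "elf"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    return "unknown"


def inspect_attachment(filename: str, data: bytes) -> Verdict:
    """Return a Verdict listing every reason the attachment looks like a disguised executable."""
    reasons = []
    name = filename.lower().strip()
    parts = name.split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    actual = sniff_type(data)

    # 1. Double extension: a benign-looking inner extension followed by an executable one.
    if len(parts) > 2 and "." + parts[-2] in DOCUMENT_EXTENSIONS and ext in EXECUTABLE_EXTENSIONS:
        reasons.append("double extension")
    # 2. Name claims PDF but the bytes say otherwise.
    if ext == ".pdf" and actual != "pdf":
        reasons.append(f"extension .pdf but content is {actual}")
    # 3. Executable content, whatever the name says.
    if actual in ("pe", "elf"):
        reasons.append(f"executable content ({actual})")
    # 4. Directly executable extension.
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension {ext}")
    # 5. Right-to-left override character, which makes "invoice[RLO]fdp.exe" render as "invoiceexe.pdf".
    if RTL_OVERRIDE in filename:
        reasons.append("right-to-left override in file name")

    return Verdict(filename, bool(reasons), reasons)


# Constructed sample attachments for the demonstration (not real malware).
SAMPLES = {
    "Invoice_2023.pdf": b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n",
    "Invoice_2023.pdf (disguised)": b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff",
    "Contract.pdf.exe": b"MZ\x90\x00\x03\x00\x00\x00",
    "photos.zip": b"PK\x03\x04\x14\x00\x00\x00",
}


def scan_samples() -> dict:
    """Run the check over the constructed samples and map each name to its Verdict."""
    results = {}
    for label, data in SAMPLES.items():
        # The "(disguised)" label is only for display; the name seen by the user is Invoice_2023.pdf.
        filename = label.split(" ")[0]
        results[label] = inspect_attachment(filename, data)
    return results


if __name__ == "__main__":
    for label, verdict in scan_samples().items():
        status = "SUSPICIOUS" if verdict.suspicious else "ok"
        print(f"{label:32} {status:11} {'; '.join(verdict.reasons)}")
```

The check is cheap and deterministic, so it belongs at the gateway rather than on the user’s judgement; a file that fails it can be quarantined before the “PDF” ever reaches a mailbox.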
While all three channels have been successfully restored, Sebastian still took some time to reflect on Google’s one-email response regarding the attack:
“Other than [saying] ‘We’re aware and working on it,’ the internal team doesn’t seem to even be allowed to communicate with creators directly. They figured out that the attack came from one of our non-video production teams pretty quickly and banned that Google Workspace account almost immediately. But even a quick ‘Hey, I know you’re stressed, here’s what’s going on, and here’s how we can keep this from spreading’ would almost certainly have calmed my nerves and saved all of us some work by keeping TechLinked and Techquickie in our hands.”
He also took the opportunity to suggest ways these kinds of attacks could be prevented in the future. For instance, he said it would be great to have more security options around specific channel attributes, as well as some kind of verification procedure in case somebody tries to delete a large number of videos. He also suggested that YouTube should require users to re-authenticate when they change location, change the YouTube channel name, or delete video content.
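The suggestions above amount to a step-up authentication policy: a session cookie is enough for routine actions, but renaming a channel, bulk-deleting videos, or acting from a new location requires a fresh proof of password plus MFA, which a thief holding only the cookie cannot supply. The following is an added example (not YouTube’s or Linus Media Group’s code) of such a policy as a small authorization function; the action names, thresholds and the idea of tracking a login country on the session are assumptions for the demonstration.

```python
from dataclasses import dataclass
from enum import Enum

REAUTH_WINDOW_SECONDS = 10 * 60   # how long a fresh re-authentication stays valid (assumed value)
BULK_DELETE_THRESHOLD = 5         # deleting this many videos in one request needs step-up (assumed value)
# Actions that always require a recent re-authentication (hypothetical action names).
ALWAYS_SENSITIVE = {"rename_channel", "change_recovery_email", "add_channel_manager"}


class Decision(Enum):
    ALLOW = "allow"
    REAUTH_REQUIRED = "reauth_required"
    DENY = "deny"


@dataclass
class Session:
    user: str
    authenticated_at: float   # when the user last proved password + MFA at login
    last_reauth_at: float     # last successful step-up; equals authenticated_at right after login
    origin_country: str       # country observed at login, used to spot a cookie replayed from elsewhere
    revoked: bool = False


@dataclass
class Request:
    action: str               # e.g. "view_analytics", "rename_channel", "delete_videos"
    country: str              # country the request arrives from
    video_count: int = 0      # only meaningful for delete_videos


def is_sensitive(req: Request) -> bool:
    """Decide whether an action needs a fresh re-authentication rather than just a valid cookie."""
    if req.action in ALWAYS_SENSITIVE:
        return True
    if req.action == "delete_videos" and req.video_count >= BULK_DELETE_THRESHOLD:
        return True
    return False


def authorize(session: Session, req: Request, now: float):
    """Return (Decision, reason). A stolen cookie never gets past REAUTH_REQUIRED on its own."""
    if session.revoked:
        return Decision.DENY, "session revoked"
    if req.country != session.origin_country:
        # The cookie is being presented from somewhere other than where the login happened.
        return Decision.REAUTH_REQUIRED, "location changed since login"
    if is_sensitive(req) and now - session.last_reauth_at > REAUTH_WINDOW_SECONDS:
        return Decision.REAUTH_REQUIRED, f"{req.action} requires a fresh re-authentication"
    return Decision.ALLOW, "ok"


def record_reauth(session: Session, now: float) -> None:
    """Call only after the user has re-entered password + MFA; opens the step-up window."""
    session.last_reauth_at = now


def revoke_all_sessions(sessions: list) -> int:
    """Incident response: invalidate every session for a user so stolen cookies stop working."""
    for s in sessions:
        s.revoked = True
    return len(sessions)


if __name__ == "__main__":
    # Constructed walk-through: login at t=1000, then a stolen cookie used at t=5000.
    s = Session("creator", authenticated_at=1000, last_reauth_at=1000, origin_country="CA")
    print(authorize(s, Request("view_analytics", "CA"), now=5000))                  # allowed
    print(authorize(s, Request("delete_videos", "CA", video_count=50), now=5000))   # step-up needed
    print(authorize(s, Request("rename_channel", "CA"), now=1300))                  # allowed, within window
    print(authorize(s, Request("view_analytics", "RU"), now=1100))                  # location changed
```

The important property is that `record_reauth` is only ever reached through a real password-plus-MFA prompt, so a cookie stolen by malware can read analytics but cannot rename a channel or wipe its library without the account owner’s involvement.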
According to The Verge, YouTube spokesperson Elena Hernandez said in a statement that their team investigated the issue and worked with Linus’s team to restore the account.
While Linus’s channels were all restored, the company experienced a substantial revenue loss while the videos were offline. Sebastian also explained that the team’s disaster response processes need to improve, because he realized he wasn’t able to reset the passwords and access controls across the channels.
Since these kinds of breaches have been happening quite frequently for some time now, YouTube should most certainly create a stronger guardian system and implement all of Sebastian’s suggestions. Hopefully, YouTube will come up with some even more effective ideas on how to stop these breaches and keep things under control.