YouTube creators can’t seem to get a break: if it’s not the video giant itself making life complicated for them with its policies, then it’s a plain old massive security breach.
ZDNet has been able to confirm the news of a security event that reportedly could potentially be affecting all of the platform’s 23 million creators.
Google, the owner of YouTube, was yet to issue an official statement at the time of the reporting. Forbes, however, said ZDNet’s confirmation of “a highly coordinated and massive attack” that took place during the weekend came from “a member of an internet forum with a history of trading access to hacked accounts.”
This anonymous source is quoted as saying that “a real nice database” had appeared on the black market, that was making the cyber thieves a lot of money.
The hack, a phishing effort, resulted in preventing creators from accessing their own channels, and although apparently targeting those covering cars and other influencers, seems to have produced victims across the board, including tech, music, and gaming channels.
According to these reports, the attackers managed to gain login information from creators by directing them to fake Google pages that gave the hackers access to some highly valuable YouTube accounts, while leading their real owners and subscribers to think the channels had been deleted.
Two-factor authentication (2FA) was also apparently of little use, as the attackers appear to have employed “a reverse proxy toolkit, such as the popular Modlishka phishing package, to intercept 2FA codes sent using SMS.”
Forbes spoke with Phishing Tackle’s CEO James Houghton, who stressed that regardless of the complexity and the coordinated nature of the attack, it was humans and their poor judgment, digital security-wise, that allowed it to happen.
“This attack relies on an individual clicking and following a click before checking the basics,” the security company’s CEO said.
Another expert, ESET’s Jake Moore, advised inspecting the link shown in the body of an email to make sure it was genuine – “or even questioning why you have been sent it in the first place should be enough to pause your actions.”
And even if it didn’t seem to offer sufficient protections in every scenario in this particular security event, 2FA is still recommended as a sound security practice – but provided it is implemented via “authenticator apps rather than a code sent over SMS.”
In the meantime, YouTube creators who are affected by the attack can sign into the Google Account Recovery page and try to salvage their channels from there.