YouTubers hit with security breaches and account takeovers

Load web pages faster. Stay private. Block ads. Get Brave For Free

YouTube creators can't seem to get a break: if it's not the video giant itself making life complicated for them with its policies, then it's a plain old massive security breach.

ZDNet has been able to confirm the news of a security event that reportedly could potentially be affecting all of the platform's 23 million creators.

Google, the owner of YouTube, was yet to issue an official statement at the time of the reporting. Forbes, however, said ZDNet's confirmation of “a highly coordinated and massive attack” that took place during the weekend came from “a member of an internet forum with a history of trading access to hacked accounts.”

This anonymous source is quoted as saying that “a real nice database” had appeared on the black market, that was making the cyber thieves a lot of money.

The hack, a phishing effort, resulted in preventing creators from accessing their own channels, and although apparently targeting those covering cars and other influencers, seems to have produced victims across the board, including tech, music, and gaming channels.

According to these reports, the attackers managed to gain login information from creators by directing them to fake Google pages that gave the hackers access to some highly valuable YouTube accounts, while leading their real owners and subscribers to think the channels had been deleted.

Start and monetize your own website:
In 30 minutes or less. Build your part of the internet. Today: Free domain name for Reclaim readers. Learn how.

Two-factor authentication (2FA) was also apparently of little use, as the attackers appear to have employed “a reverse proxy toolkit, such as the popular Modlishka phishing package, to intercept 2FA codes sent using SMS.”

Forbes spoke with Phishing Tackle's CEO James Houghton, who stressed that regardless of the complexity and the coordinated nature of the attack, it was humans and their poor judgment, digital security-wise, that allowed it to happen.

“This attack relies on an individual clicking and following a click before checking the basics,” the security company's CEO said.

Another expert, ESET's Jake Moore, advised inspecting the link shown in the body of an email to make sure it was genuine – “or even questioning why you have been sent it in the first place should be enough to pause your actions.”

And even if it didn't seem to offer sufficient protections in every scenario in this particular security event, 2FA is still recommended as a sound security practice – but provided it is implemented via “authenticator apps rather than a code sent over SMS.”

In the meantime, YouTube creators who are affected by the attack can sign into the Google Account Recovery page and try to salvage their channels from there.

Use The Fastest Browser That Doesn’t Track You

Blocks ads. Blocks tracking. Keeps you and your data private. Free and open source. Up to 8 times faster page loads than Chrome and Safari. Join the Brave revolution today.

Use Brave To Browse The Web Faster, In Private

Didi Rankovic

Didi Rankovich is an experienced online journalist, editor, and translator, with a career spanning over ten years writing for major a English-language website in Serbia, and previously working as translator for international organizations and peacekeepers in the Balkans. Rankovich is passionate about free and open source tech and is a head contributor for Reclaim The Net, focusing on lead stories. [email protected]