{"video_id":"xu2Mu7t7Gi4","title":"Why YouTubers Are Getting Hacked","channel":"Techquickie","show":"Techquickie","published_at":"2023-05-05T14:58:16Z","duration_s":313,"segments":[{"start_s":0.0,"end_s":4.48,"text":"If you're a regular viewer, you probably know we got hacked recently with the tech","speaker":null,"is_sponsor":0},{"start_s":4.48,"end_s":9.84,"text":"quickie videos you know and love replaced by everyone's favorite streams operated by crypto","speaker":null,"is_sponsor":0},{"start_s":9.84,"end_s":15.28,"text":"scammers. Oh boy. Over on our sister channel Linus Tech Tips, we have a video detailing exactly","speaker":null,"is_sponsor":0},{"start_s":15.28,"end_s":20.4,"text":"what happened, but the upshot is that a compromised email attachment stole session tokens from a","speaker":null,"is_sponsor":0},{"start_s":20.4,"end_s":25.04,"text":"computer here at the office, basically the part of a web browser cookie that tells a website that","speaker":null,"is_sponsor":0},{"start_s":25.12,"end_s":30.24,"text":"you're logged in. Cookie theft often allows an attacker to access accounts without knowing the","speaker":null,"is_sponsor":0},{"start_s":30.24,"end_s":36.08,"text":"password and it's become a relatively common way for YouTubers to get hacked. But why is it so easy?","speaker":null,"is_sponsor":0},{"start_s":36.08,"end_s":40.88,"text":"Before we dive into the answer, we'd like to thank fellow YouTuber Theo Joe for his thoughts on the","speaker":null,"is_sponsor":0},{"start_s":40.88,"end_s":45.6,"text":"situation. Go and check out his channel when you're done watching this. The reason why so many","speaker":null,"is_sponsor":0},{"start_s":45.6,"end_s":51.2,"text":"YouTubers have gotten hacked recently boils down to a trade-off between convenience and security.","speaker":null,"is_sponsor":0},{"start_s":51.2,"end_s":55.52,"text":"You see, YouTube along with basically any other website that requires you to log in","speaker":null,"is_sponsor":0},{"start_s":55.52,"end_s":62.0,"text":"can ask you for your credentials at any time, but it's how often they decide to do this or not","speaker":null,"is_sponsor":0},{"start_s":62.0,"end_s":66.96,"text":"do this. That can mean the difference between you staying safe and getting hacked. Here's what I","speaker":null,"is_sponsor":0},{"start_s":66.96,"end_s":72.32,"text":"mean. Although it would be extremely annoying for YouTube to ask us for our password every time we","speaker":null,"is_sponsor":0},{"start_s":72.32,"end_s":78.0,"text":"try to do something simple like upload a video or change a thumbnail, it might behoove YouTube to","speaker":null,"is_sponsor":0},{"start_s":78.0,"end_s":83.68,"text":"ask for passwords when making a major modification such as, I don't know, changing the name of the","speaker":null,"is_sponsor":0},{"start_s":83.68,"end_s":89.6,"text":"channel, which Google doesn't do consistently. Another potential red flag that YouTube could","speaker":null,"is_sponsor":0},{"start_s":89.6,"end_s":95.2,"text":"pay attention to is when the IP address of the logged in computer changes. Although there are","speaker":null,"is_sponsor":0},{"start_s":95.2,"end_s":100.56,"text":"totally innocent reasons for this to happen, such as taking your laptop on a trip or logging in to","speaker":null,"is_sponsor":0},{"start_s":100.56,"end_s":106.72,"text":"a VPN or your ISP just reassigning you a new one, it could also be because an attacker has stolen","speaker":null,"is_sponsor":0},{"start_s":106.72,"end_s":111.36,"text":"your cookie and is now logged in from elsewhere. But it doesn't appear that Google consistently","speaker":null,"is_sponsor":0},{"start_s":111.36,"end_s":116.24,"text":"asks you for your password again in this situation either. These are fairly simple precautions,","speaker":null,"is_sponsor":0},{"start_s":116.24,"end_s":121.52,"text":"so it's a bit of a mystery why Google doesn't already pick them. But if we had to guess,","speaker":null,"is_sponsor":0},{"start_s":121.52,"end_s":125.44,"text":"which we'll be doing since YouTube didn't get back to us when we reached out for comment,","speaker":null,"is_sponsor":0},{"start_s":125.44,"end_s":130.08,"text":"it's likely to cut down on how often creators are asked to punch in their credentials,","speaker":null,"is_sponsor":0},{"start_s":130.08,"end_s":135.52,"text":"which can be annoying. But even if you agree that YouTube has struck the right balance between","speaker":null,"is_sponsor":0},{"start_s":135.52,"end_s":141.28,"text":"security and usability, there are still more ways they can prevent these attacks after the","speaker":null,"is_sponsor":0},{"start_s":141.28,"end_s":146.56,"text":"hacker has gotten the password. Strengthening two-factor authentication should also be high","speaker":null,"is_sponsor":0},{"start_s":146.56,"end_s":150.48,"text":"on Google's list of security priorities. Although YouTube and other Google services","speaker":null,"is_sponsor":0},{"start_s":150.48,"end_s":157.28,"text":"obviously support 2FA already, you aren't asked to re-verify on your two-factor device on a computer","speaker":null,"is_sponsor":0},{"start_s":157.28,"end_s":162.48,"text":"you're already logged into, meaning that if a rogue file attachment contains a keylogger,","speaker":null,"is_sponsor":0},{"start_s":162.48,"end_s":166.88,"text":"the attacker can just re-enter your password onto your stolen session with a good chance","speaker":null,"is_sponsor":0},{"start_s":166.88,"end_s":172.4,"text":"they won't be asked for that second factor that only you have. It's like having a guard dog that's","speaker":null,"is_sponsor":0},{"start_s":172.4,"end_s":179.2,"text":"just sleeping on the job. What do guard dogs dream of? To be fair to Google, they do have","speaker":null,"is_sponsor":0},{"start_s":179.2,"end_s":184.56,"text":"a more advanced tool called Context Aware Access for enterprise users that allows the","speaker":null,"is_sponsor":0},{"start_s":184.56,"end_s":189.52,"text":"whitelisting of only certain IP addresses which prevents a faraway attacker from logging in","speaker":null,"is_sponsor":0},{"start_s":189.52,"end_s":194.88,"text":"even if they have all your credentials. But the problem is that only specific Google apps such","speaker":null,"is_sponsor":0},{"start_s":194.88,"end_s":200.64,"text":"as Drive and Gmail support it. You can't lock down an entire account that way, so it does nothing","speaker":null,"is_sponsor":0},{"start_s":200.64,"end_s":205.2,"text":"for YouTubers trying to protect against a hack. And speaking of locking down accounts, perhaps the","speaker":null,"is_sponsor":0},{"start_s":205.2,"end_s":210.72,"text":"biggest elephant in the room is that regardless of what security measures YouTube offers, Google","speaker":null,"is_sponsor":0},{"start_s":210.72,"end_s":216.24,"text":"doesn't seem to be proactive with how they respond when channels are hacked, instead relying on the","speaker":null,"is_sponsor":0},{"start_s":216.24,"end_s":222.32,"text":"creators themselves to notify them of a problem. This is even true if you have millions of subscribers","speaker":null,"is_sponsor":0},{"start_s":222.32,"end_s":227.92,"text":"and you think as big as Google is, they'd have some kind of algorithm to detect when major channels","speaker":null,"is_sponsor":0},{"start_s":227.92,"end_s":233.92,"text":"might be compromised. Of course, we do recognize that Google has a tough job deciding how to strike","speaker":null,"is_sponsor":0},{"start_s":233.92,"end_s":239.04,"text":"that balance between usability and security, and our reps at YouTube have been good to us.","speaker":null,"is_sponsor":0},{"start_s":239.04,"end_s":243.84,"text":"But there's always room for improvement, including with our security practices here at LMG. Hopefully","speaker":null,"is_sponsor":0},{"start_s":243.84,"end_s":248.24,"text":"this video has shed some light on why these attacks are happening with more frequency, and we also","speaker":null,"is_sponsor":0},{"start_s":248.24,"end_s":254.32,"text":"hope this is the last time this channel is used as a conduit for crypto scams. We've all lived through","speaker":null,"is_sponsor":0},{"start_s":254.32,"end_s":257.44,"text":"enough of those already. Yeah, that's awesome. So thanks for watching guys. If you liked this","speaker":null,"is_sponsor":0},{"start_s":257.44,"end_s":262.24,"text":"video, hit like, hit subscribe, and hit us up in the comment section with your ideas for topics","speaker":null,"is_sponsor":0},{"start_s":262.24,"end_s":265.92,"text":"that we should cover in the future. We were hacked!","speaker":null,"is_sponsor":0}],"full_text":"If you're a regular viewer, you probably know we got hacked recently with the Techquickie videos you know and love replaced by everyone's favorite streams operated by crypto scammers. Oh boy. Over on our sister channel Linus Tech Tips, we have a video detailing exactly what happened, but the upshot is that a compromised email attachment stole session tokens from a computer here at the office, basically the part of a web browser cookie that tells a website that you're logged in. Cookie theft often allows an attacker to access accounts without knowing the password and it's become a relatively common way for YouTubers to get hacked. But why is it so easy? Before we dive into the answer, we'd like to thank fellow YouTuber Theo Joe for his thoughts on the situation. Go and check out his channel when you're done watching this. The reason why so many YouTubers have gotten hacked recently boils down to a trade-off between convenience and security. You see, YouTube along with basically any other website that requires you to log in can ask you for your credentials at any time, but it's how often they decide to do this or not do this. That can mean the difference between you staying safe and getting hacked. Here's what I mean. Although it would be extremely annoying for YouTube to ask us for our password every time we try to do something simple like upload a video or change a thumbnail, it might behoove YouTube to ask for passwords when making a major modification such as, I don't know, changing the name of the channel, which Google doesn't do consistently. Another potential red flag that YouTube could pay attention to is when the IP address of the logged in computer changes. Although there are totally innocent reasons for this to happen, such as taking your laptop on a trip or logging in to a VPN or your ISP just reassigning you a new one, it could also be because an attacker has stolen your cookie and is now logged in from elsewhere. But it doesn't appear that Google consistently asks you for your password again in this situation either. These are fairly simple precautions, so it's a bit of a mystery why Google doesn't already pick them. But if we had to guess, which we'll be doing since YouTube didn't get back to us when we reached out for comment, it's likely to cut down on how often creators are asked to punch in their credentials, which can be annoying. But even if you agree that YouTube has struck the right balance between security and usability, there are still more ways they can prevent these attacks after the hacker has gotten the password. Strengthening two-factor authentication should also be high on Google's list of security priorities. Although YouTube and other Google services obviously support 2FA already, you aren't asked to re-verify on your two-factor device on a computer you're already logged into, meaning that if a rogue file attachment contains a keylogger, the attacker can just re-enter your password onto your stolen session with a good chance they won't be asked for that second factor that only you have. It's like having a guard dog that's just sleeping on the job. What do guard dogs dream of? To be fair to Google, they do have a more advanced tool called Context Aware Access for enterprise users that allows the whitelisting of only certain IP addresses which prevents a faraway attacker from logging in even if they have all your credentials. But the problem is that only specific Google apps such as Drive and Gmail support it. You can't lock down an entire account that way, so it does nothing for YouTubers trying to protect against a hack. And speaking of locking down accounts, perhaps the biggest elephant in the room is that regardless of what security measures YouTube offers, Google doesn't seem to be proactive with how they respond when channels are hacked, instead relying on the creators themselves to notify them of a problem. This is even true if you have millions of subscribers and you think as big as Google is, they'd have some kind of algorithm to detect when major channels might be compromised. Of course, we do recognize that Google has a tough job deciding how to strike that balance between usability and security, and our reps at YouTube have been good to us. But there's always room for improvement, including with our security practices here at LMG. Hopefully this video has shed some light on why these attacks are happening with more frequency, and we also hope this is the last time this channel is used as a conduit for crypto scams. We've all lived through enough of those already. Yeah, that's awesome. So thanks for watching guys. If you liked this video, hit like, hit subscribe, and hit us up in the comment section with your ideas for topics that we should cover in the future. We were hacked!"}