YouTuber acount hacked and turned into "Tesla"

[Captain Gecko]

Summary

 

 Paul Hibbert, A well known youtuber in the smart home scene had his accounts hacked and his youtube channel turned into "Tesla" , despite having 2FA enabled.

 

Quotes

Quote

In case you hadn't noticed I became Elon Musk for a couple of days flogging crypto, I can't explain in words how upsetting it was to watch 6 years of work disappear and take my livelihood with it

Quote

My videos are back, but I've sadly lost 2000 subscribers, all my memberships, any ad revenue for the last 2 days, a couple nights sleep and I've probably lost a lot of ground on the old algorithm

My thoughts

Yet another Youtubers account hacked and made into a scammiong account (Fake Tesla). As mentioned in the linked video, Paul had 2FA enabled, and unfortunatley it, and youtube failed to protect him. The scammers used a well known upcoming video game and pretended to be a sponsor, unfotunatley Paul fell for their scam, opened a file that although he thought was a bit sus, and passed a virus check, beleived it to be genuine and clicked it. He has managed to gain his channel and account back, however has lost quite a few subscribers and ad revenue. Youtube really need to prevent this in the future, relying only on 2FA is not safe.

 

Sources

 

[SansVarnic]

@Captain Gecko Please update yout topic to meet the guidelines.

Quote

• Your thread must include a link to at least one reputable source. Most of the time, this should be a respected news site.

YT video from the party affected is not meeting that pre-requisite.

[da na]

"Youtube needs to prevent this" you said? It's not YouTube's fault. 

I feel bad for the guy, I recently went through something similar myself but the blame doesn't fall on YouTube here.

[SorryBella]

10 minutes ago, Captain Gecko said:

youtube failed to protect him

Then you dont understand authentication. Im not a bootlicking corpo but account security largely falls under your responsibility.

[Helpful Tech Witch]

6 minutes ago, SorryClaire said:

Then you dont understand authentication. Im not a bootlicking corpo but account security largely falls under your responsibility.

uh... what?
Its youtubes fault if someone has their account hacked? Like explain to me your thought process for that while I go make popcorn, because thats gonna be a fun read.

[manikyath]

there's a BUNCH of youtubers that got hit with this, including barnacules.

 

also, having MFA enabled is only as good as the MFA implementation and the person using it. if you're the sort of person blindly mashing yes on your MFA, it  has no use. likewise if the google account on your MFA device is the same as the youtube account, it is likely both can be compromised simultaniously.

 

from what i've heard about this, despite being rather slow (taking about 2 weeks to process things all the way back to where they should be) youtube is actually VERY active in recovering stolen accounts, and their original content.

 

in a sense.. there's nothing youtube can do that wouldnt cause widespread outrage over false positives. security of the hands is in the hands of the users.

[wanderingfool2]

5 hours ago, Helpful Tech Witch said:

uh... what?
Its youtubes fault if someone has their account hacked? Like explain to me your thought process for that while I go make popcorn, because thats gonna be a fun read.

Well I mean he's pretty much saying the user was at fault...after all, Google can't really have a way to prevent someone using the computer of the youtube channel to make changes to the channel.  The guy literally double clicked on a scr file that which took control of all the current youtube sessions he had open.

 

With that said, I think what YouTube should do.  If 2FA is enabled, verify by text before permitting a change to the channel name (that would stop a bulk of things happening)...and by this date and time have a bot that detects someone changing their account to Tesla and deleting massive amounts of videos.  I mean, it's a bit ridiculous that I get presented by "Tesla" or "SpaceX" live streams on a daily basis that are clearly scams (and some even last for hours).

 

I do think the user is at fault ultimately, but at the same time companies like YouTube really need to step up their game in preventing this.

[airborne spoon]

so basically he opens a file that is clearly not legitimate and then his stuff gets hacked and somehow he is surprised

 

Like damn even my grandma (silent generation) is smart enough to not click on shit like that and yeah i do get a picture text about once a month asking to verify if something is sus or not. but damn this millennial should know better

[Monkey Dust]

On 2/5/2023 at 12:14 AM, manikyath said:

also, having MFA enabled is only as good as the MFA implementation and the person using it. if you're the sort of person blindly mashing yes on your MFA, it  has no use. likewise if the google account on your MFA device is the same as the youtube account, it is likely both can be compromised simultaniously.

If you are using an authenticator such as Google authenticator or Authy, it really shouldn't be possible to gain access to the 2FA app. Even if you have control of the Gmail account associated with the phone it is installed on.

 

From his description, it appears that it was able to clone the browser tabs, and the hackers were able to change his login details from there. I'd argue it is partly Google's fault, as why were the hackers able to change the 2FA settings without access to the original 2FA?

 

I think an LTT video on personal cybersecurity, pitched at the ordinary users and their fellow creators, rather than high threat people such as journalists, would be a very good thing. How many people watching LLT still use SMS 2FA? Or even worse, no 2FA? Using the Gmail account for your Android phone and YouTube, or your Microsoft account as your primary email address? All of us could probably do more to protect ourselves.

[TetraSky]

Seen other youtubers get hit with this. 

Even big streamers like Valkyrae became "Tesla" a few weeks ago. But she has a lot more sway with youtube and got her account back within hours.

[Isuck Assimov]

That's pretty embarassing for him.

Really no one but the user to blame if they fall for phishing scams.

No clue why you would blame youtube for human user error.
 

[Avocado Diaboli]

16 minutes ago, Assimov said:

Really no one but the user to blame if they fall for phishing scams.

So the scammers themselves are not to blame?

[Isuck Assimov]

48 minutes ago, Avocado Diaboli said:

So the scammers themselves are not to blame?

I mean there are tons of different actors involved, you could also mention the ISP or mail provider, but none of these really have much influence or incentive when it comes to combat phishing.

In this the case the user is the point where you can adjust your policy towards for example opening mail attachements on your main PC, there doesnt seem to be much benefit in blaming actors whose actions you cannot influence.

So just to be clear, when i say i put all the blame on the user i mean that's pretty much the only point in all of this where influential action against scams can and SHOUD be taken.

[WildDagwood]

On 2/4/2023 at 7:12 PM, Helpful Tech Witch said:

uh... what?
Its youtubes fault if someone has their account hacked? Like explain to me your thought process for that while I go make popcorn, because thats gonna be a fun read.

Majority of account compromises are from user error (same in this case).

 

Think the problem is when people see "account hacked" they assume it was some kind of brute force method, when in reality a user did something they shouldn't have.

 

Edit: Misread the comment/stance at the time

[Donut417]

On 2/4/2023 at 6:57 PM, Captain Gecko said:

Yet another Youtubers account hacked and made into a scammiong account (Fake Tesla). As mentioned in the linked video, Paul had 2FA enabled, and unfortunatley it, and youtube failed to protect him.

This was part of the Last Pass hack. Last Pass encouraged people to put their 2FA recovery keys in their vault. Has nothing to do with YouTube. Many creators were hacked. 

[Dillpickle23422]

If this was YouTube's fault, we might as well blame the manufacture of the mouse for allowing him to click the link! If Youtube had leaked his information, I'd blame them. However, that's not the case. I'm incredibly tired of seeing people complain about being hacked, when their password is the same everywhere, and is just "Password1234". MFA won't save you if the password to whatever controls the MFA is the same. I see this a lot on social media (ahem... facebook) where people are like "oops I got hacked" and don't do a damn thing about it, and blame (insert social media) for allowing them to fall victim to a phishing scam.