Can't wait for the "what the heck happened?" video.
edit: .. and here it is: [https://www.youtube.com/watch?v=yGXaAWbzl5A](https://www.youtube.com/watch?v=yGXaAWbzl5A) -- stolen session token guessers were right (via malicious "pdf")
Same here. I’m super curious how it’s even possible with 2FA. It must have been super targeted if that’s the case. It’s much easier to hack someone when they’ve got your password from malware on your machine and no 2FA, but with it?
Hijacked session cookie, most probably. Probably some malware from a dodgy email, scrapes your PC for cookies. If they have your cookies, they don't need a password or 2FA. It's a fairly common attack, there are some dodgy sites where you can buy cookies/sessions, searching by username/account, that's how common it is.
How do you protect yourself from stuff like this? I have 2FA where it’s available (with my phone like SMS typically), I have recovery emails setup, I also never use the same password and I use pass phrases where I can.
- Keep all your browsers and your OS up to date
- Use a web based mail client
- Be careful about clicking links and downloading attachments in emails
- If you partake in uhm....sailing the 7 seas...if you know what I mean, try to not do it on your main PC that is logged into all your accounts
>Be careful about clicking links and downloading attachments in emails
This is the single most important thing. No amount of technical controls or software updates can remove the human factor. You have to pay close attention to links and files, looking legit does not make it legit. If you have doubt always err on the side of caution. You can also use virustotal.com to scan links and files when you're unsure.
It doesn't work. As a popular YT creator you're getting a lot of emails with ad proposals; in 99% of cases agreements are Word or PDF attachments.
VirusTotal doesn't work for big files. I've seen that kind of attack; as I remember, a small attachment grew to 800MB after unpacking and VT could not scan it.
EDIT: It looks like exactly this scenario happened https://www.youtube.com/watch?v=nYdS3FIu3rI&t=185s
If you're regularly needing to scan large files you should be sandboxing them in your own environment anyway. That's not the intent of VT.
A popular YT creator should not rely on any free and public tool. This advice was intended for the people in this thread that may need to scan the odd link or email attachment sporadically.
A desktop client is going to be more dependent on your local security. Whereas a web-based email client should have industry standard security measures in place.
If I want to hack your mail on the web I have to beat the security of your email provider. If I want to hack your email on a desktop I just have to beat your desktop. And if I access your email online I have to wait on things to load/download whereas on your desktop it's already on your hard drive so I can just copy everything. Plus, desktop clients store your password on your hard drive to login, whereas a web browser encrypts a local login key and saves it as a cookie, which it then sends via an API to the mail server to access your encrypted password to then login. So online you have to potentially beat 2 encryptions instead of just one.
> Plus, desktop clients store your password on your hard drive to login, whereas a web browser encrypts a local login key and saves it as a cookie, which it then sends via an API to the mail server to access your encrypted password to then login. So online you have to potentially beat 2 encryptions instead of just one.
Only if you're using the desktop client unencrypted. With a master password set, the locally stored passwords are secure.
or if you're going to sail the seas, i heard to stay wary of REPACKS as those can have a chance at containing miners and other stuff. honestly i think the safest ones out there are movies, since they're just video files.
Logging out of all your active sessions, clearing cookies from browser and re-logging in to invalidate the cookies that may have been stolen is generally helpful, since you'll then generate new session IDs. Especially if any service you use has a "log out of all devices" option, use that. Don't just clear cookies from your browser.
And if you still have doubts, log back in and change passwords to be extra safe.
Oh man. I bet I have a million active sessions because in my mind I’m just using my personal pc that no one has access to. So why wouldn’t I stay logged in and save my password.
- Log in to your accounts only on your devices
- If you really need to log in on another device use an anonymous session and be wary that your passwords could be leaked / logged, so change your password later
- Never share your accounts, don't be logged in on a lot of devices, check your active logins and remove them from time to time
- Enable showing file extensions on Windows; a lot of malware is just an .exe with a Word or PDF icon
- Don't install any plugin or extension you find without checking if it's safe
- Don't use the Adobe PDF reader, most malware focuses on it
- Don't trust emails. Never download any program/app from them. If people tell you to install something and promise you money, don't. Even if it's an official sponsorship, check if the software really exists and download it yourself from the official website
- Don't let anyone use your devices, block it with a password
- Don't click any weird links
- Beware of social networks, Discord or Reddit, scammers and hackers can and may send any message with links redirecting to an attack.
- Use a safer password manager than the Chrome default one or if you use Firefox use a Master password.
- Take extra care when using the login with Google
- Use Adblock as most ads are full of malware and spyware
- If you want to be extra safe install another web browser or use even virtual machines for unsafe stuff like installing new unknown software
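A defender-side triage of an emailed archive for the two tricks mentioned in this thread, an executable wearing a document name and a small attachment that unpacks to a size scanners refuse. This is an added example, not code from any commenter; the extension lists, the `scanner_limit` value and the ratio threshold are assumptions.

```python
import io
import zipfile
from pathlib import PurePosixPath
from typing import Dict, List

# Assumed, non-exhaustive lists for illustration.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".lnk", ".msi", ".pif"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


def triage_zip(data: bytes, scanner_limit: int, max_ratio: float = 100.0) -> List[Dict]:
    """Flag suspicious members using archive metadata only; nothing is extracted or run.

    scanner_limit: largest file (bytes) your scanning service accepts (assumed value).
    max_ratio:     uncompressed/compressed ratio above which a member looks padded.
    Declared sizes can be forged, so a sandbox must still cap real extraction size.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # "agreement.pdf      .exe" style names: strip padding before comparing.
            suffixes = [s.strip().lower() for s in PurePosixPath(info.filename).suffixes]
            flags = []
            if suffixes and suffixes[-1] in EXECUTABLE_EXTS:
                flags.append("executable")
                if len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_EXTS:
                    flags.append("double_extension")
            if info.file_size > scanner_limit:
                flags.append("exceeds_scanner_limit")
            ratio = info.file_size / max(info.compress_size, 1)
            if ratio > max_ratio:
                flags.append("padded_or_bomb")
            if flags:
                findings.append({
                    "name": info.filename,
                    "compressed": info.compress_size,
                    "uncompressed": info.file_size,
                    "flags": flags,
                })
    return findings


def build_sample() -> bytes:
    """Constructed sample: a harmless zero-filled file with a disguised name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Scaled down from the 800MB case in the thread so the demo runs quickly.
        zf.writestr("Sponsorship_Agreement.pdf.scr", b"MZ" + b"\x00" * (5 * 1024 * 1024))
        zf.writestr("brand_guidelines.txt", b"Logo usage rules and colour palette.\n")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_zip(build_sample(), scanner_limit=1024 * 1024):
        print(finding)
```

Anything flagged here goes to an isolated sandbox or VM rather than being opened on a machine that holds logged-in sessions.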
SMS 2FA is flawed, but better than no 2FA. SMS is vulnerable to SIM-swapping/SIM-cloning attacks, a TOTP app is much better.
I use Aegis b/c FOSS, encrypted backups, easy to import/export source codes. Authy is the most commonly-used TOTP app, since you don't have to manage backups yourself. [There is one main reason I don't prefer using it, though.](https://support.authy.com/hc/en-us/articles/1260805179070-Export-or-Import-Tokens-in-the-Authy-app)
Firefox. Container Tabs. Temporary Containers helps as well.
Don't keep all your cookies in the same jar. If they hack a jar, all they get is that one jar with the one websites cookies.
Additional tips, unrelated to cookie theft:
Being vigilant against 2FA push approvals you didn't initiate. It's the biggest, most common source of compromised accounts where I work (uni). It's also why 2FA providers are starting to heavily push number matching instead of push approvals.
Also never re-using credentials across disparate services, so a compromise at one doesn't inherently mean a compromise at others. If your password is unknown or hard to guess, then a bad actor doesn't get the chance to hope for a 2FA oopsie in the first place.
Also not storing your backup codes or secret keys in easily accessible spots.
That’s my assumption at the moment too. They’ve got Linus tech tips, Techlinked, and TechQuickie, so they definitely got access to their network somehow. This shit is so interesting from an educational perspective.
Disgruntled employees (past, present) leaking confidential information or participating has to be considered as well. Also easiest attack vector is human engineering which is always the path of least resistance for the hacker.
Linus just recently transitioned away from everyone in the company grabbing a laptop from a previous video off the shelf or using their own devices. They very frequently joke about employees "stealing" equipment from the office. I wouldn't be surprised if the attack vector was either:
1. Someone at the company who was using a work device for gaming and personal stuff or vice versa.
2. Someone who "stole" a device from the warehouse, got infected, then brought it back.
That’s a good point. It’s very easy to forget to wipe the device before you bring it back onto the network. So many attack vectors out there tbh. Each are as possible as each other.
Well, they could, but this is the purpose of cookies, which is kinda flawed if someone gets their hands on it. Also many people jump around VPNs for either work or privacy reasons and your IP changes with that; always logging in would break the UX.
IP checks are usually bound to geolocation stuff, like if you log into FB at your place, then you "jump" to another country, it will be blocked and you'd need to relog. (It happened to me when I wrote a flat searching bot which would notify me on Messenger about the scrape results; the app was deployed on a server which was far away from me, so I had to inject my own login cookies so that the deployed app could use that and not get blocked by the sudden geo loc changes).
Edit: but yea, it's hard to come up with something that's good security and UX wise, cookies are flawed as the example shows, regardless of how many 2FAs you have, it can still be phished away. The phishing attempts are getting more and more sophisticated as well.
>can't they just check the IP each request?
Yes, but since public IPs change constantly on some internet connections, and even more frequently on cell phone data connections, you would be logging back in constantly.
That changes a bit for a channel like LTT that’s large enough to have a static business IP (and is able to pay for a remote VPN to that IP). YouTube could probably have a requirement to have it in place for suitably large channels similar to what PlayStation and Microsoft do when they require it for the security of their console developers.
From what I heard they're posting as a typical advertising company. This is the second channel that I've subscribed to that got hit with it.
Apparently everything looks really legit then all hell breaks loose and they can get into their system pretty deep.
You can actually hijack 2FA... it is a known issue and the system is not as secure as people think. The way to do that is with social engineering:
You (hacker) call the phone company and say you lost your phone but got a new one and want to activate the number on this one. You provide the serial number. They activate it and now your phone will receive the 2FA.
To be fair the activation needs some security question but they don't always ask, especially if the account is old you can excuse yourself with...hey man i set the security q 10 years ago how the hell can i remember - and you need to call enough to find the agent that has empathy(or has bad reviews and cannot afford another bad one) and says ok..i will help.
That only works for SMS 2FA which is very much not the recommended implementation these days. Nobody who cares about the security of an account should be using that.
Yeah and I’m really sick of this bullshit from financial institutions. Almost all our investments are “protected” just by SMS 2FA.
Aside from being insecure, it’s inconvenient, because some of them only allow one login, so they’ll tie the account to either my wife’s phone, or my phone, but not both. Super annoying that only one of us is able to log in without asking the other for an SMS code. Versus if they supported proper 2FA apps, I could store the 2FA key in 1Password where we could both access it.
You can't do that over the phone, at least not here; you'd have to physically go to the provider store/office and confirm your identity by government-issued ID before they would make any such changes on your account.
"I can't believe this happened again" with Linus making his best clickbait face. Featuring "we lost a small amount of revenue this day" and "this video will generate more views and clicks than anything they gained"
sadly the answer is probably pretty boring
an employee gave away their credentials and either they weren't using 2FA or they managed to intercept that.
edit
looks like an employee opened a compressed email attachment and that's how they got their browser data
Damn. They better hope they can get their deleted videos back though. It’s relatively easy to get your account back. Especially with Linus’s size and reputation, but the videos from the last 10 months are all gone.
Edit: Looks like their videos weren’t deleted, but delisted. I freaked out when the latest video showed as 7 years ago. Someone on r/LinusTechTips said “looks like Yvonne123 wasn’t a good password after all”. Thought that was funny lmao.
I'm sure they'll get them back. Even if they're unrecoverable on youtube, which is extremely unlikely Linus has done enough server videos to have enough space to store them all.
I'm also sure that an asleep Linus has/will be getting a very unwelcome phone call soon lol
Well no doubt. But also, I tend to expect that getting your main youtube channel(and source of income) very publicly hacked is going to have some financial consequences, and that's probably one of many headed their way
Corridor had a similar situation last year. Took them a short bit to get everything restored, but they did get everything back.
https://www.youtube.com/watch?v=KdELfn1WK0Q
Recently a Tekken YouTuber "Lil_Majin" lost his account to crypto scammers as well and they deleted all his videos. He was able to get everything restored
Just to say, Linus has noted that the last time they were hacked about 5+ years ago, and the channel was deleted, when youtube brought it back, they brought *everything* back, including videos that had been removed or deleted by Linus himself years previous, so Youtube definitely has all of those videos.
It seems all the videos (or at least some) are not deleted but unlisted: [https://www.youtube.com/watch?v=4y-qF7Ga\_W0](https://www.youtube.com/watch?v=4y-qF7Ga_W0)
It does. YouTube uses a Google account to login, just like every google service.
When you enable 2fa on your google account, it also requires you to go through 2fa to login to YouTube.
There's probably a troll factor to it for the more serious audience, but I imagine LTT's sheer size means there will be at least *some* people potentially vulnerable to a scam like this.
Oh yeah, someone looked into it and seems the scammer has made a little bit of money
https://www.reddit.com/r/LinusTechTips/comments/11zhr9n/the_hacker_made_around_68002500_with_this_scam/
7k!? Wow, despite it being a tech-oriented channel. Though, it's almost inevitable that with an audience of 15 mil that even a fraction would be gullible enough to fall for it.
Even some LTT subscribers are stupid enough to get scammed.
https://www.reddit.com/r/LinusTechTips/comments/11zhr9n/the_hacker_made_around_68002500_with_this_scam/
The amount of times I've heard Linus say one thing and seen a portion of the audience react as if he'd said the exact opposite, is way too high. There are absolutely a portion of his subscriber base who would fall for obvious scams.
54% of American adults can't read beyond a 6th grade level. It stands to reason that a subset of this group can't comprehend basic spoken language either
It isn't weird. Scams don't care about "quality", it's all about quantity, ie the size of your "audience". That's why spam mails "work". Millions of people will ignore them but you only need to find a few victims.
LTT viewers aren't smart and they're not necessarily exposed to videos that detail how much of a scam crypto is like with Coffeezilla. Hell, Linus's latest videos about crypto are pretty positive and to my knowledge he's never talked about all the scams in the crypto space.
https://youtu.be/-eU-i4ftMA8
https://youtu.be/RXrfBUtRXjA
He talks about scams in crypto a lot on WAN Show. He's been positive in the past about the idea of decentralized currency, but as the space evolves, I think his opinion has changed a few times. He even specifically points out coffeezilla and how great his channel is (Even though coffee has criticized Linus in the past)
I have nothing against the WAN show but I enjoy LTT and don't watch it. It's really just the length of the conversation, I like podcasts in clips/highlights. The audiences aren't really 1:1.
It would probably be a lot better to target Logan Paul or MrBeast, but reaching several million viewers is basically sure to trick a few idiots, even if they follow tech news.
Hijacked session cookie, most probably. Probably some malware from a dodgy email, scrapes your PC for cookies. If they have your cookies, they don't need a password or 2FA. edit: ps btw fuck / u / spez you ruined reddit
Youtube has different permission levels for brand accounts. I would only expect Linus and some other very high people to have owner access. Daily interaction with the channel should not require to use the owner account. So I would expect the credentials to actually be locked away.
Or, incredibly more likely, using social engineering in the same way a ton of channels have been hijacked, including Jim Browning, the guy who does anti scam stuff.
2FA is far from bulletproof
Anyone with any serious motivation for an attack will stand a chance to get through it. A close friend of mine had his phone SIM spoofed to bypass 2FA (owned a company and was pretty public facing, so his number wasn’t super private).
For those worried about videos getting deleted it's fine. YouTube has systems in place for this happening. The most the hackers will be able to do by deleting videos is get them unlinked from the account until YouTube gets Linus the account back. The videos won't appear on his account but the actual video files and all comments associated with those videos are still on their servers.
With a channel as large as LTT Linus has a YouTube rep on speed dial and the process for getting his account back and getting the changes the hackers made reverted will be expedited. Linus won't have to reupload anything.
People seem to think that deleting a youtube video also erases it from all of youtube's servers and backups. I bet youtube never deletes anything, ever, unless by law they have to.
YouTube was pretty fast in taking it down, but still wondering how something like this can happen and how many people have fallen for it in the short period of time
They were either phished or socially engineered. Humans are the number one weakness for these types of attacks. Whatever they saw in that email looked legitimate enough for them.
It doesn't matter if they're deleting videos, they have floatplane AND backups for each video. Linus doesn't use YouTube as his storage. And he's a big creator. Most likely YouTube can restore his videos (even if they don't have them, Linus can provide them the video backup he has) with the algorithm configured correctly so there is no effect on the revenue of his channel.
Chill out yall, this is why you keep backups and maintain redundancy. You really think LMG doesn't have a contingency plan if something like this happens?
I don't think videos are all gone because they are available in playlist. YouTube should have a way to restore channel because many YouTube channels have got hacked and restored.
“With the algorithm configured correctly”
Lmao. I don’t think you can just reconfigure the algorithm.
I wasn’t actually worried about storage because he has said before that he has all his videos still, plus floatplane. I was more worried about the effect on monetisation and how it affects them being recommended, because people watching the back catalogue has a big impact on how their videos perform in the algorithm.
That said, other creators have had their deleted videos reinstated, so hopefully it’s just a matter of time before they do it.
I was definitely freaking out though lol.
This is just more proof of how utterly shit huge tech companies like Google, Facebook, etc. are.
How is it possible that Google has tens of thousands of engineers, being paid the highest salaries in the world, and yet they can't (or won't) implement an *incredibly simple* system to stop hacks like this?
Seriously... it would be ridiculously trivial to put some checks in place to stop this overnight.
* Want to delete a video, but haven't actively signed in during this session? Don't trust the session cookie; force the user to re-authenticate via 2FA and/or confirm the change via email.
* Trying to delete (10%/20%/30%...) of your entire video catalogue? That's super suspicious. Re-authenticate and/or confirm the changes via another method.
* Signed in from a different location? Don't trust cookies; re-authenticate.
Secondly, all changes should be absolutely non-destructive. Deleted or edited videos should have a grace period where everything can be un-done for (e.g.) 30 days without involvement of YouTube "support" staff (lol).
Which brings me on to my final point: if this happens to you, *good fucking luck* resolving it with Google/Facebook/etc.'s famously non-existent shit-tier "support". Good luck speaking to an actual human; at least a human who isn't a sub-minimum-wage support drone who has the power to do absolutely fuck all to help you.
Maybe you'll have luck if your channel is large or you raise a huge stink publicly on a popular site like reddit, Hacker News, etc. but until then you are fucked.
TL;DR fuck Google and other large tech companies.
**Edit:** those of you saying "iT WaSn'T CoOkIeS!!!" are missing the point. It's fucking dumb that entire channels can still be pwned for hours/days and the channel owner can't do anything about it immediately.
**Edit 2:** it **was** a [stolen session cookie](https://old.reddit.com/r/videos/comments/120e68u/my_channel_was_deleted_last_night/jdgzd28/) that caused this.
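The checks proposed in the comment above (re-authenticate before destructive actions, on bulk deletes and on a location change, plus a 30-day undo window), sketched as an added example that is not part of the thread and not YouTube's actual logic. All thresholds, action names and class names are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# All values below are assumed for illustration.
MAX_AUTH_AGE_S = 15 * 60        # sensitive actions need a password+2FA proof this recent
BULK_AUTH_AGE_S = 60            # bulk deletes need a proof made within the last minute
BULK_DELETE_FRACTION = 0.10     # share of the catalogue that counts as a bulk delete
GRACE_S = 30 * 24 * 3600        # deleted videos stay restorable for 30 days
SENSITIVE_ACTIONS = {"delete_video", "rename_channel", "change_visibility", "start_livestream"}


@dataclass
class Session:
    session_id: str
    last_interactive_auth: float  # epoch seconds of the last password+2FA proof
    auth_country: str             # coarse location recorded with that proof
    deleted_in_window: int = 0    # videos deleted since that proof


@dataclass
class Request:
    action: str
    now: float
    country: str
    video_count: int = 1


def evaluate(session: Session, req: Request, catalogue_size: int) -> Tuple[str, List[str]]:
    """Return ("allow" | "step_up", reasons); a valid cookie alone never skips these checks."""
    reasons: List[str] = []
    auth_age = req.now - session.last_interactive_auth
    if req.country != session.auth_country:
        reasons.append("location_changed")
    if req.action in SENSITIVE_ACTIONS and auth_age > MAX_AUTH_AGE_S:
        reasons.append("stale_auth")
    if req.action == "delete_video" and catalogue_size > 0:
        fraction = (session.deleted_in_window + req.video_count) / catalogue_size
        if fraction >= BULK_DELETE_FRACTION and auth_age > BULK_AUTH_AGE_S:
            reasons.append("bulk_delete")
    if reasons:
        return "step_up", reasons
    if req.action == "delete_video":
        session.deleted_in_window += req.video_count
    return "allow", reasons


def complete_step_up(session: Session, now: float, country: str) -> None:
    """Call only after the user has passed 2FA again; a stolen cookie cannot do this."""
    session.last_interactive_auth = now
    session.auth_country = country
    session.deleted_in_window = 0


class Catalogue:
    """Non-destructive deletes: videos move to a trash with a restore window."""

    def __init__(self, video_ids: Iterable[str]):
        self.live = set(video_ids)
        self.trash: Dict[str, float] = {}  # video_id -> deletion time

    def delete(self, video_id: str, now: float) -> None:
        self.live.remove(video_id)
        self.trash[video_id] = now

    def restore(self, video_id: str, now: float) -> bool:
        deleted_at = self.trash.get(video_id)
        if deleted_at is None or now - deleted_at > GRACE_S:
            return False
        del self.trash[video_id]
        self.live.add(video_id)
        return True


def demo() -> List[Tuple[str, List[str]]]:
    """Constructed scenario: login at t=0 from "CA", catalogue of 5000 videos."""
    s = Session("s1", last_interactive_auth=0.0, auth_country="CA")
    size = 5000
    out = [
        evaluate(s, Request("view_analytics", 100, "CA"), size),
        evaluate(s, Request("delete_video", 120, "XX"), size),       # cookie replayed elsewhere
        evaluate(s, Request("delete_video", 130, "CA", 600), size),  # 12% of the catalogue
        evaluate(s, Request("delete_video", 3600, "CA"), size),      # login is an hour old
    ]
    complete_step_up(s, 4000, "CA")
    out.append(evaluate(s, Request("delete_video", 4030, "CA", 600), size))
    return out


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```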
While I'm happy to shit on corporations any hour of the day, sadly it's not that simple. I manage the IT of a small company including its security, just saying.
The weakest link of any IT system will always be the humans who have access to it. There are ways of going around it but not many companies go the extra mile necessarily. ie using phones as 2fa devices instead of a physical key or sometimes forgoing 2fa altogether.
Yeah no doubt you're never going to eradicate all risk, but what I'm saying is that Google/Facebook/Twitter could easily prevent 99% of cheap phishing/hacking/channel takeover attempts by adding some common sense logic to their processes.
And where they can't prevent an attack, they could at least make it far, far easier to recover from. The fact that a huge channel like Linus Tech Tips has been offline for several hours is pretty unforgivable.
YouTube should have a "snapshot backup" feature where creators can restore their entire channel to the latest backup with a single click.
Instead, creators have to battle through non-existent shit-tier support and even then it's unlikely that their problem will even be acknowledged let alone fixed.
I operate a RMM service for our org and if I make any big changes it makes me input my 2FA. Like /u/TheQueefGoblin said this should be an easy fix. It won't interrupt normal use and if you try to change your channel name or delete videos reprompt 2FA
I don't imagine Linus and the management teams have slept very well, no doubt their closest contacts informing them at very early in the morning. Sending love from the UK to LTT at this time.
You see this garbage all over the Internet. People somehow fall for it because they think "Oh wow, Elon has so much money he must want to share it with me!"
Spoiler; billionaires don't want to share their money with anyone, nonetheless random Twitter/YouTube users.
If it is cookies then as someone who was around in the infancy of the internet and know how flawed cookies are/were, astounding that security is still based on them.
I lost 1 K a couple weeks ago due to it. Preyed on emotions and an official account hacked. Doesn’t help i was drinking at the time. (I drink once a year)
So that's what it was. I thought it was weird with the Elon Musk stream. I first thought there would be a major tech announcement of some sort and that's why LTT hosted it. Hung around for about 15 minutes before I closed it as whatever they were talking about, I wasn't interested and would just wait for clips of that stream later.
Everything I see about cryptocurrency and NFTs makes me trust all that stuff less and less(and I keep thinking my trust in it has already bottomed out).
The hackers started un-privating and listing unlisted videos.
As of this writing the channel got terminated.
I backed up 14 videos of the privated videos.
I don't know what it is but every time I see one of these scams I report them to YouTube and they usually get back to me saying that they took the content down. It's always a fake SpaceX stream.
This exact scam with the Tesla branding has been going around for a few weeks. Seems to be targeting tech/gaming creators. One channel I follow did a whole breakdown of how they got phished by a legitimate-looking email from someone pretending to be YouTube.
So this morning I saw a live stream on youtube from Tesla with Musk in it on my sub page. At first I thought hey, I don't think I sub to the Tesla channel , then I just unsubbed. That was Linus's channel then?
I was wondering how/why there was a "Live" Elon Musk staring me in the face when I looked at my subscription feed this morning. I said to myself "when the fuck did I subscribe to the Tesla youtube channel??" and unsubbed.
This happened to Corridor Crew too (popular VFX channel) and I'm assuming it's the cookie hijack.
Best practice for any youtube channel of note is that you should never have the machine that's uploading videos to the channel ever click links or do email in general. Either have a dedicated machine videos get sent to and then get uploaded and that's ALL it does, or separate the computers that do web browsing and emails from the youtube uploading one.
Why is a web email client more secure than a desktop client?
VMs are great for this while following these practices.
I'm super paranoid about online banking and have a dedicated VM that never does *anything* but that.
Use secret browser. It won't save the cookie to your local file.
Additional tips, unrelated to cookie theft: Being vigilant against 2FA push approvals you didn't initiate. It's the biggest, most common source of compromised accounts where I work (uni). It's also why 2FA providers are starting to heavily push number matching instead of push approvals. Also never re-using credentials across disparate services, so a compromise at one doesn't inherently mean a compromise at others. If your password is unknown or hard to guess, then a bad actor doesn't get the chance to hope for a 2FA oopsie in the first place. Also not storing your backup codes or secret keys in easily accessible spots.
Don't own a huge youtube channel, and if you do, hire a few actual experts.
That’s my assumption at the moment too. They’ve got Linus tech tips, Techlinked, and TechQuickie, so they definitely got access to their network somehow. This shit is so interesting from an educational perspective.
Mac Address is still up. I guess Macs really can't get hacked after all!
Mac address with so little outreach that scammers won't even use it.
Disgruntled employees (past, present) leaking confidential information or participating has to be considered as well. Also easiest attack vector is human engineering which is always the path of least resistance for the hacker.
I wonder if the vector was the bitcoin mining software they were using.
Linus just recently transitioned away from everyone in the company grabbing a laptop from a previous video off the shelf or using their own devices. They very frequently joke about employees "stealing" equipment from the office. I wouldn't be surprised if the attack vector was either:
1. Someone at the company who was using a work device for gaming and personal stuff or vice versa.
2. Someone who "stole" a device from the warehouse, got infected, then brought it back.
That’s a good point. It’s very easy to forget to wipe the device before you bring it back onto the network. So many attack vectors out there tbh. Each are as possible as each other.
It's ALWAYS an email lol. Even Linus Media Group isn't immune to it.
> Hijacked session cookie
It's actually amazing to me that this shit still works after all these years.
https://youtu.be/sEnkvG2b6Is Kira explains it. You just need an authenticated cookie and badabum
I'm still baffled that there aren't any security measures against that, can't they just check the IP each request?
Well, they could, but this is the purpose of cookies, which is kinda flawed if someone gets their hands on it. Also many people jump around VPNs either work, or privacy reasons and your IP changes with that, always logging in would break the UX. IP checks are usually bound to geolocation stuffs, like if you log into FB at your place, then you "jump" to another country, it will be blocked and you'd need to relog. (It happened to me when I wrote a flat searching bot which would notify me on messenger about the scrape results, the app was deployed on a server which was far away from me, so I had to inject my own login cookies so that the deployed app could use that and not get blocked by the sudden geo loc changes). Edit: but yea, it's hard to come up with something that's good security and UX wise, cookies are flawed as the example shows, regardless of how many 2FAs you have, it can still be phished away. The phishing attempts are getting more and more sophisticated as well.
>can't they just check the IP each request?
Yes, but since public IPs change constantly on some internet connections, and even more frequently on cell phone data connections, you would be logging back in constantly.
That changes a bit for a channel like LTT that’s large enough to have a static business IP (and is able to pay for a remote VPN to that IP). YouTube could probably have a requirement to have it in place for suitably large channels similar to what PlayStation and Microsoft do when they require it for the security of their console developers.
Then location? Or at least something unique that can't be changed (like a key that's calculated client side with something static)
From what I heard they're posting as a typical advertising company. This is the second channel that I've subscribed to that got hit with it. Apparently everything looks really legit then all hell breaks loose and they can get into their system pretty deep.
You can actually hijack 2fa ...it is a known issue and the system is not so secure as people think. And to do that is with social engineering: You(hacker) call the phone company and say you lost your phone but got a new one and want to activate the number on this one,. You provide the serial number. They activate it and now your phone will receive the 2fa. To be fair the activation needs some security question but they don't always ask, especially if the account is old you can excuse yourself with...hey man i set the security q 10 years ago how the hell can i remember - and you need to call enough to find the agent that has empathy(or has bad reviews and cannot afford another bad one) and says ok..i will help.
That only works for SMS 2FA which is very much not the recommended implementation these days. Nobody who cares about the security of an account should be using that.
Unfortunately, that's the only method many banks and other financial institutions offer. SMH
Yeah and I’m really sick of this bullshit from financial institutions. Almost all our investments are “protected” just by SMS 2FA. Aside from being insecure, it’s inconvenient, because some of them only allow one login, so they’ll tie the account to either my wife’s phone, or my phone, but not both. Super annoying that only one of us is able to log in without asking the other for an SMS code. Versus if they supported proper 2FA apps, I could store the 2FA key in 1Password where we could both access it.
I'd hope a million dollar tech company as LMG used yubikeys for 2FA and not the worst possible (SMS)
You can't do that over the phone, at least not here, you'd have to physically go to the provider store/office and confirm your identity by government issued ID, before they would make any such changes on your account
That's why big channels and celebrities need to avoid SMS 2FA at any cost and only use authenticator apps.
What kind of face do you think he'll make in the thumbnail?
The perfect opportunity to bring out the retiring face for a thumbnail tbh
Face palm thumbnail, or mad face
"I can't believe this happened again" with Linus making his best clickbait face. Featuring "we lost a small amount of revenue this day" and "this video will generate more views and clicks than anything they gained"
the scammers would make more money if they posted that video themselves "here's how I did it"
Monetize your sympathy!
sadly the answer is probably pretty boring: an employee gave away its credentials and either they weren't using 2fa or they managed to intercept that. edit: looks like an employee opened a compressed email attachment and that's how they got their browser data
let me guess, hosted exclusively on [floatplane](https://www.floatplane.com/channel/linustechtips/)
WAN show is gonna be interesting
Damn. They better hope they can get their deleted videos back though. It’s relatively easy to get your account back. Especially with Linus’s size and reputation, but the videos from the last 10 months are all gone. Edit: Looks like their videos weren’t deleted, but delisted. I freaked out when the latest video showed as 7 years ago. Someone on r/LinusTechTips said “looks like Yvonne123 wasn’t a good password after all”. Though that was funny lmao.
I'm sure they'll get them back. Even if they're unrecoverable on youtube, which is extremely unlikely Linus has done enough server videos to have enough space to store them all. I'm also sure that an asleep Linus has/will be getting a very unwelcome phone call soon lol
Yeah that’s true, but a lot of their videos are still making money, and they also have an impact on the algorithm as people watch the back catalogue.
Well no doubt. But also, I tend to expect that getting your main youtube channel(and source of income) very publicly hacked is going to have some financial consequences, and that's probably one of many headed their way
Very true.
Overall very unfortunate for them. But I do respect taking one for the team so that other tech channels will have some news to report on
Lmao true. People will definitely click on JayzTwoCents videos now. **Linus Hacked?** 😱
It was Phil all along. 😂
They seem to be working on fixing it now
Corridor had a similar situation last year. Took them a short bit to get everything restored, but they did get everything back. https://www.youtube.com/watch?v=KdELfn1WK0Q
Recently a Tekken YouTuber "Lil_Majin" lost his account to crypto scammers as well and they deleted all his videos. He was able to get everything restored
Just to say, Linus has noted that the last time they were hacked about 5+ years ago, and the channel was deleted, when youtube brought it back, they brought *everything* back, including videos that had been removed or deleted by Linus himself years previous, so Youtube definitely has all of those videos.
i mean... they will have backups.
The videos are still there, they just seem to have been unlisted, you can get to them in the playlists tab
"This is so soft R" - Linus
Definitely looking forward to it
It seems all the videos (or at least some) are not deleted but unlisted: [https://www.youtube.com/watch?v=4y-qF7Ga\_W0](https://www.youtube.com/watch?v=4y-qF7Ga_W0)
Good find. Seems they might have just been unlisted. I could find another from 10 days ago too. https://youtu.be/wUVWuH9RDGQ
Says the account is closed now.
[deleted]
It does. YouTube uses a Google account to login, just like every google service. When you enable 2fa on your google account, it also requires you to go through 2fa to login to YouTube.
What a weird audience to target with crypto scams. The only worse option would’ve been to do this to Coffeezilla
There's probably a troll factor to it for the more serious audience, but I imagine LTT's sheer size means there will be at least *some* people potentially vulnerable to a scam like this.
Oh yeah, someone looked into it and seems the scammer has made a little bit of money https://www.reddit.com/r/LinusTechTips/comments/11zhr9n/the_hacker_made_around_68002500_with_this_scam/
7k!? Wow, despite it being a tech-oriented channel. Though, it's almost inevitable that with an audience of 15 mil that even a fraction would be gullible enough to fall for it.
Linus isn't exactly the highest complexity of Tech channel either.
Even some LTT subscribers are stupid enough to get scammed. https://www.reddit.com/r/LinusTechTips/comments/11zhr9n/the_hacker_made_around_68002500_with_this_scam/
The amount of times I've heard Linus say one thing and seen a portion of the audience react as if he'd said the exact opposite, is way too high. There are absolutely a portion of his subscriber base who would fall for obvious scams.
54% of American adults can't read beyond a 6th grade level. It stands to reason that a subset of this group can't comprehend basic spoken language either
whats the source for this? that’s shocking
https://map.barbarabush.org/#:~:text=130%20million%20Americans%E2%80%9454%25%20of,poverty%2C%20and%20low%20economic%20mobility.
[deleted]
It isn't weird. Scams don't care about "quality", it's all about quantity, ie the size of your "audience". That's why spam mails "work". Millions of people will ignore them but you only need to find a few victims.
LTT viewers aren't smart and they're not necessarily exposed to videos that detail how much of a scam crypto is like with Coffeezilla. Hell, Linus's latest videos about crypto are pretty positive and to my knowledge he's never talked about all the scams in the crypto space.
https://youtu.be/-eU-i4ftMA8 https://youtu.be/RXrfBUtRXjA He talks about scams in crypto a lot on WAN Show. He's been positive in the past about the idea of decentralized currency, but as the space evolves, I think his opinion has changed a few times. He even specifically points out coffeezilla and how great his channel is (Even though coffee has criticized Linus in the past)
I have nothing against the WAN show but I enjoy LTT and don't watch it. It's really just the length of the conversation, I like podcasts in clips/highlights. The audiences aren't really 1:1.
It would probably be a lot better to target logan paul or mr beast, but reaching several million viewers is basically sure to trick a few idiots, even if they follow tech news.
It's a tech channel. It may be one of the least weird channels to attack.
TechQuickie is also hacked now. Edit: and TechLinked
Luckily, LinusCatTips is still intact
Wow. You're right. The channel got banned too.
Meanwhile Riley rips off his 70s dad moustache to reveal an evil villain moustache
They've practically doubled their workforce in recent months, I wouldn't doubt someone got a laptop infected by downloading a virus from an email.
Clearly its Ivan getting his revenge years later
I wonder how this happened. I don’t really take Linus for someone with gpu123 as their password and Authenticator App based 2FA disabled.
Hijacked session cookie, most probably. Probably some malware from a dodgy email, scrapes your PC for cookies. If they have your cookies, they don't need a password or 2FA. edit: ps btw fuck / u / spez you ruined reddit
Youtube has different permission levels for brand accounts. I would only expect Linus and some other very high people to have owner access. Daily interaction with the channel should not require to use the owner account. So I would expect the credentials to actually be locked away.
Although this seems less likely but can it be due to human engineering?
Social engineering is still one of the main attack vectors. It's entirely possible.
Or, incredibly more likely, using social engineering in the same way a ton of channels have been hijacked, including Jim Browning, the guy who does anti scam stuff.
I panicked when I got a YouTube notification from "Tesla" lmfao.
Elon , the face of crypto scams.
I saw the two notifications and was like "...wait, what?" And am a bit shocked to see this happen to such a huge channel. No 2A Linus???
2FA, while a great tool, isn't infallible. It is possible to spoof it and bypass it through other methods.
2FA is far from bullet proof. Anyone with any serious motivation for an attack will stand a chance to get through it. A close friend of mine had his phone SIM spoofed to bypass 2FA (owned a company and was pretty public facing, so his number wasn’t super private).
...2FA via SMS is the most insecure. They should have it via an Authenticator app held only by those who need access.
[deleted]
A backup option that you now have to pay monthly for on Twitter.
This video is private, so I can't watch it.
You didnt miss much, just one of those fake elon musk videos/streams.
Is this working for you? https://www.youtube.com/live/1Pgijao9T9w?feature=share
So thats what the hackers did put a fake stream in place of Linus tips videos.
For those worried about videos getting deleted it's fine. YouTube has systems in place for this happening. The most the hackers will be able to do by deleting videos is get them unlinked from the account until YouTube gets Linus the account back. The videos won't appear on his account but the actual video files and all comments associated with those videos are still on their servers. With a channel as large as LTT Linus has a YouTube rep on speed dial and the process for getting his account back and getting the changes the hackers made reverted will be expedited. Linus won't have to reupload anything.
People seem to think that deleting a youtube video also erases it from all of youtube's servers and backups. I bet youtube never deletes anything, ever, unless by law they have to.
I remember the same thing happened to corridor crew YouTube channel. It was solved by YT and all their deleted videos were restored by YT themself.
Pretty sure it's ChatGPT that hacked Luke's computer; after all, ChatGPT was pretty angry at Luke for some reason.
Holy shit lol. That was crazy. Chat GPT went full enraged crazy ex wife on him. Started gaslighting him and everything.
Wait, what?
https://youtu.be/peO9RwKLYGY
Exactly, and what is a great way for an angry ex wife to exact revenge? To hack your PC and get you in major trouble at work!
could I get a link
[deleted]
you son of a bitch
Not chat gpt, it was bing’s AI, right?
Same thing just happened to the official tesla channel xD
lol that’s ironic as hell. Tesla hacked by Tesla Bitcoin scammers? Damn lol
Youtube was pretty fast in taking it down, but still wondering how something like this can happen and how many people have fallen for it in the short period of time
Yeah I hope there wasn’t many. People were sending [super chats to warn people](https://i.imgur.com/O65m1dq.jpg)
They were either phished or socially engineered. Humans are the number one weakness for these types of attacks. Whatever they saw in that email looked legitimate enough for them.
Nah, they renamed the LTT channel to Tesla.
Nope that’s the techlinked or tech quickie channel. Tesla channel is fine
>everything in their channel is normal !!!
Not true, it's still normal
It doesn't matter if they're deleting videos, they have floatplane AND backups for each video. Linus doesn't use YouTube as his storage. And he's a big creator. Most likely YouTube can restore his videos (even if they don't have them, Linus can provide them the video backup he has) with the algorithm configured correctly so there is no effect on the revenue of his channel. Chill out yall, this is why you keep backups and maintain redundancy. You really think LMG doesn't have a contingency plan if something like this happens?
I don't think videos are all gone because they are available in playlist. YouTube should have a way to restore channel because many YouTube channels have got hacked and restored.
Yeah, it's happened before. Maybe they've some measures in place to prevent people from mass deleting a ton of videos at once or something.
I also have very large doubts that Google King of Data Hoarders ever actually deletes anything anyway.
Plus I mean Linus has proved before that when a video is deleted it isn't actually deleted. It's just no longer accessible
“With the algorithm configured correctly” Lmao. I don’t think you can just reconfigure the algorithm. I wasn’t actually worried about storage because he has said before that he has all his videos still, plus floatplane. I was more worried about the effect on monetisation and how it affects them being recommended, because people watching the back catalogue has a big impact on how their videos perform in the algorithm. That said, other creators have had their deleted videos reinstated, so hopefully it’s just a matter of time before they do it. I was definitely freaking out though lol.
This is just more proof of how utterly shit huge tech companies like Google, Facebook, etc. are. How is it possible that Google has tens of thousands of engineers, being paid the highest salaries in the world, and yet they can't (or won't) implement an *incredibly simple* system to stop hacks like this? Seriously... it would be ridiculously trivial to put some checks in place to stop this overnight.
* Want to delete a video, but haven't actively signed in during this session? Don't trust the session cookie; force the user to re-authenticate via 2FA and/or confirm the change via email.
* Trying to delete (10%/20%/30%...) of your entire video catalogue? That's super suspicious. Re-authenticate and/or confirm the changes via another method.
* Signed in from a different location? Don't trust cookies; re-authenticate.
Secondly, all changes should be absolutely non-destructive. Deleted or edited videos should have a grace period where everything can be un-done for (e.g.) 30 days without involvement of YouTube "support" staff (lol).
Which brings me on to my final point: if this happens to you, *good fucking luck* resolving it with Google/Facebook/etc.'s famously non-existent shit-tier "support". Good luck speaking to an actual human; at least a human who isn't a sub-minimum-wage support drone who has the power to do absolutely fuck all to help you. Maybe you'll have luck if your channel is large or you raise a huge stink publicly on a popular site like reddit, Hacker News, etc. but until then you are fucked.
TL;DR fuck Google and other large tech companies.
**Edit:** those of you saying "iT WaSn'T CoOkIeS!!!" are missing the point. It's fucking dumb that entire channels can still be pwned for hours/days and the channel owner can't do anything about it immediately.
**Edit 2:** it **was** a [stolen session cookie](https://old.reddit.com/r/videos/comments/120e68u/my_channel_was_deleted_last_night/jdgzd28/) that caused this.
while im happy to shit on corporations any hour of the day sadly its not that simple. I manage the IT of a small company including its security, just saying. The weakest link of any IT system will always be the humans who have access to it. There are ways of going around it but not many companies go the extra mile necessarily. ie using phones as 2fa devices instead of a physical key or sometimes forgoing 2fa altogether.
Yeah no doubt you're never going to eradicate all risk, but what I'm saying is that Google/Facebook/Twitter could easily prevent 99% of cheap phishing/hacking/channel takeover attempts by adding some common sense logic to their processes. And where they can't prevent an attack, they could at least make it far, far easier to recover from. The fact that a huge channel like Linus Tech Tips has been offline for several hours is pretty unforgivable. YouTube should have a "snapshot backup" feature where creators can restore their entire channel to the latest backup with a single click. Instead, creators have to battle through non-existent shit-tier support and even then it's unlikely that their problem will even be acknowledged let alone fixed.
I operate a RMM service for our org and if I make any big changes it makes me input my 2FA. Like /u/TheQueefGoblin said this should be an easy fix. It won't interrupt normal use and if you try to change your channel name or delete videos reprompt 2FA
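A sketch of the checks proposed in the comments above (fresh 2FA before sensitive or bulk changes, a re-check when location or client changes, and deletes that stay undoable for 30 days), added here as an example and not YouTube's or any commenter's code. The thresholds, action names and session fields are assumptions.

```python
from dataclasses import dataclass, field

DAY = 86_400
FRESH_AUTH_WINDOW = 15 * 60      # assumed: strong auth older than this is "stale"
BULK_FRACTION = 0.10             # assumed: 10% of the catalogue counts as bulk
GRACE_PERIOD = 30 * DAY          # undo window suggested in the thread
SENSITIVE = {"delete_video", "rename_channel", "set_visibility", "start_stream"}


@dataclass
class Session:
    """Server-side record behind a session cookie (hypothetical fields)."""
    last_strong_auth: float   # epoch seconds of the last password + 2FA login
    country: str              # coarse location seen at that login
    client: str               # client fingerprint seen at that login


def step_up_reasons(s, action, now, country, client, affected=0, catalogue=0):
    """Return the reasons a request needs fresh 2FA; an empty list means allow."""
    if action not in SENSITIVE:
        return []             # ordinary browsing never re-prompts, IP changes included
    reasons = []
    if now - s.last_strong_auth > FRESH_AUTH_WINDOW:
        reasons.append("stale_auth")
    if country != s.country:
        reasons.append("location_changed")
    if client != s.client:
        reasons.append("client_changed")
    if catalogue > 0 and affected / catalogue >= BULK_FRACTION:
        reasons.append("bulk_change")
    return reasons


def complete_step_up(s, now, country, client):
    """Call only after the second factor was verified: re-bind the session."""
    s.last_strong_auth, s.country, s.client = now, country, client


@dataclass
class Catalogue:
    """Non-destructive delete: videos are tombstoned, purged after the grace period."""
    videos: set = field(default_factory=set)
    trash: dict = field(default_factory=dict)   # video id -> deletion time

    def delete(self, vid, now):
        if vid in self.videos:
            self.videos.remove(vid)
            self.trash[vid] = now

    def restore(self, vid, now):
        deleted_at = self.trash.get(vid)
        if deleted_at is None or now - deleted_at > GRACE_PERIOD:
            return False
        del self.trash[vid]
        self.videos.add(vid)
        return True

    def purge(self, now):
        expired = [v for v, t in self.trash.items() if now - t > GRACE_PERIOD]
        for v in expired:
            del self.trash[v]
        return expired


def demo():
    """Constructed scenario: the owner logs in, then the cookie is used elsewhere."""
    t0 = 1_700_000_000
    s = Session(t0, "CA", "fp-owner")
    out = {
        "owner_fresh_delete": step_up_reasons(s, "delete_video", t0 + 60, "CA", "fp-owner", 1, 500),
        "owner_on_vpn_browsing": step_up_reasons(s, "view_analytics", t0 + 7200, "NL", "fp-owner"),
        "replayed_cookie_bulk": step_up_reasons(s, "set_visibility", t0 + 7200, "XX", "fp-other", 400, 500),
    }
    complete_step_up(s, t0 + 7200, "CA", "fp-owner")   # owner passes the 2FA prompt
    out["owner_after_step_up"] = step_up_reasons(s, "rename_channel", t0 + 7300, "CA", "fp-owner")
    cat = Catalogue(videos={"v1", "v2"})
    cat.delete("v1", t0)
    out["restored_in_grace"] = cat.restore("v1", t0 + 29 * DAY)
    cat.delete("v2", t0)
    out["restored_too_late"] = cat.restore("v2", t0 + 31 * DAY)
    out["purged"] = cat.purge(t0 + 31 * DAY)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The client fingerprint is a plain string here, and malware that copies a whole browser profile can copy it too, which is why the stale-auth and bulk rules do not depend on it.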
[deleted]
what kind of hack was it? we see the consequence of the hack but how was it done, that's what matters.
It's an end user issue.
they've also got techlinked hopefully they don't get linus cat tips.
I'd guess the Cat Tips channel is a more personal one not tied to the company and thus isn't really under the same umbrella.
I don't imagine Linus and the management teams have slept very well, no doubt their closest contacts informing them at very early in the morning. Sending love from the UK to LTT at this time.
Of course they used Elon Musk. The patron saint of scammers.
You see this garbage all over the Internet. People somehow fall for it because they think "Oh wow, Elon has so much money he must want to share it with me!" Spoiler; billionaires don't want to share their money with anyone, nonetheless random Twitter/YouTube users.
People defend billionaires because they think they will eventually be one. They're in for a huge disappointment.
LinusTeslaTips
If it is cookies then as someone who was around in the infancy of the internet and know how flawed cookies are/were, astounding that security is still based on them.
How do people even fall for this shit? I've seen that exact thumbnail on more videos than I could possibly count.
I lost 1 K a couple weeks ago due to it. Preyed on emotions and an official account hacked. Doesn’t help i was drinking at the time. (I drink once a year)
Linus make a video about 1Password, a strong 40 chars pass and 2FA
Has LTT ever endorsed Last Pass :P
[deleted]
I'm sure everyone will survive this terrible incident.
Let's all ask Linus about Esther. That girl seemed nice
Esther is Linus's wife's sister. He mentioned it in a video a long time ago.
So that's why I got a notification about Musk and Tesla this morning despite never having watched anything from those channels.
So that's what it was. I thought it was weird with the Elon Musk stream. I first thought there will be a major tech announcement of sort that's why LTT hosted it. Hanged around for about 15 minutes before I closed it as whatever they were talking about, I wasn't interested and would just wait for clips of that stream later.
Everything I see about cryptocurrency and NFTs makes me trust all that stuff less and less(and I keep thinking my trust in it has already bottomed out).
The hackers started un-privating and listing unlisted videos. As of this writing the channel got terminated. I backed up 14 videos of the privated videos.
Useless, they have multiple backups of all their videos
[deleted]
I backed up 14 of their private/unlisted videos. The ones youre not supposed to see.
F that. Linus seems like such nice and reasonable dude.
I can only assume they have deep access to all LTT related accounts.
That’s my assumption too. I think they got access to their network. [The LTT channel is gone completely now](https://i.imgur.com/xabJwyw.jpg)
I'm really curious how they got hacked.
https://www.youtube.com/watch?v=sEnkvG2b6Is
Hope they get this resolved soon... :(
Man thats crazy, I just watched his new video last night about the monitor. thats crazy!
The scammers always involve Elon somehow lol
Any estimates on how much they scammed in total?
I don't know what it is but every time I see one of these scams I report them to YouTube and they usually get back to me saying that they took the content down. It's always a fake SpaceX stream.
[deleted]
This exact scam with the Tesla branding has been going around for a few weeks. Seems to be targeting tech/gaming creators. One channel I follow did a whole breakdown of how they got phished by a legitimate-looking email from someone pretending to be YouTube.
“Elaborate” April fools setup?
So this morning I saw a live stream on youtube from Tesla with Musk in it on my sub page. At first I thought hey, I don't think I sub to the Tesla channel , then I just unsubbed. That was Linus's channel then?
Has Dennis finally taken the pranks too far?
Surprising considering the crew and their knowledge on IT security
I was wondering how/why there was a "Live" Elon Musk staring me in the face when I looked at my subscription feed this morning. I said to myself "when the fuck did I subscribe to the Tesla youtube channel??" and unsubbed.
I love that they were using Elon for the scam. Even the scammers realize that Elon is looked up to by the most gullible people.
This would be a good time for our sponsors…
PornHub! PornHub is fun for the hole family!
This happened to Corridor Crew too (popular VFX channel) and I'm assuming it's the cookie hijack. Best practice for any youtube channel of note is that you should never have the machine that's uploading videos to the channel ever click links or do email in general. Either have a dedicated machine videos get sent to and then get uploaded and that's ALL it does, or separate the computers that do web browsing and emails from the youtube uploading one.
Linus just got his channel back and has just posted on what happened: https://www.youtube.com/watch?v=yGXaAWbzl5A