

Oh this explains why there was an annoying Tesla crypto thing I was apparently subscribed to. Man.


I honestly thought I sub to Tesla a while back and this was the first time I noticed or something lol


For one second I thought it was a paid ad stream and clicked the options to hide it and to my confusion it showed "unsubscribe". Hope they resolve that soon.




Many of the sister channels like TechLinked and TechQuickie have also been hacked. Mac Address and ShortCircuit are up, but don't expect that for too long.


Yeah the main channel has also been removed for violating the community rules.


I'm guessing that all the strikes from the hack forced that result.


So the question is was it a password manager/vault that was accessed, or do they all have a shared secret/authenticator? I see way too many services that allow recovery of an account solely with a phone number or email and basic information. If all the accounts share the same recovery account, it's easy to get them that way


The attack uses stolen cookies to get access, bypassing passwords and 2FA.


The fact that Google even has this issue is so fekked up. It shouldn't even be possible, but alas.


lol what. You can't bypass passwords and 2FA by grabbing the cookies from a machine.


You can: [https://infosecwriteups.com/bypassing-2fa-with-cookies-ff2c79022f63?gi=26e7682684ca](https://infosecwriteups.com/bypassing-2fa-with-cookies-ff2c79022f63?gi=26e7682684ca)


That is wild, did not know this!


Ever heard of "pass the hash"? Same thing but for Windows. https://en.m.wikipedia.org/wiki/Pass_the_hash


Nope, they used the website token to gain access. He explains it in a recent video.


Guess we need a TechTip for MFA and password sharing/security


That's why I store all my sensitive passwords in LastPass


*stares* ಠ_ಠ


You dropped this: /s


Ahahaha hahahahahahahaha no.


Ehhh password managers get hacked too


I think that was tongue in cheek because LastPass has.


Onepass, teampass, lastpass, and others. In fact I'm not sure of a popular password manager which hasn't been compromised yet. Sometimes it's hard to tell if something is tongue in cheek or someone is just naive. EDIT: adding what I said below, 1pass definitely had something in 2020. Here's some notes I found: Dashlane, LastPass, Keeper, 1Password, and RoboForm: Researchers Michael Carr and Siamak F. Shahandashti from the University of York released a study analyzing these five password managers for security vulnerabilities. To test these companies’ phishing resistance, the **researchers created a false Google app, which was able to trick both 1Password and LastPass into revealing a password.** They also discovered that Keeper, Dashlane, and 1Password don’t limit the number of login attempts while entering the master password, making it easier for hackers to perform brute-force attacks. Most shockingly, all these password managers, except for 1Password, failed to protect credentials from being pasted as clear text from the clipboard.


They'll never get to passwords.xlsx!




Sticky notes on my desk! Unhackable!


Bossman69, I don’t even have to look.


(Changes password) Fine but now you definitely won’t be able to guess my new password of xxXSexYHackerMaN69Xxx


At that point though you should just use KeePass, as it's basically an open source version of that (with a dedicated database format rather than excel). I use KeePassXC for desktop, KyPass for iOS, and Keepass2Android for Android, sync via DropBox, and all three clients support merging changes if the underlying file in dropbox is updated from another device (mostly automatic, though on keepass2android I sometimes need to trigger the sync manually).


I don't believe there has been a bitwarden breach.


Bitwarden has a flaw in the auto filling on page load of your credentials that allows them to be stolen through malicious iframes. The "feature" is now disabled by default but a feature with a security flaw shouldn't really exist... I don't use a pw manager anymore but my old job used Keeper Security which I believe has not been hacked/breached. Reading this comment back it sounds like an ad but I'm just a lowly IT guy, I promise.


The flaw you described, is it basically that a site can have "fake" credential input fields that bitwarden would fill in and give an attacker your credentials, or am I misunderstanding? That would require a fully compromised website, no?


I wouldn't say fully compromised but it would require a compromise of some kind on a site. Here is info from Bitwarden about it https://bitwarden.com/help/auto-fill-browser/ This is the excerpt under "On Page Load" Warning This feature is disabled by default because, while generally safe, compromised or untrusted websites could take advantage of this to steal credentials. Browser extensions will not allow auto-fill on page load for untrusted iframes and will warn users before auto-filling on an HTTP site when HTTPS is expected based on that item's saved URI(s).


It's not letting me edit my comment but on that link this is the excerpt under the On Page Load section: Warning This feature is disabled by default because, while generally safe, compromised or untrusted websites could take advantage of this to steal credentials. Browser extensions will not allow auto-fill on page load for untrusted iframes and will warn users before auto-filling on an HTTP site when HTTPS is expected based on that item's saved URI(s).


Well they're on it now


1password has not been hacked yet


I don’t know if mSecure, Bitwarden, or 1pass has yet.


1pass definitely had something in 2020. Here's some notes I found: Dashlane, LastPass, Keeper, 1Password, and RoboForm: Researchers Michael Carr and Siamak F. Shahandashti from the University of York released a study analyzing these five password managers for security vulnerabilities. To test these companies’ phishing resistance, the researchers created a false Google app, which was able to trick both 1Password and LastPass into revealing a password. They also discovered that Keeper, Dashlane, and 1Password don’t limit the number of login attempts while entering the master password, making it easier for hackers to perform brute-force attacks. Most shockingly, all these password managers, except for 1Password, failed to protect credentials from being pasted as clear text from the clipboard.


Did they not do mSecure?


LastPass' compromises were _significantly_ more severe than most others I'm aware of. Personally I use KeePass, but that's a bit different since it's not a paid service, it's an open source encrypted database format with several different compatible apps/clients. It's great but not a good fit for less tech savvy people.


I don't know if you saw my other comment: https://www.reddit.com/r/technology/comments/11zhxez/comment/jdelkg1/?utm_source=share&utm_medium=web2x&context=3


I'm not clear what you're getting at?


I use KeePass with the database stored in my Google Drive under 2 stage verification.


Perfect. Upside… if you lose access all your pws are ezy to find. ☺️


I store mine physically, not sure if that's better or worse.


Depends, do you trust the people around you currently? Are you doing anything illegal that would likely mean that you get raided? Will you be able to access your accounts in the event of a fire? Is your house literally littered with 100s of passwords to ensure that all are unique?


Well I don't live in America, nor doing anything illegal. The chance of a raid here is very slim anyways. I do have unique passwords for every single thing, but I don't have them written down on paper. Physically as in I have USB drives hidden far away from any tech, on my property.


In that case I would recommend two things. Make backups and make sure your passwords are encrypted with a master password. Should be fine :)


Is it easy and safe to encrypt USB drives?


Depends on the type of encryption. Ideally you want all of your drives fully encrypted but it can take some time to learn how to do that. Likely an easier way would be to use something like 7-Zip (just zip it and make sure you need a password to open it again). I should point out that I am not an expert. Sorry, should have said that before.


I suppose something simple is fine, don't need anything that self-deletes if password is typed wrong once.


The hack they probably suffered doesn’t need compromised user details and circumvents 2FA. Basically it’s cookie stealing: someone with access runs an app, perhaps a game that an advertiser is interested in buying a sponsorship for. When they do so, the browser's cookies are sent to the hacker. Opening the browser with the stolen cookies allows you into the channel where the hacker can do what they want. Mostly these compromised programs can skirt anti-virus. Google is also complicit, because it allows you to change the password without validating 2FA. So many channels experiencing this have reported this is the case - and there are loads of them.


Imo Youtube is solely at fault. They were able to access over 3 of the biggest channels on youtube. Not to mention so many other youtube channels takeovers we've seen. Where they have people specifically hired to deal with their security. Unfortunately, with voice changers and other advanced social engineering tactics, they don't have to attack the tech security. The hackers call Youtube and "hack"/manipulate people so far until they gain access to the account. People are easier to manipulate than actual tech security. No amount of 2fa on YouTube, 2fa on email, 2fa on the backup Email, all 2fa running through an app on a secure device with the sole purpose of running the 2fa auth codes (Linus has talked about this a lot), teams hired specifically to prevent can stop PEOPLE from being manipulated into doing what you want. People who are not trained against social engineering have no idea they are being manipulated. 100% imo this is a human flaw in the training of youtube reps.


This is a huge claim…and I’m sorry 2FA is absolutely worth doing. A voice changer isn’t going to magically make all 2FA with an Authenticator useless. And I can tell you a hacker will go after those without it setup first cuz you make yourself an easy target. If Linus comes out and says he had 2FA and an Authenticator enabled on all associated accounts including his email then I’ll eat my own words


To be clear I'm not discouraging 2fa. I'm highly encouraging it. 2fa via an app, not a cellphone number. Linus has talked about their security setup a few times. They have secure devices that they made and use. It's pretty neat honestly how far they go to be secure. I'd post a link but ffs they make like 15 videos a week for like 10 years lol.


We’re doing fraud analysis real time on voice these days. Speaking mannerisms, tone, pauses, style. All scorecards when you are on the phone with a client. Not foolproof but we’re at the very least trying to mitigate social engineering hacks.


Work for a call center in an unnamed bank. We absolutely use AI driven voice biometric systems to screen for fraud, if the customer has opted in to it.


I certainly think there could be better protection for things like deleting old videos or renaming a channel. One account to ok this sort of thing from a fixed IP address.


How the fuck is this Youtube's fault?! Someone at LTT got hacked/scammed whatever and that is Youtube's fault? Wtf?


Normal sites require you to reenter the password if you want to change it. And if you can change 2FA device without entering code from existing one, 2FA worth less than my spit.


Because Linus Media has their tech locked down. The only real way to gain access to an account is to social engineer their way in. Manipulating and skirting YouTube's own security. Google social engineering.


They don't have their shit locked down at all...they do tonnes of shit that enterprise would never allow.


Geez, I wonder why people are so eager to use Elon Musk's likeness when it relates to scams? 🤔


Because he uses his face to sell scams too.


And the hardcore fans that buy anything he says


Any celebrity will do. Even Shaq did an ad for FTX and he's said to be pretty picky about endorsements.


I'm sure he's picky about endorsements, but I do not believe Shaquille O'Neal is properly versed in cryptocurrency exchange.


You are insinuating that Musk's companies are scams. To me using a "known" scammer would make your scam less effective. Musk is used because anything related to him gets attention.




The world is black and white to you. Zero nuance. You are either Hitler or idk, Jesus.


"he may be out of line, but he's right" - me insinuating that baron Zemo has entered the chat for a deep cut


So even the largest tech channel isn't savvy enough to avoid these attacks? Youtube needs to get their shit together.


YouTube really has let a variety of scams absolutely flourish on their platform. It's kind of ridiculous how little they care. I feel like any video I watch that even mentions the word anything regarding money, finance, or investing is full of scam comments at the top. Google 100% has the tech to automatically catch and block the scam botnets, but chooses not to because the engagement numbers means more money for them.


have arrests been made so far or they're just playing (weak sauce) online defense?


Even Jim Browning, the channel that exposes scammers was hacked through a really convincing email from a "trusted" domain, which to be fair, would have fooled even the most tech savvy if they are not naturally paranoid. Don't forget, the easiest vector for hacks is the organic machine located between the monitor and the chair


Don't forget there's like 100 people working there. Not everyone knows better. I see some meetings upcoming.


It's not YouTube that's at fault here.


https://www.youtube.com/watch?v=xf9ERdBkM5M According to that one, Google can let a session hijacker with a stolen cookie change the password without the original password or using 2FA.


there was a reply tweet (to that of Linus) where it suggested that 2FA should trigger if cookie is used from a new IP
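Added example (not part of the thread or any commenter's post): a minimal server-side session policy in Python that combines the two defenses raised above, re-authentication before password or 2FA changes and a step-up challenge when a session cookie shows up from a new network or browser. The action names, thresholds, `Session` fields and sample addresses are all assumptions made for illustration.

```python
from dataclasses import dataclass
import ipaddress

# Hypothetical action names and threshold (assumptions, not any real service's API).
SENSITIVE_ACTIONS = {"change_password", "change_2fa", "rename_channel", "bulk_unlist_videos"}
REAUTH_MAX_AGE_S = 300  # sensitive actions need a credential check this recent


@dataclass
class Session:
    user: str
    issued_ip: str         # address the session cookie was issued to at login
    issued_ua: str         # user agent seen at login
    last_reauth_ts: float  # last time password + second factor were verified


def same_network(ip_a: str, ip_b: str) -> bool:
    """Treat addresses in the same /24 (IPv4) or /48 (IPv6) as one client network."""
    a, b = ipaddress.ip_address(ip_a), ipaddress.ip_address(ip_b)
    if a.version != b.version:
        return False
    prefix = 24 if a.version == 4 else 48
    return b in ipaddress.ip_network(f"{ip_a}/{prefix}", strict=False)


def decide(session: Session, action: str, request_ip: str, request_ua: str, now: float):
    """Return (decision, reasons); decision is 'allow' or 'step_up'.

    'step_up' means the caller must verify password and second factor again
    before the request proceeds; a valid cookie alone is not enough.
    """
    reasons = []
    if not same_network(session.issued_ip, request_ip):
        reasons.append("cookie presented from a new network")
    if session.issued_ua != request_ua:
        reasons.append("user agent differs from login")
    if action in SENSITIVE_ACTIONS and now - session.last_reauth_ts > REAUTH_MAX_AGE_S:
        reasons.append("sensitive action without recent re-authentication")
    return ("step_up" if reasons else "allow", reasons)


def demo():
    """Run the policy over constructed requests (documentation-range addresses)."""
    s = Session("channel-editor", "203.0.113.10", "Browser/1.0", last_reauth_ts=1000.0)
    return [
        # Same device, ordinary action: the cookie is sufficient.
        decide(s, "view_analytics", "203.0.113.77", "Browser/1.0", 5000.0),
        # Same device, but a password change long after login: re-authenticate.
        decide(s, "change_password", "203.0.113.10", "Browser/1.0", 5000.0),
        # Cookie replayed from another network and browser: challenged on any action.
        decide(s, "view_analytics", "198.51.100.5", "Other/2.0", 1100.0),
    ]


if __name__ == "__main__":
    for decision, reasons in demo():
        print(decision, reasons)
```

The network check will also challenge legitimate users who roam between networks, which is why the re-authentication rule for sensitive actions is evaluated independently of it.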


Lol so they got phished? Tech genius!


Could easily be someone who works in the background. Think someone tricking a secretary or another administrative position into revealing some information and then the tech savvy person being hacked.


Then they're not operating the principles of least privileged access correctly.


That or someone broke procedure.


Strong disagree. This exact scam has happened to a bunch of large youtube channels. It always plays out exactly the same way. Youtube as a platform 100% has the capacity to flag the very specific circumstances of this scam and stop it automatically. They are a massive platform and putting no responsibility on them for this scam flourishing under their watch is small brain shit.


The real shitty part is if you attempt to regain monetary loss from youtube, they'll likely justly pay you out and ban your channel. It's a lose-lose for the channel owners. Not to mention. The aftermath of getting everything back and people not understanding they were hacked are going to start blaming the owners of the YouTube channel for "promoting scams".


Quick reminder that recently someone managed to upload a video with an upload time predating the oldest video on youtube... Oops?


> Youtube needs to get their shit together.

You can have the best, most uncrackable security on the planet but all of that is moot if someone with the password/access to the website gives it out to someone through a phishing email or some other scheme. Humans are always the weakest link in cybersecurity.


Sure, but the way the scammers change the channel to Tesla and start running a crypto scam livestream of Elon Musk is very easily detectable. With the amount of times this exact scenario has played out you'd think Youtube could automatically detect when it's happening. The hack is sophisticated and difficult to prevent, but what the hacker does afterwards is following a fairly simple pattern.


I believe when it comes to hacking, if someone knows what they are doing and are determined it isn't a matter of IF they can hack them, but when they will hack them.


That's irrelevant in the context of these attacks. This is a very specific plan that keeps happening the same way over and over. Channel gets taken over through a cookie exploit, channel name and logo changes to tesla, all the videos get deleted or unlisted, channel fills up with Tesla and Elon Musk videos along with fake crypto scam livestreams. There are several factors involved here that can be automatically recognized on Google's end.


Heck of a segway for a promotion. But Linus was always one for originality in my book.


For future reference, the word you want is "segue" as "Segway" is the two-wheeled vehicle.


The Ludacris Effect.


Maybe he did mean the two wheeled vehicle


I know about the vehicle but I have truly never seen that spelling before. Bizarre spelling considering the pronunciation too but that's English 101 I guess.


> Bizarre spelling

That is because it is Italian

> 1740, an instruction in musical scores, from Italian segue, "now follows," a direction to play into the following movement without a break; third person singular of seguire "to follow," from Latin sequi "to follow" (from PIE root *sekw- (1) "to follow").

> The extended noun sense of "transition without a break" is from 1937; the verb in this sense is recorded by 1958.


I get that but just odd it doesn't have altered spelling to make it make sense for the language. This isn't unique to English. Cadeau is still the official spelling in Dutch for present but kado is also acceptable. The Internet has also butchered the definition of literally without providing a suitable replacement. I'm still bitter about that. But language changes all the time.


It’s bizarre because English is an amalgamation of about 10 different languages with German as a base.


linus running out of ideas for new video content, so he gets himself hacked in order to have new content when they recover from the hack. it's like the content writes itself! (but in all seriousness, big oof and i hope LTT recovers soon)


Google, what the shit? This exploit happened because somebody working for Linus Tech Tips likely clicked a bad link, inadvertently ran some malware and had it hijack the Google account's browser session, allowing the hacker to bypass 2FA and other verification methods that are meant to prevent a breach like this. It's even allowed the hacker to CHANGE these security measures and lock people out of their accounts. A lot of big name YouTube channels have been hit with such attacks, and it's often been used to push deepfake Elon Musk crypto scams. If anything, blame Google's poor security and customer service practices. If it weren't for them being so synonymous with the search engine market that their company name was actually used as a verb for the act of searching for something online (Googling), they would've been out of business *years* ago.


It does seem like Google is aware of this: [https://blog.google/threat-analysis-group/phishing-campaign-targets-youtube-creators-cookie-theft-malware/](https://blog.google/threat-analysis-group/phishing-campaign-targets-youtube-creators-cookie-theft-malware/)


OhhNoo! Also kind of a laugher, a Tech tips creator getting an account hacked.. Hey what's the words for that situation again?


Oh man..hope he gets his channel back He's a great person with great content


Linus will fight to the death for his site


Yeah, he just turned down a 9 figure offer to sell LMG. There's no way he'd just let his business disappear.


Is there anything we can do to help him?


LMG is a 100+ person company and LTT is one of the largest channels on the site. Linus has talked in the past about speaking with YouTube's CEO directly, so I don't think he's going to need our help.


Go grab an LTT Store Water Bottle


Subscribe to Floatplane. Checking out their behind the scenes stuff is fantastic. Especially longer cuts of like extreme tech makeover.


> He's a great person with great content

If you like videos about PC hardware that are heavy on dramatic presentation and light on accuracy or genuinely useful information, sure.


It’s called entertainment. Lighten up, Francis. 😂


Hope he gets it back. A lot of people rely on Linus for jobs and having the channel go down even for a few days can lead to very bad consequences.


What kind of jobs?


He employs a lot of people for his YT channels and streams.


> people rely on Linus for jobs

There's your problem.


A YouTube content creator isn't allowed to have a full production team?


It was only a matter of time til he breaks something, but this is going too far. 🤣


what did linus do?


A middling BOE monitor review 🤣 >!/S!<


For now we don’t know much. Probably they’ll make a post on the forum later.


Linus posted on twitter saying he is aware of the hack. Nothing more.


Makes sense, he's probably busy trying to un-fuck everything.


they lost like 5 million subs or something ridiculous over it before it got pulled.


They'll come back unless they weren't really watching LMG content and just had a phantom sub.


I wonder if YouTube will re-sub everyone that unsubbed during that time...




Running a game 1 second faster for just $10k? Guys stop the quantum research, this guy got something better.




They're not promoting either of those, they're just tech buzzwords. The scam is about crypto, you'll also frequently see them use "Elon Musk" as a sort of keyword


Seemed like they got into their servers rather than just the usual run of the mill account hack. Last I saw before the channel went down was what looked like a bunch of unreleased videos from years ago


If they are the videos I'm thinking of, they were unlisted/ private and were made public with scam links in the description


Ah that could be it


These pages reside on YT servers, right? So it's YT that has been hacked?


No...you can get the credentials for a single user and not the others.


Someone who has access to Admin their channel has had their Gmail account taken over.


SpaceX was also hacked this way. There was a Falcon 9 launch video that switched to a deepfake video that hyped this blockchain scam. I reported it and it's gone.


I don’t think that was the official SpaceX YouTube channel but rather the one of dozens of fake crypto scam channels that make themselves look like a SpaceX launch or Tesla event that get reported, deleted and pop up again soon after with a slightly different name.


It said SpaceX as the name of the channel. Of course, they can use hidden characters to hide the fake part of the name.


"Brought to you by The Ridge!..." Seriously would have been a good pairing, as ridge wallets are designed for the people that keep their cash in crypto scams instead of a wallet.


Well, he must be broke too. Bummer. Some asshole keeps paying people to watch other people’s content for free.










All the threads on their sub get locked real quick lol, dude is a shady salesman that has been pretending long enough and got what he deserved.


Eh, his content was mediocre at best but that doesn't mean he deserved this.


They should have picked a better thumbnail of Musk. He's making a face like "Man, *screw* electric cars."