YouTube channel Linus Tech Tips and two related channels within the same media group were recently taken over by hackers and deleted. For several hours chaos broke out across the Linus Media Group, which has a combined followership of over 25 million people. The hackers did everything from advertising dodgy cryptocurrency to mass deleting videos, eventually resulting in YouTube terminating the channels due to breaching its terms of service.
Fortunately, the channels are back up and running, and everything’s back to normal. So, what exactly happened, and how was it fixed in the end?
Read on to find out.
What the hackers did
In a video explaining the situation, channel owner Linus Sebastian explains that the trouble started just after 3 am when the Linus Tech Tips account was renamed Tesla and started streaming a podcast-style recording of Elon Musk discussing cryptocurrency with several others. The stream linked to a scam website that promised users that for every one bitcoin they spent, the site would return double. To lend an air of legitimacy, the site also featured fake transactions of other users getting huge payouts from the site.
While Linus tried to tackle the issue, his two other related channels, TechLinked and Techquickie, began hosting these fake crypto streams. Eventually, YouTube took down all three channels for violating its terms of service.
How the hack occurred
The surprising thing about the takeover was that it didn’t occur because of a password breach or dubious 2FA practices but by targeting session tokens. A session token is stored in your browser on your device and allows you to continually access a site via your account once you’ve logged in and your credentials have been validated.
Hackers managed to hijack a session token by targeting an employee with social engineering. A team member downloaded what they thought was a sponsorship offer from a convincing-looking email. They launched the PDF of what they assumed were the terms of the sponsorship deal, but nothing happened. Innocent enough. However, unbeknownst to the team member, the PDF actually downloaded malware to the computer, which then proceeded to access user data from the team member’s web browsers, from cookies to saved passwords and session tokens for every site they were logged into.
How everything was fixed in the end
Before Linus realised the root of the problem, he started trying to tackle the incident by privating the streams, revoking the stream keys, and resetting the accounts’ credentials. However, the hackers were one step ahead, and not only started the stream again, but also began mass deleting videos. Once he figured out the root cause was the session IDs Linus had some trouble navigating their content management system and figuring out which exact login was the issue. While Google helped them resolve the problem in the end, Linus had some critiques of their support communications practices, which you can hear in full in the video.
Future prevention
This sort of takeover has been a recent problem for myriad YouTube creators. As always, awareness is key, as well as proper training for staff members so they know the signs of social engineering attacks. Linus also highlights the need for YouTube and Google to strengthen their own security practices.
Cora is a digital copywriter for SSLs.com. Having eight years of experience in online content creation, she is a versatile writer with an interest in a wide variety of topics, ranging from technology to marketing.