How Do YouTubers Get Hacked? 3 Tips to Secure Your Account

YouTube channels are getting hacked.

It’s becoming a bigger concern for content creators and viewers right now because big, well-known, popular channels are getting hit in these attacks. Malicious actors are using new tactics to get into accounts, but there are some really important preventative measures you can take as you’re watching this to protect your account, whether you upload videos or you just log into your account to watch them.

Attackers use several different attack vectors to get access to a youtube account, so taking one step to minimize risk won’t really work. It’s kinda like locking your front door while leaving your garage door open - locking one door doesn’t work, because a thief would just try another door. Same goes for online accounts - you can use different passwords all day long, but if you download malware then you still get pwned.

Here are 3 steps you can take today broken down with recommendations to protect your account. This episode is in partnership with Yubico, and you’ll see why this works so well as one of the steps you need to take. I’ll be using a desktop browser to show you everything in this video.

Let’s start with locking up your youtube account. A YouTube account is generally associated with a Google account, and we’re going to assume the google account login is a gmail email address. You can see what email address you use to log into youtube by clicking on your profile picture in the top right corner and clicking on Settings. The page that loads will show you which email address you use and it’ll have a link to your Google Account Settings page. This is where you have full control over your google account. You wanna make sure this account is all straightened out before we move on because if this google account gets hacked, then someone could have access to your linked youtube account too.

On the Personal Info page, scroll down to the Password setting. If you’re reusing this password somewhere else (like it’s the same password on your twitter account or something), change it now. Change it to something long, use multiple words, use symbols, letters and numbers, etc. I’ve done many, many a video about passwords that you can use as references for generating a strong, complicated password and how to use a password manager to store and protect your passwords.

Click on the Security page. This page will give you a Security Checkup - a quick look at all of your security settings for this google account and potential threat vectors you might wanna close. Garage doors.

This page is where you can check where you’re signed in and how you’re signed in. From the top - we have 2 Step Verification. Check out my recent videos about 2FA to get a really in depth explanation of this, but the TLDR is this: you know how sometimes you’ll log into a website with your username and password, then it’ll prompt you to type in a six digit code that was sent to your phone number? That’s 2FA. It’s a second step in the login that verifies you are who you say you are past the password step. That way, if someone has your password, they’d also need that six digit code to log in. You want to enable 2FA if it’s not already turned on.

On the 2FA page, you can choose how you receive those codes.

The first option I’d recommend is using an authenticator app. Without getting too much into the nitty gritty, this first option will generate codes inside an app on your phone, rather than sending them to you via text message. We know people can steal phone numbers and get text messages redirected to their own phones; this is called SIM swapping. So to prevent that from happening, you can use an app installed on your device to get the codes instead. Better yet, they work even if your phone is offline, so if you can’t get texts for some reason, you can just open the app and get your code that way instead.

Generally, authenticator apps all work the same, though some come with extra bells and whistles that you can pick and choose from depending on your needs. I recommend Authy or Google Authenticator. Both are free, cross platform apps. When you first download the app, it won’t have anything in it, so you need to pair it with your Google Account. To do so, you go over to your Google Account in your browser, and choose Add the authenticator app, and follow the on screen directions, which will usually tell you to open the authenticator app, click plus to add a new account, take a photo of the QR code that shows up on your google account settings page, and voila!

Now anytime you log into your google account via a new computer, you’ll need to enter a code that’s generated in this app. The code changes every several seconds, which means you’ll need to have that phone with that code in order to unlock your account.

The bad part of these codes is that they can be stolen. If a malicious actor can see that code, whether they spy on you over your shoulder in person and see it on your phone, or if you accidentally type that code into a malicious website that looks like a legit login page - it can be stolen. You have to be really careful about where you type these codes in and make sure to never hand them over to anyone, even though they change every few seconds. So we do have some alternatives.
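As an added illustration (not code from the video), here is what an authenticator app actually computes: a standard TOTP code from the shared secret and the current 30-second window, plus the check the site runs on the code you type. The secret is the RFC 6238 reference value, not a real account's.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 reference secret ("12345678901234567890" in base32), used here as a constructed demo
# value so the results can be checked against the RFC test vectors; never a real account secret.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: the counter is simply which 30-second window `at_time` falls in,
    which is why the code in the app changes every 30 seconds."""
    return hotp(secret_b32, at_time // step, digits)


def verify_totp(secret_b32: str, code: str, at_time: int, step: int = 30, skew: int = 1) -> bool:
    """What the site does with the code you type: accept the current window plus `skew`
    windows either side for clock drift, nothing older. A code someone got out of you a few
    minutes ago is therefore already dead; one they get right now still works."""
    window = at_time // step
    return any(hmac.compare_digest(hotp(secret_b32, c, len(code)), code)
               for c in range(window - skew, window + skew + 1))


if __name__ == "__main__":
    now = int(time.time())
    print("code for this 30-second window:", totp(DEMO_SECRET_B32, now))
```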

Google gives you the option to have a prompt sent to your phone that asks you to verify a log in - and this can be used as a second factor as well. But if you choose to use this option, you need to be aware of a problem called 2FA fatigue. If you see these prompts on your phone pop up, you need to make absolutely sure you are the person who’s trying to sign in before clicking “yes” on your phone screen. If you just click yes just to get the pop up off your screen and don’t know why it was there in the first place, you could be authorizing another person to sign into your account. 2FA fatigue sounds like one of those things that you’d never fall for, but this has been used in recent attacks against big corporations, and employees of those companies have fallen for it.

The best 2FA protection is using a security key. This (HOLD UP KEY) is a Yubikey. It’s a hardware key that replaces the need to type in a code. You can sync one of these keys with your google account so anytime you need to log into your account on a new machine, you’ll have to also plug in this device to that machine to tell it that you not only know your password, but you also hold the key as well.

Yubikeys are highly recommended for content creators since 2FA codes can be stolen. When you use a Yubikey with your google account it doesn’t type any codes out onto the webpage as you log in. Instead, it uses a special handshake set up between the website and the physical key so all you have to do is touch the key to validate it’s actually in your possession. If an attacker tries to get you to log into a fake spoofed youtube website, the Yubikey won’t work because it won’t recognize the website when it authenticates with that handshake. That means even if an attacker steals your username and password, they’d get stuck at the 2FA page because (I’m assuming) you haven’t given them your hardware key.
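An added example, not the author's or Yubico's code, of why the key won't work on a spoofed site: the browser puts the real domain (the rpId) and origin into what gets signed, and the key only holds a credential for the domain it was set up on. The site name is a constructed placeholder, and an HMAC stands in for the key's public-key signature so this runs with the standard library only.

```python
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlparse


class SecurityKey:
    """Models the hardware key: one credential per relying-party ID (rpId), usable nowhere else."""
    def __init__(self):
        self._creds = {}  # rpId -> credential secret (stand-in for the real key's private key)

    def register(self, rp_id: str) -> bytes:
        self._creds[rp_id] = secrets.token_bytes(32)
        return self._creds[rp_id]  # stand-in for the public key the site stores at setup

    def sign(self, rp_id: str, client_data_hash: bytes):
        key = self._creds.get(rp_id)
        if key is None:  # a look-alike domain maps to an rpId the key has never seen
            raise LookupError(f"no credential for {rp_id!r}")
        auth_data = hashlib.sha256(rp_id.encode()).digest()  # rpIdHash, as in authenticatorData
        return auth_data, hmac.new(key, auth_data + client_data_hash, hashlib.sha256).digest()


class Browser:
    """The browser fills in rpId and origin from the page it really loaded, not from page content."""
    def __init__(self, key: SecurityKey):
        self.key = key

    def get_assertion(self, page_url: str, challenge: str):
        u = urlparse(page_url)
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                                  "origin": f"{u.scheme}://{u.hostname}"}, sort_keys=True).encode()
        auth_data, sig = self.key.sign(u.hostname, hashlib.sha256(client_data).digest())
        return client_data, auth_data, sig


class Site:
    """The relying party: challenge, origin, rpIdHash and signature must all check out."""
    def __init__(self, origin: str, key: SecurityKey):
        self.origin, self.rp_id = origin, urlparse(origin).hostname
        self.cred, self.challenge = key.register(self.rp_id), None

    def new_challenge(self) -> str:
        self.challenge = secrets.token_urlsafe(32)
        return self.challenge

    def verify(self, client_data: bytes, auth_data: bytes, sig: bytes) -> bool:
        cd = json.loads(client_data)
        want_auth = hashlib.sha256(self.rp_id.encode()).digest()
        want_sig = hmac.new(self.cred, auth_data + hashlib.sha256(client_data).digest(),
                            hashlib.sha256).digest()
        return (cd.get("type") == "webauthn.get" and cd.get("challenge") == self.challenge
                and cd.get("origin") == self.origin
                and hmac.compare_digest(auth_data, want_auth) and hmac.compare_digest(sig, want_sig))


def attempt_login(site: Site, browser: Browser, page_url: str) -> bool:
    """One login: the site issues a challenge, the page at page_url asks the browser to sign it."""
    challenge = site.new_challenge()
    try:
        client_data, auth_data, sig = browser.get_assertion(page_url, challenge)
    except LookupError:
        return False  # the key simply refuses; a fake page gets nothing it could replay
    return site.verify(client_data, auth_data, sig)


KEY = SecurityKey()
REAL_SITE = Site("https://accounts.example.com", KEY)  # constructed stand-in for the real login page
BROWSER = Browser(KEY)
```

Even if the key did hold a credential for the look-alike domain, the assertion would carry that domain's rpIdHash and origin and the real site would reject it.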

Yubikeys have no subscription fee; you buy one once, then you can use the same key for any websites that support 2FA via hardware keys, and you only need to use it whenever you need to reauthenticate or re-log in. That means you don’t need to use it every day on your normal machines. If you get a new phone or laptop, you’ll need to have your key ready since your google account isn’t gonna recognize this new device. That prevents attackers from logging into your account on a new device too.

If you’re worried about losing your key - grab yourself a second one and set that one up on your google account too, then store it somewhere safe. I actually highly recommend doing this. That way, if the first one gets destroyed or lost or stolen, you can log in with your secondary key, revoke the primary one that got misplaced, and still have access to your account.

Even better: I have a coupon code just for my viewers! Use the code SHANNONMORSE for $5 off any Yubikey 5 series or security key series purchase. Huge thank you to Yubico for not only keeping us more secure online but also hooking up my viewers with a sweet discount code.

What happens if you lose both of your keys, or your phone with your authenticator app? This is where Backup Codes come into play. These are 8 digit codes - different from the six digit 2fa code that’s generated in an authenticator app - that can be used to log into your account if you lose access. You get 10 different codes and each of them can only be used ONCE, then it’s burned. You will want to COPY these codes and STORE THEM safely. If for any reason you lose your 2fa key or codes, these backup codes are your last resort to get into your account. Print ‘em out, keep them secret, keep them safe, don’t lose them.

Want more in depth info about 2FA hardware keys? I’ve got videos linked down below on everything you need to know to choose one and why they work so well for account protection.

Other things to check in the Security page: Revoke or remove any old devices that are currently signed into your google account. Remove or revoke any third party apps or linked accounts that you no longer use or need.

You’ve just made your main google / youtube account a lot more secure by going through those steps. But… Youtube accounts are still getting hacked even with 2FA turned on. What’s going on? 2FA is your first defense, but again - don’t leave any doors open. We also need to consider other vectors of attack.

Let’s chat about email. Your youtube account is associated with an email address. Ensure that email address is a private one that is ONLY used to sign into your youtube account. If you use this email account to get emails from viewers, from brands wanting to work with you, and from google - not only could you miss important emails about your youtube account, but it could also be used to steal your account.

PRO TIP: Don't publicize the email address you use to log in to your youtube account.

Attackers create realistic looking emails and send them to whatever email address they can find for you.

You’ve already protected this email account via the steps we just went through, but no one needs to know that account. If an attacker knows what email address you use to log in to youtube, they could start emailing you at that email address with really realistic looking emails that look like they’re coming from google and youtube, and try to get you to click on malicious links in the email or get you to download malware.

If you keep your login email address private and publicize an email address that’s specifically created for public inquiries… it would be a dead giveaway if an attacker tried to send your public email address an email that looks like it’s coming from Youtube. Youtube is only gonna send you emails at the email address you use to sign in, not some email address you just use for your viewers to send in questions. Wouldn’t that be weird? That’s a red flag.

Now if you do get emails to your private email address that seem to come from google or youtube - you still shouldn’t click on anything in that email. Youtube never sends documents via email for you to download, and anything you need to know about your account can be accessed via the Youtube Studio app or on the website which is studio.youtube.com. You don’t need to click on any links in the email to access the same information. Same goes for Google Adsense and payments. You can access everything via the adsense website.

You may think that if the email address in the “from” line says it’s from someone AT google DOT com, then it’s legit. But nowadays, that’s not the case. Email addresses can be spoofed, so they look like they’re coming from google DOT com, but are really coming from an attacker’s email address.

You can check the actual from email address by clicking on the three little dots in the email and clicking on Show Original - this will show you whether or not the email passed all of Gmail’s checks - if it did, it says PASS. If not, it’ll say “FAIL” or “SOFT FAIL”. Even then, this isn’t a 100% surefire way to tell if an email is legit or not - so it’s best to not click on any links or download anything from emails.
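The PASS/FAIL lines you see under Show Original are the receiving server's SPF, DKIM and DMARC results, recorded in the Authentication-Results header. This added example (not from the video) reads those verdicts from constructed headers and also checks that the domain that passed is the one shown in From, because a look-alike domain can pass every check on its own name. example.com stands in for the real sender's domain.

```python
import email
import email.utils
import re

# Constructed sample headers (not real mail). The first is authenticated and aligned, the second
# spoofs the From domain and fails, the third passes every check but for a look-alike domain.
LEGIT_MSG = (
    "Authentication-Results: mx.example.net; dkim=pass header.i=@example.com header.s=s1;"
    " spf=pass (sender IP is 192.0.2.10) smtp.mailfrom=notify@example.com;"
    " dmarc=pass (p=REJECT) header.from=example.com\n"
    'From: "Example Notifications" <no-reply@example.com>\n'
    "Subject: Account notice\n\nbody\n"
)
SPOOFED_MSG = (
    "Authentication-Results: mx.example.net; dkim=none;"
    " spf=fail (sender IP is 198.51.100.7) smtp.mailfrom=no-reply@example.com;"
    " dmarc=fail (p=REJECT) header.from=example.com\n"
    'From: "Example Support" <no-reply@example.com>\n'
    "Subject: Urgent: policy change\n\nbody\n"
)
LOOKALIKE_MSG = (
    "Authentication-Results: mx.example.net; dkim=pass header.i=@example-c0m.example header.s=k1;"
    " spf=pass smtp.mailfrom=team@example-c0m.example; dmarc=pass (p=NONE) header.from=example-c0m.example\n"
    'From: "Example Team" <team@example-c0m.example>\n'
    "Subject: New partner program\n\nbody\n"
)

# Domains the real service is expected to mail from: a constructed stand-in set.
EXPECTED_SENDER_DOMAINS = {"example.com"}

AR_METHOD = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
AR_PROP = re.compile(r"\b(header\.from|header\.i|smtp\.mailfrom)=([^\s;]+)")


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def analyze(raw: str) -> dict:
    """Pull the visible From domain and the receiving server's SPF/DKIM/DMARC verdicts from the headers."""
    msg = email.message_from_string(raw)
    from_domain = _domain(email.utils.parseaddr(msg.get("From", ""))[1])
    ar = " ".join(msg.get_all("Authentication-Results", []))
    results = {m: r.lower() for m, r in AR_METHOD.findall(ar)}
    props = {k: v.lower() for k, v in AR_PROP.findall(ar)}
    # DMARC alignment: the domain that actually passed DKIM or SPF must be the one shown in From.
    authenticated = [d for d, m in ((_domain(props.get("header.i", "")), "dkim"),
                                    (_domain(props.get("smtp.mailfrom", "")), "spf"))
                     if d and results.get(m) == "pass"]
    return {"from_domain": from_domain, "results": results, "aligned": from_domain in authenticated}


def verdict(raw: str) -> str:
    """'fail' = spoofed or unauthenticated; 'warn' = authenticated, but not a domain the service uses;
    'pass' = authenticated and expected. Even 'pass' is not proof, so open the service's own site
    rather than the links in the mail."""
    a = analyze(raw)
    if a["results"].get("dmarc") != "pass" or not a["aligned"]:
        return "fail"
    return "pass" if a["from_domain"] in EXPECTED_SENDER_DOMAINS else "warn"
```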

Recently, a phishing campaign has hit many creators’ email inboxes and it looks like a YouTube PSA email about changes they’re making to the platform. The emails can look so similar to a youtube email that creators are falling for it and clicking on links within the email. Creators who’ve received this email have posted screenshots of it online for others to see, as a warning about how legitimate these look.

So be incredibly careful about what you choose to click on in emails.

You’ve protected and privatized your login email address… But attackers have gotten smart, and they’ve started sending realistic looking brand deals or sponsorship inquiries to Youtube creator public email addresses. These often look really legit, but they’ve been asking creators to download media kit documents that aren’t actually contracts or descriptions of a brand deal - they’re malware. These contain viruses or downloadables that once on your machine, exfiltrate keyboard strokes, take screenshots of displays, or steal login sessions from cookies.

I did a whole video explaining how cookies work. TLDR - cookies are the special sauce that let you stay signed into websites while you browse the internet, and they make it so when you click from one page to another on youtube.com, you don’t have to re-sign in every single time the page refreshes. Your current logged in session is memorized by your computer and it keeps you signed in until you force it to forget your session, which you can do by telling your browser, like chrome, to delete cookies and sign you out every time you close your browser, tell it to sign out of everything every 30 days, etc. Banks do this automatically, forcing a sign out after like 5 minutes of inactivity - this is to force the session to expire.

Cookies are great because they keep you logged in and make browsing convenient, but an attacker can also steal your logged in session from your computer by stealing those cookies through malware.

If an attacker gets you to download malware that can steal these cookies, then as long as your session is valid and logged in, they can straight up copy and paste that session onto their own computer and pretend to be you, already logged in.
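Added example, not from the video: a minimal server-side session table showing why a copied cookie is as good as the original for as long as the session is live, and how an idle timeout and a "sign out of all devices" action cut that window short. Timestamps and the user name are constructed.

```python
import secrets
import time


class SessionStore:
    """Server-side session table. The cookie value is only a lookup key, so the server cannot tell
    the real browser from a machine that presents a copied cookie; 2FA happened at login, not here.
    Idle timeout, absolute lifetime and revocation are what limit how long a copied cookie stays useful."""

    def __init__(self, idle_timeout: int = 5 * 60, max_lifetime: int = 30 * 24 * 3600):
        self.idle_timeout = idle_timeout
        self.max_lifetime = max_lifetime
        self._sessions = {}  # token -> {"user", "created", "last_seen"}

    def login(self, user: str, now: float) -> str:
        token = secrets.token_urlsafe(32)  # the value that lands in the browser's cookie jar
        self._sessions[token] = {"user": user, "created": now, "last_seen": now}
        return token

    def user_for(self, token: str, now: float):
        """Called on every request: returns the user, or None once the session is gone or expired."""
        s = self._sessions.get(token)
        if s is None:
            return None
        if now - s["last_seen"] > self.idle_timeout or now - s["created"] > self.max_lifetime:
            del self._sessions[token]  # the bank-style forced sign-out described above
            return None
        s["last_seen"] = now
        return s["user"]

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)

    def revoke_all(self, user: str) -> int:
        """'Sign out of all devices': the right response when you suspect your cookies were stolen."""
        doomed = [t for t, s in self._sessions.items() if s["user"] == user]
        for t in doomed:
            del self._sessions[t]
        return len(doomed)


def copied_cookie_timeline(idle_timeout: int = 300) -> dict:
    """Walk through the scenario with constructed timestamps: the creator logs in, the same cookie
    value presented from another machine is accepted while the session is live, and is refused once
    the session idles out (which also signs the creator out, so they log in again with 2FA)."""
    store = SessionStore(idle_timeout=idle_timeout)
    t0 = 1_700_000_000
    cookie = store.login("creator", t0)
    copied = cookie  # same string, different computer
    return {
        "other_machine_while_live": store.user_for(copied, t0 + 60),
        "other_machine_after_idle": store.user_for(copied, t0 + 60 + idle_timeout + 1),
        "creator_after_idle": store.user_for(cookie, t0 + 60 + idle_timeout + 2),
    }


if __name__ == "__main__":
    print(copied_cookie_timeline())
```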

This is how attackers are bypassing 2FA, and this is how our friends at Linus Tech recently got hacked.

In their case, they also have a big business account, so several people have access to the youtube channel. Each person who had access could also do things like delete videos, start live streams, upload new videos, etc. For these kinds of accounts, limit who has access, audit those accounts and give them 2FA keys too. Give them a special email address that's private that is only used for logging into youtube. Choose who has limited access and what kind of access you give them.

It may make things a little less convenient, but much of the malware being distributed this way attacks Windows computers. So admins might want to consider only accessing their youtube accounts from machines that are better protected and sandboxed - like your phone running on Android or iOS, or from a desktop using an alternative operating system. One way to streamline this is by just using a Chromebook for accessing the youtube account. This would make it harder for an attacker to steal session cookies because they’d need to set up specialized malware to be distributed on every platform.

When YouTube accounts get hacked, it’s a stressful situation. If you’re a content creator, you could lose valuable days or even weeks of views and growth. It could hurt your reputation or destroy years of work. YouTube does help creators fix their channels after a hack, but the damage is done - creators lose momentum and lose subscribers when a hack happens, so it’s best to prevent it as best you can before it happens.

By using good security hygiene for your email, deleting session cookies as often as you feel comfortable doing, and using 2FA to lock up your login account - you take crucial steps that defend against common tactics.

We’ve learned in the last couple of years that the way these hacks happen changes over time, but these are the current ways we’ve seen accounts getting hacked.

haveibeenpwned to track email leaks

https://youtu.be/hN2e4tpxMQY

In the Google account, you probably wanna click on Personal Info, scroll down to contact info and click on email. On this page, add a recovery email address you can use to recover your google account in case you ever get locked out.

You can do the same thing with the phone number section, adding a phone number and setting it up to get security alerts or password resets.

Let’s go a bit deeper on this - both the recovery phone or email address need to be protected too. You don’t want someone getting access to one of the recovery accounts and resetting your password or logging into your account. So take note of the accounts you have set up for recovery, and revisit them after I go through the rest of the steps in this video, and ensure those accounts are also protected with these same measures.

In other words - you can protect this youtube account all day long, but if your recovery email address’s password is abc123, it won’t take someone long to hack into that account and in turn hack into this account too. You gotta protect all the things - don’t leave your garage door open.

While not necessary for this video, you may want to audit the Data and Privacy page to tweak it to match your own standards and lifestyle.

In order to set one of these apps up with your Google Account - first download the app from the app store on your phone, open it and choose to add a new account to the app. This will bring up a camera lens so you can take a picture. Back on your Google Account page, you can choose to add the authenticator app, and this will give you a QR code on the screen. Scan the QR code with your phone’s new authenticator app, and voila - the two get connected.

From the Security page you’ll also want to audit which devices are currently signed into your google account - revoke and remove old phones, old laptops, anything you don’t recognize. And check third party apps that have access - remove or revoke any that don’t need access anymore. If there’s any third party linked accounts you don’t need to keep on your google account you can remove those as well.

Shannon Morse

Shannon Morse is an online video producer and host. She has reviewed hundreds of consumer tech products and produces easily understandable tutorials about security and privacy.

Shannon currently hosts Morse Code, Sailor Snubs, and Shannon Travels The World. Her tech channel is a leading source for practical and logical security and privacy information in today’s digital age.

https://www.shannonrmorse.com/