Linus reveals the cause of Linus Media Group's YouTube hacks

YouTube needs to harden their security against this kind of attack, and doing so should be simple

Linus reveals the cause of Linus Media Group's YouTube hacks

Linus Media Group's YouTube channels were hacked through a fake sponsorship email

Following yesterday's hack, Linus Media Group has officially regained control of their YouTube channels, including Tech Linked, Tech Quickie, and Linus Tech Tips, all of which were seized by hackers in the early hours of yesterday morning.
Following the hacking of these channels, attackers had quickly changed the name of these channels to Tesla, or something similar, and used them to stream podcast-style videos promoting AI and cryptocurrencies using footage of Elon Musk. Within the stream chats of these videos, the hackers pointed viewers towards a website where they planned to use a fake crypto giveaway to scam people.
These types of YouTube hacks are all too common on YouTube, with most of these scams using the concept of a crypto giveaway to entice victims into sending money to scammers. The scammers claim that users will be sent more money in return than they send to the scammers, a promise that is not kept. Our advice is to avoid any kind of crypto giveaway, and to keep an eye open for scammers on YouTube.
Linus Sebastian, the owner and operator of Linus Media Group (LMG), has confirmed that their hack originated from a fake sponsorship email which contained malware. This malware stole the cookies from a LMG employee and hackers used them to take control of several Linus Media Group YouTube channels.
This type of attack is incredibly common on YouTube
Linus Media Group is not the only company that has been affected by this kind of YouTube account theft, and this kind of attack is extremely common. Given how this hack uses stolen cookies, it is likely that Google and YouTube could easily strengthen their security mechanisms to prevent such attacks. This hack did not require compromised passwords and bypassed the protections of two-factor authentication, despite the fact that hackers were using stolen authentication cookies from the other side of the world. 
One easy way for YouTube to help avoid this kind of security issue is to make their authentication cookies region or IP locked, preventing them from being used by hackers outside of the victim's global region. Additionally, authentication prompts should be asked for by YouTube when channel name changes and mass video changes or deletions are requested. These changes would prevent this kind of hack from doing major damage to YouTubers and their channels.
In the video below, Linus Sebastian explains how their channels were hacked yesterday and what YouTube can do to prevent this from happening again.

YouTube and Google need to harden their security against these hacks

Given how long this type of account theft has been a problem on YouTube, the company has gained a reputation amongst victims as an organisation that does not take this kind of security breach seriously. This has to change. YouTube has the ability to make this kind of account breach impossible by tightening of existing their security mechanisms. 

YouTubers have a limited ability to prevent this type of account takeover, as this kind of breach does not require compromised passwords or any other kind of traditional data breach. All they need to do is open a fraudulent attachment from a fake sponsorship email and hackers have the ability to take over their YouTube channels. While this kind of hack can be avoided by teaching YouTubers and their staff how to spot these kinds of attachments, YouTube can stop these hacks entirely by blocking this attack vector.

We hope that YouTube can respond to yesterday's attack by updating their security mechanisms accordingly.

You can join the discussion on Linus Media Group regaining control of their YouTube channels on the OC3D Forums.

«Prev 1 Next»

Most Recent Comments

24-03-2023, 11:27:15

It's funny how this kind of thing has been going on for years, but it takes a big tech channel to literally shame google about it, for them to do anything about the issue.Quote

24-03-2023, 12:26:22

How about his staff don't open dodgy PDFs?

I mean FFS, even *I* don't do that, let alone would I at a work place.Quote

24-03-2023, 12:37:03

Originally Posted by AlienALX View Post
How about his staff don't open dodgy PDFs?

I mean FFS, even *I* don't do that, let alone would I at a work place.
That would be the same as requiring all the people who bought an NVIDIA RTX card with the 12VHPWR coenctor to be able to tell that it wasn't fully plugged in and never cause a fire hazard.

It doesn't matter how much you focus on teaching people to not poke the crack in the wall, someone will eventually do it and the wall will break and the water will come flooding in. The correct way to handle these things is to just repair the wall, close the gap or whatever. If you don't, it's only a matter of time untill things go south.

And from the video that they published earlier, it looks like they wrote a very convincing e-mail with no spelling errors and that receiving requests like these is a common thing with their sponsors, so even a very informed person could still end up doing it.

I for one receive PDF files multipe times each day on my e-mail from people who work with me, if one of them infected one of these PDFs or someone else tried to copy the common e-mails I receive daily, unless I caught the different e-mail adress I would certainly fall for it. Given, it's kinda hard for me not to notice an odd e-mail adress because it's not common that my colleagues change their e-mail adresses and a new one would not come with the same contact name, but it could still happen depending, for example on my state of mind at that time or if one of my colleagues recently warned me of an e-mail change or had an issue with his e-mail account, I could literally be expecting a different e-mail to arive.Quote

24-03-2023, 13:03:01

I think people forget how effin good some mails are, at replicating legit and genuine companies or contact points.

A colleague internally working in security sent a "test" mail to all of us and copied GSMA (

He did it so perfect that 40% of staff followed the link. It was a harmless redirect but still provided him with a counter for how many fell for this phising.Quote

24-03-2023, 13:18:45

I agree it is very clever and well done. However, even *I* won't open a PDF sent in the mail to me. Let alone if I were in that position. Then again, maybe I wouldn't care as much lol.Quote

Register for the OC3D Newsletter

Subscribing to the OC3D newsletter will keep you up-to-date on the latest technology reviews, competitions and goings-on at Overclock3D. We won't share your email address with ANYONE, and we will only email you with updates on site news, reviews, and competitions and you can unsubscribe easily at any time.

Simply enter your name and email address into the box below and be sure to click on the links in the confirmation emails that will arrive in your e-mail shortly after to complete the registration.

If you run into any problems, just drop us a message on the forums.