YouTube Hack: When 2FA isn’t quite enough


Hackers targeted a number of high-profile, “influencer” YouTube accounts using a coordinated phishing attack.

“Phishing” is where a notification (email, text, etc.) pretends to come from the provider and leads the individual to a site that looks very, very much like the real site. The attackers then get the individual to enter valid credentials, which they steal and use to access the account themselves.

The best way to avoid accidentally typing your credentials into a phishing site is to pay really close attention to the URL, but honestly no one does that 100% of the time. The failsafe is to add some form of two-factor authentication (2FA). Unfortunately, it looks like the hackers intercepted Google’s 2FA using a tool called “Modlishka”, which not only proxies the Google web content but also creates a fake page that intercepts the real 2FA code.

Once the hackers had that, they were able to completely take over not only the YouTube accounts, but all the security associated with the user’s accounts. They moved the YouTube content to a different owner and changed the vanity URL of the channel, making it look like all the content had been deleted.

Multifactor authentication is still very difficult to get around and really, you should be using some form of 2FA or MFA on all of your accounts. That said, this hack demonstrates the need for finer-grained controls: a code isn’t enough. Although just about anything can be spoofed, security professionals should factor in things like location, device signatures, time of day, existing cookies, and other patterns when deciding whether to trust a login.

We should still keep it easy for the user to log in and get a code, but we should be watching for more than just a couple bits of data.
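One way to combine those signals after the code has been accepted, as an added example that is not from the original post or from any provider's implementation. The field names, weights, thresholds and the list of sensitive actions are all assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Weights and thresholds are illustrative assumptions, not any provider's values.
WEIGHTS = {"new_country": 30, "new_device": 30, "odd_hour": 15, "no_prior_cookie": 25}
STEP_UP_AT, DENY_AT = 40, 80
SENSITIVE_ACTIONS = {"transfer_ownership", "change_vanity_url"}

@dataclass
class Profile:
    """Context learned from the account's earlier, trusted sessions."""
    countries: set
    device_ids: set
    usual_hours: range  # local hours in which the user is normally active

@dataclass
class Event:
    """A request that has already passed the password and 2FA code checks."""
    action: str
    country: str
    device_id: str
    hour: int
    has_prior_cookie: bool  # cookie set by a previous trusted login was presented

def signals(event, profile):
    """Return the names of the context signals that look unfamiliar."""
    checks = {
        "new_country": event.country not in profile.countries,
        "new_device": event.device_id not in profile.device_ids,
        "odd_hour": event.hour not in profile.usual_hours,
        "no_prior_cookie": not event.has_prior_cookie,
    }
    return [name for name, unfamiliar in checks.items() if unfamiliar]

def decide(event, profile):
    """Return (decision, score, signals); a valid code alone never decides."""
    found = signals(event, profile)
    score = sum(WEIGHTS[name] for name in found)
    if score >= DENY_AT:
        return "deny", score, found
    # Ownership and URL changes need a fully familiar context.
    if score >= STEP_UP_AT or (found and event.action in SENSITIVE_ACTIONS):
        return "step_up", score, found
    return "allow", score, found

if __name__ == "__main__":
    # Constructed sample data: one known user, then a login relayed from elsewhere.
    known = Profile({"US"}, {"dev-1"}, range(7, 23))
    print(decide(Event("login", "US", "dev-1", 10, True), known))
    print(decide(Event("login", "ZZ", "dev-9", 3, False), known))
```

A login relayed through a look-alike domain arrives from the proxy's own device and location and without the cookie the real site set earlier, so it scores high even though the 2FA code it carries is valid.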

More news on the YouTube hack can be found here:

ZDNet: Massive wave of account hijacks hits YouTube creators

Forbes: YouTube Security Warning For 23 Million Creators As ‘Massive’ Hack Attack Confirmed