23 Million YouTube Creators Following ‘Massive’ Hack Attack

High-profile YouTubers have been targeted by cybercriminals over the weekend in what appears to have been a highly coordinated and "massive" attack. The security warning was made by Catalin Cimpanu, a ZDNet reporter, who spoke to a member of an internet forum with a history of trading access to hacked accounts. Here's what we know so far and what you need to do to protect your own YouTube account.

Which YouTube accounts have been hacked?
According to the ZDNet investigation, many accounts belonging to well-known YouTubers within the car community appear to have been hijacked. However, the attack itself also appears to have been directed mostly towards "influencers" across many YouTube channel genres. Among those taking to Twitter to complain that their YouTube accounts had been hacked and access to their channels lost were YouTubers covering technology, music, gaming and Disney. With more than 23 million YouTube channels, though, anyone who creates content should heed this warning.

How were the YouTube accounts hacked?
The investigation by Cimpanu points clearly towards a coordinated phishing campaign. Having spoken to a member of an internet forum where online account hijackers are known to chat, Cimpanu was able to determine that this was likely a highly targeted, or "spear phishing," campaign rather than a spray and pray operation. The forum member told ZDNet that someone had got hold of a "real nice database," and were "getting a bang for their buck," as a result.

The attack methodology would appear to be nothing out of the ordinary, truth be told. Emails are sent to people to be targeted from the list of YouTuber influencers, luring them to a fake Google login page. This is used to harvest their Google account credentials which then give the attacker access to YouTube accounts. These are then transferred to a new owner and the vanity URL changed. The actual owner of that channel and those who subscribe to it are left thinking the account has been deleted.

At least some of the accounts that were successfully hacked had been employing two-factor authentication (2FA) for additional protection, according to the ZDNet report. This suggests that the attackers were using a reverse proxy toolkit, such as the popular Modlishka phishing package, to intercept 2FA codes sent using SMS.
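A reverse-proxy phishing page relays the real sign-in flow, so the hostname in the link is the most dependable signal that a "Google login" is fake. The sketch below is an added example, not code from the article or the ZDNet report: it pulls links out of an HTML email and flags any that use Google or YouTube branding while pointing at a host that is not Google's. The domain list, function names and sample email are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: domains treated as Google-owned for this check.
GOOGLE_DOMAINS = ("google.com", "youtube.com")
BRAND_TOKENS = ("google", "youtube")

# Constructed sample email body; all .example hosts are placeholders.
SAMPLE_EMAIL = """
<p>Your channel was flagged. <a href="https://accounts.google.com/signin">Sign in</a></p>
<a href="https://accounts.google.com.login-verify.example/signin">https://accounts.google.com/signin</a>
<a href="https://accounts.google.com@login.example/">Review channel</a>
<a href="https://news.example/article">Read more</a>
"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def classify(href, text=""):
    """Return 'google', 'suspicious' or 'other' for one link."""
    try:
        parts = urlsplit(href)
        host = (parts.hostname or "").lower()
    except ValueError:  # malformed URL, e.g. unbalanced IPv6 brackets
        return "suspicious"
    owned = any(host == d or host.endswith("." + d) for d in GOOGLE_DOMAINS)
    if owned and parts.scheme == "https" and "@" not in parts.netloc:
        return "google"
    # Brand name in the URL or the visible text, but the host is not Google's.
    lure = f"{href} {text}".lower()
    return "suspicious" if any(t in lure for t in BRAND_TOKENS) else "other"

def scan_email(html_body):
    collector = LinkCollector()
    collector.feed(html_body)
    return [(href, classify(href, text)) for href, text in collector.links]
```

The check covers look-alike subdomains, the `user@host` trick and link text that shows a Google address while the link goes elsewhere; it does not attempt homoglyph or punycode matching.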
