YouTube Channels Are Being HACKED! (How to Protect Yourself)

Protecting Your YouTube Channel from Hackers

In this podcast episode, Sean Cannell and Shannon Morse discuss how to protect your YouTube channel from hackers. They share their experience of losing their Think Media podcast channel for 10 days and provide insights on the tools and mistakes creators can avoid to protect themselves.

Understanding the YT Stealer Attack

  • Forbes posted an article about the YT Stealer attack that is affecting many channels.
  • Hackers can take over your account without you knowing until it's too late.
  • The attack on Think Media's podcast channel was likely a YT Stealer attack.

Protecting Your Online Presence

  • Creators need to protect not just their YouTube channels but also their online presence overall.
  • Cyber threats are costing creators millions and even billions of dollars in losses.
  • Shannon Morse is a security and privacy advocate who helps inspire others to live life to the fullest while not sacrificing their identity, ethics, or privacy.

Unpacking the Situation

  • Sean shares his experience of losing his Think Media podcast channel for 10 days.
  • Hackers often hack channels of different sizes, privatize videos, push out pre-recorded content, and solicit crypto payments.
  • Two-factor authentication can help prevent hacking attempts but it's important to be vigilant with login attempts.

Tactical Tips for Protection

  • Creators should use strong passwords that are unique to each account.
  • Creators should enable two-factor authentication and be vigilant with login attempts.
  • Creators should limit the number of people who have access to their accounts and revoke access for those who no longer need it.

Conclusion

  • Protecting your YouTube channel from hackers is crucial in today's digital age.
  • By following these tactical tips, creators can protect themselves from cyber threats and safeguard their online presence.

YouTube Channel Hacked: Lessons Learned

In this section, the speaker talks about how their YouTube channel was hacked and what they learned from the experience.

The Hack

  • The hack did not involve a text message code situation. Instead, someone on the team clicked to approve a suspicious pop-up.
  • After getting past two-factor authentication, Google changed the code to a physical USB key.
  • Managers who did not have authority were still in there and watched as changes were made. They made all videos private but didn't delete them.
  • The hackers changed the channel name to Tesla official and tried to do a live stream, which was shut down by one of the managers.

Dealing with the Hack

  • The team reached out to YouTube on Twitter and then filled out an email form for Google support.
  • It took days to get responses, but eventually, after 10 days, the hacker got kicked out and they started restoring their channel.
  • During the hack, all videos were made private and had to be turned back public once they regained control of their channel.

Lessons Learned

  • Protecting your account is important because it can affect your growth on the platform and your income if you depend on it.
  • Other people have also been hacked recently.

Understanding the YT Stealer Attack

The YT Stealer Attack is a type of attack that steals YouTube authentication cookies, which can allow attackers to bypass login credentials and gain access to user accounts. This section discusses how this attack works and what users can do to protect themselves.

How the Attack Works

  • Forbes posted an article about the YT Stealer Attack, which involves stealing YouTube authentication cookies.
  • Authentication cookies are used to keep users logged in for extended periods without having to re-enter login credentials.
  • If someone steals the code for a session ID, they can use it to log into an account on their own computer without needing login credentials.
  • It's difficult to know if someone has stolen your information until it's too late and they've already gained access.

Protecting Yourself from the Attack

  • Use tools like Malwarebytes or Windows Defender to detect and remove malware from your computer.
  • Be cautious of fake emails that may contain links that lead you to enter your login credentials.
  • Look out for fake sponsorship or advertisement emails that may be phishing attempts. Check the domain name, grammar, and contact information before responding.

Malware and Phishing

In this section, the speaker discusses how malware can be embedded in PDF or docx files and how phishing is related to fishing. They also talk about how attackers might send out a massive email to content creators hoping that one of them will download the malware.

Malware in PDF or docx files

  • Malware can be embedded inside PDF or docx files.
  • Executables or malware can be downloaded onto your computer if you click on these types of documents.

Fishing and Phishing

  • Phishing is similar to fishing: an attacker sends out a mass email to content creators hoping that one of them will download the malware.
  • Spear phishing is when attackers directly target people.
  • Phishing is a way for attackers to steal information from users by tricking them into clicking on links or downloading malicious software.

Vulnerability from Clicking Links

  • Clicking on links can potentially make you vulnerable to attacks.
  • There are malicious websites that scrape data from your computer as soon as you visit them.
  • One way to tell if a link is malicious is to use an extension called uBlock Origin, which triggers a response within the browser that says whether the link is potentially malicious or not.

Avoiding Malicious Links

In this section, the speaker talks about ways to avoid clicking on malicious links, including using uBlock Origin and going straight to YouTube Studio instead of clicking on links in emails.

Using uBlock Origin

  • uBlock Origin is a free Chrome extension that triggers a response within the browser when it detects potentially malicious links.
  • It gives you the option to proceed or not.

Going Straight to YouTube Studio

  • To avoid clicking on links in emails, go straight to YouTube Studio or log in directly to AdSense.
  • Any prompts will be visible on your dashboard, so you can respond directly to YouTube or AdSense.

Conclusion

In this section, the speaker concludes the video by thanking the sponsor and promoting StreamYard as a platform for streaming to YouTube and Facebook.

Conclusion

  • The video is brought to you by StreamYard, which is a go-to platform for streaming to YouTube and Facebook.
  • It has an easy-to-use interface with built-in branding transitions, text lower thirds, and seamless integration.

Protecting Your Online Accounts with YubiKey

In this section, the speaker discusses how to protect online accounts from phishing attacks using YubiKey.

Using YubiKey for Two-Factor Authentication

  • YubiKey is a USB key that can be used for two-factor authentication.
  • It is recommended to get two keys and register any account online that accepts hardware tokens or keys for multi-factor authentication.
  • To log in, type in your username and password, click on login, and then plug in your hardware key to authenticate your account.
  • This is an upgrade from using codes sent via email or text message or generated by an application because it cannot be duplicated by attackers who may have stolen your username and password.

Why Use YubiKey Over Other Options?

  • Hardware keys like YubiKey are more secure than other options because they cannot be duplicated unless physically stolen.
  • Google Titan is another option, but the speaker recommends YubiKey because it is less expensive and has more options for different platforms.

Taking a Holistic Approach to Online Security

  • It's important to take a holistic approach to online security and privacy when protecting your accounts.
  • Think like a hacker and consider all the ways an attacker could potentially get into your account.
  • The higher up you are in terms of security and privacy, the less likely you will be targeted.

Final Thoughts

  • It's recommended for individual creators to use physical keys like YubiKey to protect their accounts.
  • YubiKey is an upfront cost but free to use forever until it's lost or broken.

Using Hardware Keys for Online Security

In this section, the speakers discuss the benefits of using hardware keys for online security and how to use them effectively.

Benefits of Using Hardware Keys

  • Hardware keys allow you to stay logged in for a long period of time without having to use them every day.
  • You don't have to carry your hardware key with you everywhere, so it is not very inconvenient to use.
  • Upgrading to hardware keys protects against 2FA fatigue requests and potential attackers stealing your codes.

How to Use Hardware Keys Effectively

  • Buy two hardware keys and set them both up at the same time. Store one away in a safe or secure location where nobody can get to it.
  • Keep the other key plugged into your computer in a secure space or on your keychain for convenience.
  • If you have a team, buy two per person and have each person set up a couple of them. Walk them through the setup process and store one away while keeping one on their keychain or in another convenient location.
  • Ask team members to delete their cookies and refresh their browser history every week or month so that if there was some kind of malware on their computer that was trying to steal their session ID, then the session ID gets refreshed.

Example of Effective Use

  • Cloudflare, a large company with tons of employees, was attacked last year by an attacker trying to get into employee accounts. However, they were unable to bypass 2FA because they were using hardware keys.

Protecting Against 2FA Fatigue

In this section, the speakers discuss 2FA fatigue and how attackers are using it to bypass security measures.

What is 2FA Fatigue?

  • 2FA fatigue is when you get tired of seeing the approve or deny request for 2FA and eventually approve it without thinking.
  • Attackers have been using 2FA fatigue to bypass security measures in companies such as Reddit, Twilio, and Uber.

How Hardware Keys Protect Against 2FA Fatigue

  • Upgrading to hardware keys protects against 2FA fatigue requests because they require physical interaction rather than just clicking a button on your phone.

Growing Up as a Company

In this section, the speaker talks about how their company needs to become more sophisticated and professional. They discuss the evolution of their team and how they started with just one person shooting videos in their bedroom.

Moving to a Dedicated Email Account

  • The majority of people in the company were using personal email accounts.
  • It is recommended to move everyone to a dedicated email account for the company.
  • Publicizing the email address used to log into YouTube can give attackers extra information that could be used to hack into an account.
  • Using a separate email account for logging in can help identify potential hacking attempts.

Online Security Tips

In this section, the speaker shares tips on auditing online security, especially connected third-party apps.

Use a Separate Gmail for Your YouTube Account

  • Use a separate Gmail account solely for logging into your YouTube account, one that is not shared or used for inbound/outbound communication.
  • Treat it like a password and don't share it with anyone.
  • If you have a team, require them to use separate email accounts as well.

Audit Third-party Apps

  • Third-party apps are applications that let you attach add-ons to your YouTube channel.
  • Some examples include vidIQ and TubeBuddy.
  • These apps usually authenticate with your Google account via OAuth, which is secure.
  • However, it's important to audit these apps regularly and revoke access if necessary.

Online Security Best Practices

In this section, the speaker discusses online security best practices and how to protect your YouTube channel from third-party apps.

Research Third-Party Apps

  • Do research on third-party apps before using them.
  • Check if they do their own security audits for their own company.
  • See if they allow you to log in via OAuth or if they require you to type in your username and password.

Control Third-Party Apps Connected to Your YouTube Channel

  • Deny any weird third-party apps that you don't recognize.
  • Remove them from your YouTube account on the back end.
  • You can control which third-party apps are connected, and which browsers and devices you're logged into, through the Google account that's attached to your YouTube channel.

Google Chrome Extensions

  • Be mindful of the extensions downloaded on Google Chrome.
  • Some extensions have been found allowing attackers to distribute malware through the extension store.
  • Audit your online security by looking at which extensions you've downloaded, and delete or uninstall anything not used day-to-day for business or the workplace.
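
One way to run the extension audit described above, as an added example that is not from the podcast: a Python script that reads each installed extension's manifest.json and lists the permissions that would let it read cookies or page content on Google and YouTube. It assumes Chrome's on-disk layout of `Extensions/<id>/<version>/manifest.json`; the permission shortlist is this example's own choice, and the three manifests are constructed samples.

```python
import json
import tempfile
from pathlib import Path

# Assumption (not from the episode): permissions that let an extension read
# cookies or page content, and so deserve a manual look during the audit.
BROAD_API = {"cookies", "webRequest", "debugger", "tabs", "scripting"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
SENSITIVE_DOMAINS = ("google.com", "youtube.com")


def audit_manifest(manifest: dict) -> list:
    """Return the reasons one extension manifest deserves manual review."""
    perms = set()
    # Manifest V2 lists host patterns under "permissions"; V3 uses "host_permissions".
    for key in ("permissions", "optional_permissions", "host_permissions"):
        perms.update(p for p in manifest.get(key, []) if isinstance(p, str))
    # Content scripts grant page access through their match patterns as well.
    for script in manifest.get("content_scripts", []):
        perms.update(script.get("matches", []))
    reasons = [f"api:{p}" for p in sorted(perms & BROAD_API)]
    reasons += [f"all-sites:{p}" for p in sorted(perms & BROAD_HOSTS)]
    reasons += [f"host:{p}" for p in sorted(perms - BROAD_HOSTS)
                if any(d in p for d in SENSITIVE_DOMAINS)]
    return reasons


def audit_profile(extensions_dir: Path) -> dict:
    """Map extension id -> (name, reasons) for every manifest found."""
    report = {}
    # Chrome stores each extension as <Extensions>/<id>/<version>/manifest.json.
    for path in sorted(extensions_dir.glob("*/*/manifest.json")):
        manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        # "name" may be a localisation placeholder such as __MSG_appName__.
        report[path.parent.parent.name] = (manifest.get("name", "?"),
                                           audit_manifest(manifest))
    return report


def build_sample_profile(root: Path) -> Path:
    """Write three constructed manifests in Chrome's on-disk layout."""
    samples = {
        "a" * 32: {"manifest_version": 3, "name": "Studio Helper (constructed)",
                   "permissions": ["storage"],
                   "host_permissions": ["https://studio.youtube.com/*"]},
        "b" * 32: {"manifest_version": 2, "name": "PDF Converter (constructed)",
                   "permissions": ["cookies", "tabs", "<all_urls>"]},
        "c" * 32: {"manifest_version": 3, "name": "Dark Mode (constructed)",
                   "permissions": ["storage"]},
    }
    for ext_id, manifest in samples.items():
        version_dir = root / ext_id / "1.0_0"
        version_dir.mkdir(parents=True)
        (version_dir / "manifest.json").write_text(json.dumps(manifest))
    return root


if __name__ == "__main__":
    # On a real machine, point audit_profile at the profile's Extensions folder.
    with tempfile.TemporaryDirectory() as tmp:
        report = audit_profile(build_sample_profile(Path(tmp)))
        for ext_id, (name, reasons) in report.items():
            print(ext_id[:8], name, reasons or "nothing flagged")
```

A flagged extension is not necessarily malicious; the list is a prompt to ask whether that extension is still needed for day-to-day work.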

Cyber Threats and VPN Recommendations

In this section, the speaker talks about cyber threats we face today and recommends VPN services.

Cyber Threats We Face Today

  • Cyber threats include hacking, theft of money or bank accounts, personal identity theft, etc.

VPN Recommendations

  • VPN is a great way to protect local information and encrypt data so nobody else can see it while it's in transit.
  • Trust is important when using VPNs.
  • Google One VPN and Proton VPN are highly recommended in the cybersecurity community.
  • Use a VPN to protect your traffic, especially if you need to log into public Wi-Fi.

What is a VPN and how to use it

In this section, the speaker explains what a VPN is and how to use it.

Definition of VPN

  • A VPN is like a secret tunnel that protects your data from point A (you) to point B (the website you're visiting).
  • It prevents anyone snooping on both sides of the tunnel from seeing what's going on inside.

How to Use a VPN

  • Download an installation file for the VPN and put it on your computer or device.
  • Alternatively, download an app on your phone or an extension for your browser.
  • Read reviews and check the terms of service before using any VPN.
  • Use a legitimate one that doesn't snoop on your traffic or sell it to third-party advertisers.

Benefits of Using a VPN

  • Helps watch content in other countries.
  • Protects you when using public Wi-Fi or hotel internet access.
  • Prevents potential attacks from someone trying to steal your information.

Risks of using public Wi-Fi and benefits of password managers

In this section, the speaker discusses the risks associated with using public Wi-Fi and why password managers are important.

Risks Associated with Public Wi-Fi

  • Don't log in or open YouTube at all when using airport Wi-Fi.
  • It's easy for someone else to pretend to be that wireless router/access point and get you to authenticate into their network instead of the real one.
  • There's no way to tell which one is real and which one's fake, so avoid connecting altogether.

Benefits of Password Managers

  • Password managers are very good at keeping track of passwords securely.
  • They help generate strong passwords that are difficult for hackers to guess.
  • One should use them in today's world to keep their accounts safe.

Password Managers

In this section, the speaker discusses the importance of using a password manager and recommends some popular options.

Importance of Using a Password Manager

  • Reusing passwords across multiple websites can be dangerous if one website gets hacked.
  • A hardware key can block hackers from accessing your accounts even if they have your password.

Recommended Password Managers

  • RoboForm has an easy-to-use UI and browser extension.
  • Bitwarden is free and has many features.
  • 1Password is advanced but more expensive.
  • KeePass is open source and allows for local downloads, but requires secure local storage.

Investing in Cybersecurity

In this section, the speaker discusses the importance of investing in cybersecurity to prevent potential losses.

The Cost of Cybersecurity Breaches

  • Potential losses include lost revenue, time, peace of mind, and team productivity.
  • Recovering from a breach can cost up to $100,000 or more depending on the extent of damage done.

Investing in Cybersecurity

  • Investing in cybersecurity is like buying insurance against potential losses.
  • It's important to consider the cost-benefit analysis when choosing which cybersecurity tools to invest in.

Protecting Your Online Information

In this section, the speaker discusses two tools that can help protect your online information. The first tool is "Have I Been Pwned," which notifies you if your email address has been exposed in a data breach. The second tool is "DeleteMe," which removes your personal information from data broker sites.

Have I Been Pwned

  • Big companies like Adobe have had leaks where email addresses were exposed.
  • "Have I Been Pwned" searches for your email address in publicly available breaches and sends notifications if it finds a match.
  • Using this website is secure because it only uses publicly available data.

DeleteMe

  • "DeleteMe" looks for personal information on data broker sites and sends opt-out requests to remove it.
  • They look at over 60 different data broker sites and send quarterly reports of what information was found and removed.
  • This service helps protect public figures or people who don't want their personal information easily accessible online.

Importance of Cybersecurity Education

In this section, the speaker emphasizes the importance of cybersecurity education and using the right tools to protect yourself online.

Importance of Cybersecurity Education

  • It's important to educate yourself about cybersecurity risks and how to protect yourself.
  • Some people may want to retreat from technology, but it's better to learn how to use it safely.

Using the Right Tools

  • Using the right tools can help protect your online information.
  • The speaker recommends "Have I Been Pwned" and "DeleteMe" as two useful tools for protecting your personal information.

Annual Audit of Online Accounts

In this section, Shannon talks about the importance of conducting an annual audit of online accounts to ensure security and privacy. She recommends using a password manager and checking for upgrades in security and privacy features.

Importance of Conducting an Annual Audit

  • Conducting an annual audit helps to identify new security features that can be turned on.
  • Check for breaches and change passwords if necessary.
  • Delete unused websites or put fake information into the account to protect personal information.
  • Spend a weekend doing spring cleaning of online accounts.

Hiring Cyber Security Firms

  • For small businesses, hiring cyber security firms may not be necessary due to cost.
  • Cybersecurity companies offer annual audits or come in to make sure that your accounts and online information are safe.
  • These services can be expensive but worth it for larger companies.

Shoutouts and Conclusion

In this section, Shannon provides her social media handles and YouTube channel where she posts tutorials on security and privacy. She also mentions Hak5's almost one million subscribers.

Social Media Handles

  • Twitter: @snubs1b
  • YouTube Channel: youtube.com/shannonmore

Conclusion

  • Conducting an annual audit is important for maintaining online security and privacy.
  • Shannon's YouTube channel offers tutorials on how to improve your own security measures.