I have spent the last four months working on a YouTube channel. Despite two-step authentication, I had my channel stolen. Here is what has happened and how it has been dealt with by Google.
First off, thanks to everyone who emailed me, DM’d me, Facebooked me, Instagram-commented, and used all of the other means of communication about this debacle. I didn’t get back to everyone; although I only have a very modest following, it seems that every one of you got in touch, which I am very grateful for.
I started a YouTube channel a while back when I was starting to become a bit bored of the daily grind. As a commercial photographer, I don’t have an overly creative job. I am more of a problem-solver and a technician who creates concepts that are given to me. But the videos, especially the vlog, allowed me to flex my creative muscles, learn about audio and video-making, as well as trying to offload some of the information in my head that I couldn’t seem to find elsewhere on the internet.
All was going swimmingly well, most of the videos were well received, and I was getting better at making them. I also noted that my main work was getting better too, as I was far happier with the addition of my new creative outlet. Life was good.
The Channel Hack
However, one afternoon, while checking in on the comments, I was suddenly kicked out of my channel. The icon to log in had also vanished, which seemed a bit strange. I logged into my Google account and noted that I wasn’t prompted to use the app to authenticate my log-in, and when looking at the past activity, I could see a new location for a log-in had been made, which was obviously the hackers who had come in and moved the channel to their own Google account. After the initial panic, I tried to contact Google or YouTube. This task was seemingly impossible. There are no numbers, no email addresses, or really any means of contacting them. A bit of googling (ironic, I know) told me to post about it in the Google chat forums and that someone would be in touch. I did, but they weren't.
A day or so later, I decided to report my channel and in doing so, I made a copyright claim. This suddenly made a live chat come up with a chap called Bryan, who quickly asked for some details and continued to email me a reference number. Bryan was a particularly polite and calming person from over at Google, and although he wasn’t the chap with the answers, he did make me feel like things were being taken care of. After three weeks of chasing him and being ignored on questions as to how two-step was broken, if my AdSense account and money were safe, and if the link from AdSense to my bank was safe, I received an email to confirm that I had been hacked and that they would transfer my channel back to me. It all seemed very simple. No mention of the security of my bank details or the two-step authentication.
I am still waiting for the final channel transfer so that I can remove all of the films that the hackers uploaded, but hopefully, I will be back to uploading sometime next week.
So, What Did I Learn From All of This?
Nothing. I did everything I should have, and something bad happened. It felt bad, it’s fixed now, and I feel better. I doubt it was a personal attack, merely a gang of people taking masses of channels to make a few dollars.
I read a lot about phishing emails, and I assumed that this must have been how they got in. Between social media and email, I receive about 100-200 messages a day. Since then, I realized that it was all set up through an account that I haven’t opened an email from in five years, so I am not doubtful that it was a phishing scam that I fell for. Either way, I will certainly be more vigilant, and I have since had someone look at all of my IT systems and add VPNs to all of my machines and phones. Although losing a small YouTube channel is only a personal blow, had anything else been hacked, it would have been extremely distressing.
If This Happens to You, Do the Following.
- Report a video on your channel for copyright infringement or explicit content.
- Click on the live chat button, and send over as many details as you can.
- Sit and wait. It took three weeks for mine to be secured.
- Don’t panic. It seems to be happening to a lot of people, and Google seems to have a good system to fix it.
Wow. That is stunning. I would love an update if you learn anything more about how they did this and what could be done to avoid it.
Likewise haha, just received another email and because my insurance company are involved I may end up getting one.
I have been getting regular phishing emails from someone using Sendgrid. I have a small YT channel, but it's clear they were after my Adsense. The emails were addressed to the address I have for public contact on my YT channel, this email is different than the email address Google contacts me through.
They created a very authentic looking email, the first one I received contained this:
"Invalid click activity detected on your YouTube channel. If you would like to appeal this decision and want your account to be reviewed again, click the link below to complete the form. Otherwise, your Adsense and YouTube account will be suspended due to invalid ad click activity."
Then they followed up with these:
"Some videos you recently uploaded to your channel have been flagged as inappropriate. Edit inappropriate videos by clicking the link below. If you don't edit inappropriate videos on your channel, your channel will be suspended. YouTube will never allow inappropriate video uploads."
"With the aim of increasing easy intelligibility and transparency, We are updating our Terms of service for YouTube channels that are open to making money. Please accept our new terms of service by clicking on the link below. Otherwise, the monetization feature of your YouTube channel will be disabled within 24 hours. The new terms of service apply to people with monetization enabled. Thank you for being part of the YouTube community."
I have only received 3 email variations, all have been reported to abuse@sendgrid.com, which appears to be a blackhole. The irony is that my abuse report was delayed while trying to forward the message from the abuse@sendgrid.com to an @gmail.com account.
The phishing campaign was perpetrated by people using Amazon AWS to connect to Sendgrid email hosting and relay messages to recipients.
This is my experience, but the best quality phishing emails I've seen yet.
My recommendations are:
a) Establish a separate email address for "business inquiries" that is linked to your About page on YouTube
b) Use a dedicated Google account for your YT channel and Adsense communication, one that is not used for casual communication
c) Always inspect the "From" and "Reply-To" headers of received email messages, Thunderbird shows these by default, scammers often set the "From" to a legitimate address, but add a "Reply-to" which is the scammer.
d) Always check the "To" header, if you receive an email that is in the wrong context (receiving official Google communications in your personal or business account), then it's an indication of a phishing attempt.
e) Set up email filters to send legitimate Google communications to a specific folder, ensure the rules are very concise.
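Added example, not part of the comment above: one way to automate checks (c) and (d) on a raw message using Python's standard `email` module. The account address, the list of official domains and both sample messages are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Assumed setup for this sketch: the address reserved for Google/YouTube account
# mail (recommendation b) and the sender domains accepted as official.
ACCOUNT_ADDRESS = "channel-admin@example.com"
OFFICIAL_DOMAINS = {"google.com", "youtube.com"}


def domain_of(address):
    """Return the lower-cased domain of an address, or '' if there is none."""
    return address.rpartition("@")[2].lower() if "@" in address else ""


def is_official(domain):
    """True for an official domain or one of its subdomains."""
    return any(domain == d or domain.endswith("." + d) for d in OFFICIAL_DOMAINS)


def header_warnings(raw_message):
    """Apply checks (c) and (d) to one raw message and return warning strings."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(parseaddr(msg.get("From", ""))[1])
    reply_dom = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    recipients = {addr.lower() for _, addr in
                  getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    warnings = []
    # (c) Replies would go to a different domain than the visible sender.
    if reply_dom and reply_dom != from_dom:
        warnings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    # (d) Mail claiming an official sender but sent to the wrong mailbox.
    if is_official(from_dom) and ACCOUNT_ADDRESS not in recipients:
        warnings.append("official-looking sender, but not addressed to the account mailbox")
    return warnings


# Constructed sample messages (not real mail).
PHISH = """\
From: YouTube Support <no-reply@youtube.com>
Reply-To: appeals@yt-review.example
To: business@example.com
Subject: Invalid click activity detected on your YouTube channel

Click the link below to complete the form.
"""

LEGIT = """\
From: YouTube <no-reply@youtube.com>
To: channel-admin@example.com
Subject: Your monthly channel summary

Nothing to click here.
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(name, header_warnings(raw))
```

The `From` header is not authenticated, so an empty result means only that these two heuristics found nothing, not that the message is genuine.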
Hey,
I actually do follow all of these, clearly somewhere along the line I have slipped up, but I can not work out where. I do receive a lot of phishing emails to all of my email accounts, but I wouldn't click on anything in them.
However, after a 16 hour day's shooting on a 4 day long shoot, anything is possible. I assume some form of fatigue and stupidity must have been involved.
If you want some fresh eyes, I can offer to help you. I'm technically savvy and would be happy to lend a fresh perspective on the problem. Root cause analysis is my day job :-)
Good to know. Thanks.
A lot of YouTube channels have been hacked in the last few months, there's plenty of videos showing which channels have been hammered, taken out or maliciously used.
So far the silence has been deafening on Alphabet/YouTube's side as to why there's been a massive uptick in hacks or take downs being issued since the end of last year. Most have been small to medium channels but others have been major channels for their segment notably Cosplay and Geek such as D&D/Warhammer, etc.
If you use an Android phone there's conjecture that a malicious app is siphoning credentials, as has been reported for Fb/Google:
https://arstechnica.com/information-technology/2020/02/two-new-android-m...
Google really has to start paying attention to how badly run the store is let alone how bad the underlying platform is for security. This extends to how badly YouTube is treating its creators despite bringing in 15 billion in light of copyright strikes, channel take downs and so on. Issues that have progressively gotten worse with very little recourse or justice.
Yeah I am pretty shocked at Google's lack of care for people who make them money. Although, they are the only platform who pay their creators, so compared to Facebook they are still gods.
> Google really has to start paying attention to how badly run the store is let alone how bad the underlying platform is for security
Utterly ignorant nonsense. We know how the large majority of hacks happened: channel owners were stupid -
https://www.forbes.com/sites/daveywinder/2019/09/23/youtube-security-war...
If you're stupid enough to give your house keys to someone because they ask, don't blame your landlord.
A few months ago we got a VERY convincing phishing email that really seemed to be from Google but did not get caught by gmail's anti-phishing tools. The login included two-factor authentication that texted me the passcode... I was about to type it in when I noticed something suspicious about the website (something like the o in Google had an accent over it or there was a misspelling on the page) and immediately reset our Google password and warned every YouTuber I know... sorry you weren't on that list!
FWIW I have a background in IT security and I'm super paranoid so I should have been the last person tricked by phishing... but this phish was top-notch.
Another component to that scam is sending password reset confirmations in a foreign language. You receive a text message in a language you don't know, and you're supposed to give that code to someone you're communicating with, all under the guise that they are legitimate and the message was just a way of confirming they are who they say they are. Someone tried to pull that with me on a Craigslist listing, I ran the language through Google translate before communicating with them, the message was something to the effect: "This is your secret code, do not share it with anyone".
Tony - do you still have those emails, or even screenshots?
Thanks Tony, yeah I do get a lot of phishing emails, but I don't ever open links in emails even if I think I know who they are from. I also worked in IT.
I can only assume that I was tired from a shoot and did something stupid, but no 2 step was ever triggered so I can't for the life of me work out how they got around that.
If it wasn't phishing, then the next possibilities are that your password was cracked, or that it was stolen by malware on your own machine or if you used a public wifi hotspot.
Cracking is very unlikely because Google uses captchas to prevent brute force attacks. You should never use an important account via a wifi you can't be sure of. And in your position I'd check for malware - and then probably blank your drive and reinstall your apps from scratch, being very careful only to install trustworthy ones.
Yeah I wiped all of my machines straight away as I was concerned about malware. Also purchased a vpn.
I am assuming that your gmail account wasn't hacked or taken over. If it is secure, then there is security hole in Youtube that the hackers have somehow figured out a way to take advantage of.
As far as I am aware Gmail is all good.
Arun - you're obviously not a professional, so I think you should avoid making FUD posts. Or if you are a professional, then explain ***why*** you think a flaw in youtube's security is more likely than eg a wifi intercept or malware...
Thank you for posting this. Wasn't aware this was such a common practice. Glad you got things taken care of!
Thanks Zac.
I didn't realise it was common either until I googled it and found loads of others had suffered the same fate.
Never use the link in the emails. Open your internet browser and go to your account. If the problem is real, be it YT, PayPal, Apple, Gmail, whatever, it will be visible there. If it isn't forward the mail to the security/phishing/reporting folks at that service.
Yeah, this has always been my practice. So I am not entirely sure how I fell foul. I must have clicked on something at some point during sleep deprivation or a stressful end of day admin binge. But I won't generally even open emails haha. Especially from PayPal etc as there is nothing in them of use as I have all the notifications within the account.
I'm still not clear on exactly what happened. Are you saying they used one of your own older accounts to bypass your 2-step system, or that you likely clicked on a bad link in the huge amount of daily email? I'm asking because I trust 2-step and want to know if there is a vulnerability in it that I need to take precautions about.
Brian, I am with you on 2 factor and I am concerned about any potential vulnerabilities in 2 factor authentication.
I will be honest, I am also not sure.
I can't imagine that I clicked on a link in an email, although human error is always the most probable explanation.
If I did, I didn't get a 2 step prompt and if I didn't and it was another form of hack, I also didn't get a 2 step prompt from my app.
As I understand it, if I gave you my password now, you wouldn't be able to log in without having my phone, my thumb print for my phone and my added security code for my phone. This is the part that concerns me the most.
https://www.youtube.com/watch?v=a6iW-8xPw3k
Joking aside, glad to hear things have been resolved.
Thanks Dave
I would move your YouTube account management email address to an obscure address that no one other than you (e.g fdvbkhjnvfoihfdavkrea789@gmail.com) hiving it off onto an account only used for YouTube will mean it is very unlikely to get spam/phishing email (any email into that account other than YouTube will indicate a security breach) I would also use an anti phishing AV like trendmicro using the browser plug in that has saved my ass a few times blocking phishing websites... great story btw, thanks for sharing :-)
so "Studio TV" isn't you? Yours and others videos are listed there.
Well haha, it should be called tin house studio, and will be again once I get it back. They changed the name a few days ago. Anything about photography on there is mine, any hallmark film is not.
A link in a email is a no go.
DO NOT OPEN LINKS FROM EMAILS, period
Try to go to the website and log directly from there.
Generally speaking I don't. Unless it is part of an email conversation where I know the person and it is not the first email in the conversation.
Currently I am assuming human error on my part, but the email account in question hasn't had an email opened in several years, so I am a bit concerned about how this has happened.
That's crazy. I'm glad you're going to be getting your channel back.
I wonder how common it is for channels to be hacked.
Thanks,
It seems that there has been a wave of hacks recently.
Wait, your channel will be going back to the way it was before? But I learned so much about erectile dysfunction medication from "your" latest videos :(
haha, I think a lot of people will be disappointed.
If "Google seems to have a good system to fix it", it wouldn't take 3 weeks to get the account back, and there would be a clear way to make the claim instead of reporting your own video on your own (stolen) account.
I agree. This looks like a very poor system to deal with it! A system to report such a problem should exist, rather than this "copyright claim" work around. And 3 weeks (and counting) is way too long. A company the size of Google should fix such problems within a day or two.
Yeah I was perhaps being a bit kind here. Although I also acknowledge that they have no incentive to fix this for someone like myself who is just using it for a hobby.
Man, what a saga. So glad this got resolved!
Thanks Andy, me too!
On the plus side you should be well versed in how to shoot for Hallmark now!
The Sickie Sisters don't give a rats ass about anyone but themselves. Good luck!
Gutted to read this, I love your channel and your IG. Just gone on my youtube account and you are now "Studio TV" with a bunch of Hallmark movies on it. Hope this gets sorted soon for you.
Glad you got it back! I was relieved to hear that you made some progress from your Instagram reply. I wasn't sure if you had sold your account (some ASMR people are doing that now) or were indeed hacked. Can't wait to see some new NORMAL content soon!!
I'm not an IT guy, but work for a Canadian cell co..
A popular fraud is to port a cell # to another carrier, and use the 2-factor to clear out bank accounts.
Perry, that is very scary. Any recommendations how to protect against that?
EDIT: Here is an article on how Port-Out Fraud is done, and a few tips for minimizing risk: https://www.fcc.gov/port-out-fraud-targets-your-private-accounts
Scott, just found this info on Forbes and sounds similar to what might have happened to you....it is reported that some of those affected were using 2 factor authentication.
https://www.forbes.com/sites/daveywinder/2019/09/23/youtube-security-war...
This video takes you through the steps to recover your channel
https://youtu.be/5rkkamhZTPw
It looks like it must not be an easy fix. I hope you get the channel back soon!