YouTube channel Linus Tech Tips and two other Linus Media Group YouTube channels have been restored after a major hack allowed a bad actor to do things like livestream crypto scam videos, change channel names, and even delete videos. In a new video, owner Linus Sebastian explains that the breach bypassed things like password and two-factor protections because the bad actor targeted the session tokens that keep you logged in to websites.
According to Sebastian, someone on the Linus Media Group’s team downloaded “what appeared to be a sponsorship offer from a potential partner” and launched the included PDF with the terms of that offer. But Sebastian says this offer actually included malware that accessed “all user data from both their installed browsers” — including session tokens — which effectively gave the bad actor “an exact copy” of the browsers that they could export and use to wreak havoc without needing to enter security credentials.
Linus Tech Tips, TechLinked, and Techquickie are all back, but Sebastian has some suggestions for YouTube to prevent future breaches of a similar nature. For example, he’d like to see greater security options for certain channel attributes (according to Sebastian, you can change the name of a channel without having to enter a password or use two-factor authentication) and some kind of confirmation or verification request if somebody tries to mass delete videos.
“After being alerted by the Linus Tech Tips team that their account was compromised due to unauthorized access, our team investigated the issue and worked with them to secure and restore their account,” YouTube spokesperson Elena Hernandez said in a statement to The Verge. We’ve asked if the company will be making any changes to help fight breaches like this in the future.
These sorts of YouTube channel takeovers have become increasingly common as of late, and changes like Sebastian’s recommendations would hopefully prevent them from happening in the future. I do recommend watching Sebastian’s full video explanation, which includes more details about what went down. But be warned: the video includes some security footage of a naked (though blurred) Sebastian in his house as he works to figure out what’s going on.
Update March 24th, 2:03PM ET: Added statement from YouTube.