advertisement
Have all your videos on YouTube simply vanished into thin air? Are there strange images in place of your profile picture and cover photo? Something suspicious about the account description? How about the videos that have been uploaded – not you?
Chances are that your YouTube account has been successfully compromised by bad actors. And if you're panicking, breathe easy knowing that it has happened to many others in the past.
While all the affected YouTube accounts were eventually restored, the incident left many users wondering if they could be next. In their interest, here's a nifty guide on what hacked YouTube users can do to claw back their account.
What are the ways in which your YouTube account can get hacked?
Since a YouTube account is only accessible by logging into the linked Google account, it is very likely that the latter is the point of vulnerability. This would also explain why YouTuber users who've been victims of such attacks reported that their emails had been hacked too.
Primarily, hackers use tactics such as phishing to obtain unauthorised access to the Google accounts. It would perhaps involve tricking users into entering their account login credentials through a fake message or an email pointing out billing issues with your Netflix account.
Alternatively, hackers could also deploy malware by embedding it in suspicious links or documents. "Someone on our team downloaded what appeared to be a sponsorship offer from a potential partner" and launched a PDF that included malware, said Linus Sebastian, whose popular YouTube channel was hacked in March this year.
Once the system is infected with malware, hackers would be able to download a copy of your browser data, and steal the session tokens that keep you logged into a website. It goes to show that enabling two-factor authentication (2FA) is also not enough anymore.
Man-in-the-middle (MiTM) attacks are another way of bypassing 2FA. "Think of it this way, most people use OTPs which come through SMSes for 2FA. If an SMS service, which is generally non-encrypted, gets hacked as many applications have the permissions to read your messages, then 2FA can be bypassed," Software Freedom Law Centre (SFLC) counsel Radhika Jhalani told The Quint.
How do you keep your YouTube account from getting hacked?
In order to keep hackers from stealing your session tokens, you can sign into your YouTube account in incognito mode as it deletes browser cookies once you stop private browsing.
The standard practice of not clicking on suspicious links or downloading unverified documents still stands. Keeping your browser up-to-date with the latest version is also crucial.
Google also recommends that "if you use Two-Step Verification, you can add backups to give you more ways to verify it’s you."
How do you recover your YouTube account if it’s been hacked?
If your account has been breached by an interloper but you can still sign into your Google account, go the Security tab on the account's page and sign out any unfamiliar device that has logged in.
But if you can't get into your account, you'll have to "go to the account recovery page, and answer the questions as best you can," as per Google Help Center.
"Reset your password when prompted. Choose a strong password that you haven't already used with this account," it added.
How long does it take for the YouTube account to be restored?
After Mojo Story's YouTube account was hacked, its founding editor Barkha Dutt had alleged that the platform was slow to react. "I dont know how many times we urged @YouTube to freeze the platform so that the hackers could not alter it. But we kept being told "process of investigation has to be followed" - and now its gone," she tweeted.
However, according to the Google Help Centre, "Account recovery requests can be delayed for a few hours or a number of days, depending on a variety of risk factors."
"For example, if you added more security to your account by setting up 2-Step Verification, your account recovery request might be delayed for longer," it added.
Does it help to be verified or know someone who works at YouTube?
A YouTube spokesperson denied that verified users are able to recover their hacked accounts more easily than others.
According to the platform, "Verified channels simply help distinguish official channels from other channels with similar names on YouTube. And, verified channels do not get extra features on YouTube, and they do not represent awards, milestones, or endorsement from YouTube. Channels over 100,000 subscribers are eligible to apply for verification."
While it certainly can't hurt to know someone at YouTube, it is not a requisite to recover your compromised account. "Whenever our team is notified and the account recovery form is filled up, someone from YouTube will reach out to support on steps to secure and restore the account," the spokesperson said.
Is it good advice to backup your YouTube content?
There's nothing wrong with backing up your YouTube content on an external device or cloud storage platform. But if your channel is being managed by a team, perhaps a better option would be to enable granular permission control.
"You can have multiple people manage your channel without giving them access to your Google Account," as per the platform. The roles defined by YouTube are:
Owner
Manager
Editor
Editor (limited)
Subtitle editor
Viewer
Viewer (limited)
Out of these, only the Owner has the ability to delete the channel.
"We also discovered during this investigation by the YouTube backend team that was helping us, that the hackers made all of our videos private and that's why we couldn't see them," journalist Barkha Dutt revealed in a video posted on Twitter.
"And we thought our entire account had been deleted," she added.
What steps has YouTube taken to secure your account?
Detecting phishing attempts: "We protect Gmail users from nearly 15 billion unwanted messages a day, blocking more than 99.9% of spam, phishing and malware," according to YouTube.
"Google Safe Browsing technology is built directly into Chrome and intercepts attempts before they ever reach you, and this technology is available via an API for other browsers and services to integrate and protect more people," it further said.
Using AI/ML: "Messages by Google uses machine learning models to help proactively detect 1.5 billion spam, phishing and scam messages every month. It looks for known patterns and either diverts bad messages into the spam folder or warns you if it notices something suspicious," as per YouTube.
Mandating 2FA: "Since 2021, we’ve successfully auto-enabled 2SV (two step verification) for over 150 million people, and we've also required it for over 2 million of our YouTube creators. As a result of this effort, we have seen a 50% decrease in accounts being compromised among those users. (as of Feb 2022)," the video-sharing platform revealed to The Quint.
(At The Quint, we question everything. Play an active role in shaping our journalism by becoming a member today.)