I think KZbin just got hacked in my subscriber feed there is “Tesla” which I have not subscribed to and it’s a live stream with Elon talking about bitcoin. No one can chat either since you have to have been a subscriber for 15 + years. I should say that it’s just that channel itself and not KZbin

a few hours too late man they got linus already 😭😭😭😭

@@nerd2544 beat me to it

@@nerd2544 oh I see now rip LTT

you saw that uptick in traffic eh? lol

Linus has said on Floatplane that they're working directly with KZbin to find out how to stop this for good.

@@itskdog Hope they listen. It wouldn't surprise me if a lot more people are gonna use remote acces keys in the near future to minimize these kind of risks. Or at least prove to google the account was theirs to begin with if they get infiltrated on an active logged in session.

Linus has a great Team. He'll find a way to fix everything.

Yeah I think LTT is the biggest channel it's happened to so far

I feel that ThioJoe actually provide tech tips that is more important than LTT tbh

Yes but it's finally recoverd

Yes. Like, how can we small channel owners even contact Google support once we got hacked (there is no way to quickly contact them because Google Studio support is, well, inside KZbin Studio). And where / what is the form / method to recover our account? I think someone mentioned there is a Google form somewhere to input to, but where is that - not sure.

This is exactly why I archive all my videos on my local PC and usb hdd.

They actually almost never do that. If they do, the views and therefore the ability to get the algorithm to recommend the channel are directly connected to the videos. So by KZbin connecting a channels view time and ad sense to the video itself, if they delete the videos, then they effectively just got a useless channel. The strategy now is to private everything on the channel for that reason. Which is a good thing, because it means when people get their channels back they get everything back how they left it.

That is actually not the case, although they rarely delete videos for the reasons mentioned in the comment above. KZbin doesn't delete the videos from their servers, even if you delete them from youtube. I remember that they had tools with which you could get your videos, deleted or not, in the original upload quality. I'm not sure if they're still available, but they will definitely not delete video files from their servers for a good while because of reasons such as these hacks, and they can be restored after the dust settles down.

YT should be able to recover them IMHO, but that might not be the reality.

@@leonro I don't remember the source anymore but I believe someone said that the videos are actually deleted from atleast some CDNs

@@HapYTMC Get Ublock Origin.

Amen to that brother 👍🏾

0

Sometimes one has to wonder just how much the hackers are paying Google to look the other way.

It's because they steal the password too. They steal everything you saved on your browser and most people save the password on their browser to not retype it.

​@@robloxaalexx This KZbin hack/attack steals something much more valuable, your browser's session security token. This isn't the early 2000's where all you needed was to steal someone's username and password. We have 2FA now, a firewalled 2nd generated code that you get via SMS or through an authenticator app if you want to make major account changes, like changing account ownership. Stealing password wouldn't do anything with 2FA as you still would need the 2nd factor. That's the entire point of 2FA, it's also why the SIM swap exploit started happening to high priority targets/individuals, far easier to social engineer someone at the cellphone provider than to break 2FA. And also why authenticator app 2FA has replaced SMS 2FA for a lot of people, it stops the SIM swap exploit. With 2FA in play, even if they had access to the channel, they couldn't change account ownership unless they had the 2nd factor. This attack is more an exploit of Google's protocols. For whatever reason, Google doesn't force a 2FA reauthentication for an account ownership change allowing the hackers to completely bypass 2FA. This attack is dangerous because it bypasses 2FA, not because it breaks it.

@@robloxaalexx A lot of times saving the password also keeps you signed in so when you return to the website, it goes right in unless you log out. Amazon does this. It doesn't sign you out unless you sign yourself out. Even the app on the phone does this.

They do ask you to re-enter the account password. What are you talking about? The hackers steal all the data in your internet browsers, including all of your saved passwords. It's why I don't save my passwords in the browser anymore. They got me with a pishing scam a couple of years ago but Google sent me a notification that a new device logged into my account and I immediately locked down the whole account seconds later and I changed the password. They did manage to sync all of my mails and browsing history and all that. Google's actually much better than other websites/services when it comes to this kind of thing.

I legit once got a virus trying to download cheat codes for a GameBoy Color game. I know it sounds stupid, but believe me, IT HAPPENED.

That still is the best way to avoid getting hacked. Google should fix the 2FA bypass, but every hack of this style still starts by running an executable from a sketchy site.

@@isaacbejjani5116 i think the hackers are using your own devices to bypass the 2FA without you knowing it. I keep getting a 2FA on every new devices that I'm trying to login.

@@greatveemon2 all they are taking is the session cookie. There's no way to clone your device in the way you've made up in your head. The correct response here to make sure this can't happen is to require a non-text (SIM cards can be cloned - text messages absolutely should not be used for 2FA), non-gmail email (Google session cookies would mean they should have access to that as well) 2FA to change security settings if you have changed IP addresses. In other words require one from an account, software, or hardware that those people should not have access to. I have seen some people (who should absolutely know better) stupidly suggest that they should require a 2FA every time you change IPs but that would just make things like VPNs annoying. The vast majority of people are not going to be constantly changing their security settings though (and anyone who is has issues that this will probably help) so requiring it every time for that is fine. SIM cloning and Gmail access are almost certainly what's going wrong here. So if they just require a 2FA that isn't those, 100% of the time you attempt to change security settings when your IP has changed since you last accessed it, there's no reason to suspect that they would be able to do more than minor damage to the accounts they gain access to.

KZbin doesn't care they are making too much money.

It's ridiculous sounds especially a person the doesn't know how to used Them knew technology.

Happened to someone I watched. I didn't know who they were so I unsubbed from them until I learned what the channel was. He got his channel back.

Linus tech tips now

Most likely, nothing will change. KZbin is not run by competent people these days 😢

not likely going to amount to any additional by YT to do anything about this.

​@@geraldh.8047 It has been like this for a decade. So it's nothing new

Three of the LTT channels just got hacked with this. Hopefully when a channel as big as LTT gets targeted, KZbin decides to start paying attention to this,

@@Theunicorn2012 Guys don't install Guardio chrome extension it will have full access over your browser, this means they are logging your COOKIES, PASSWORDS, Session Tokens , Refresh Tokens , Access_Token also. I do not TRUST guardio.

Google have to prevent changing password without 2FA/U2F authentication. It is a standard procedure on bank sites. Why that basic "feature" cannot be implemented in other services?

@@Szklana147What makes it even funnier is that most lower budget and importance websites like online games and forums have that feature in place.

I would have 2) be a 1-week wait or so: 1 day isn't long for the scammers to wait, and I doubt many real account holders would be significantly hurt by having to wait a week.

@@andymerrett it's both

What if you lost your phone and you're still logged in? and when you want to change the number and password into your newly replaced phone but the problem is the 2FA is still sending the code to the phone that you have lost? And now suddenly google logged you out and locked your account after failing to enter the 2FA code.

Not all of us are geeks, it took me a long time to figure out how to get the drink holder on the desktop tower to come out, and calling geek squad to find out how to turn on the same desktop tower during a blackout to use the fireplace screensaver to keep warm until power came back on.

Aren't you just glad Susan is finally leaving who allowed scams to run wild?

@@zelowatch30 Cause the crypto bro that replaced her is going to be so much better 🙄

My go-to is to try to find it from a handful of (what I believe to be) safe download sites, such as cnet, or tomshardware. Some of those link back to the project's website, but that's fine. Preferred, actually.

Did anything happen?

No subs let's all rss to remove its blip on hacker's radars.

@@HighestRank was that even English? I have no idea what you're talking about.

Let's remember the fact he used to upload satirical tech guides back in 2015-2017

@@Reed_Peer so?

This is the second time Linus mentioned you. He needs to have you on his podcast or do a collaboration vidso.

So did I.

Watching this because Linus Tech Tips got hacked yesterday and he referenced this video in his latest video.

​@@Theunicorn2012Copycat

@iii___iii Damn that's a long time. I wouldn't be surprised if it actually started when it first came out.

It's true.

Why would I change a password for this person it's a unique password to Each in individuals.

How did you prevent this

It’s not practical to not store session cookies because then every user interaction with the remote site will require reauthenucation. Probably the best KZbin could do is have a defined set of actions which *always* require MFA like changing the channel name or password.

@@MaxPower-11 Shouldn't even require MFA. Not everyone has that enabled. Should require you to log in again, and MFA if you have that enabled.

@@S_Roach The reason why MFA (vs. just re-entering the user’s password) would be highly preferred in the scenario presented in the video is that if the victim is infected with malware that’s sophisticated enough to steal local session cookies, it could potentially also capture the current (and new) password when it is entered by the user.

Honestly for the time being this world be the only truly effective solution until something is done about this.

Which channel was that? I ask because I'm interested in the lessons they learned from being hacked. And what recommendations they gave to avoid it happening again.

Yup, as I replied in another comment, this very practice happens all the time in FB where digital mobs massively report an account so that FB bans it, and it is widely exploited because of the "anyone can report" policy. So putting a mechanism to report blocked/hijacked/owned channels is a bit more complicated than that.

I call them cirno bots Because some of them use same number with cirno AKA circle 9

I've encountered a variant of this where the scam account tells you to go to a Telegram account.

@@bitelaserkhalif Mmmmmm cirno bots

Like what? This the most 90s problem ever: if you get an attachment: scan it with an antivirus first? these days can even use your favorite cloudbased email. gmail, or skydrive or hotmail or what ever else is out their to check files.

There is not really such thing as "browser ID". We wanted to remain anonymous, ya know.

@@johncoops6897 There is if you look it up. But outside if that, haven't you seen "Trust this browser" or "Trust this device" before? There's all sorts of tracking methods, some of which have existed for over a decade. There's even new technology being developed to rely less on cookies.

Exactly , that's what I thought , this only affects Windows users then.

@@AkiraElMittico - Rubbish. It has nothing whatsoever with the operating system.

So if the hacker that has compromised your account and is now trying to make sensitive changes _isn't using Linux,_ it's useless. Doesn't make any sense. This isn't related to operating systems.

Use a local password manager. Like KeePass or something.

@@kunka592 That would be wise and probably easier, but I enjoy being able to store other stuff too (eg. 2FA backup codes & such)

Or you could just simply not shill garbage to people. You know who this wouldn't happen to? People that only work with products that they actually know meaning they're far less likely to be caught up in this because they'd already know the signs that it's a scam. If you're willing to shill random things for money you deserve to lose everything.

What to do exactly Mate

tbf LTT is also a toy channel, more specifically an RC fire truck channel

This makes me question of Google/KZbin has a security department. Even if it's one person, they should be on top of these issues.

@@Theunicorn2012 Guys don't install Guardio chrome extension it will have full access over your browser, this means they are logging your COOKIES, PASSWORDS, Session Tokens , Refresh Tokens , Access_Token also. I do not TRUST guardio.

Instead of downloading it from a link that’s sent, you could download it from the known official game website. Or if it’s a game you’ve never heard of before, could be a red flag in itself.

@@ThioJoe Well I'm not in their discord so I don't have a known link to their official website; but I know for a fact that the game exists - I played it before. When I went to a new computer, than searched it up to download, there were way more download links that showed up (most likely scams) compared to the first time I had played it (Before the scammers found the game and decided to exploit its meager popularity)

Even if the browser encrypted the cookie on-disk, it would still need to be decrypted at some point to send it to the website, so it can just wait until your browser decrypts then inject itself and scan the memory.

I saw some videos about the hack mentioned here and read a lot of comments! This is the first time I see mentioning this logout approach... The local cookie in your machine is tied to a session in the server! If you log out from your machine, that session will stop working and the stolen cookie will have no use anymore! Hacker will not be able to access your account anymore! Is there something wrong with this approach? I'm not an expert, so I'd like some validation about this. Thanks.

@@takufner As a software developer I can tell you that just logging out from your machine (read: windows log out / shut down) isn't enough. Your cookie is stored locally, and it's stored, so it's somewhere on your PC and remains until you remove the cookie or invalidate the cookie. By logging out from your KZbin account, the cookie will be invalidated. Or you can delete the cookie manually (and after refresh, you will be logged out). Or you can use incognito mode, so it doesn't save the cookies and only use the cookies one time. But thinking about this approach makes me uncertain if it's 100% waterproof. What if you log in again, and at that particular moment the hacker comes in? Then he will have access probably. My approach would probably not give 100% safety, but might lower the risk of getting hacked. Especially at inactive moments on KZbin (like why would you keep your logged in session open while you're not even using YT that day on your PC). Even more important is keeping hackers away. My approach is just some theoretical thought of me :)

Damn, they really stepped up their game didn't they?

Who else came here after LTT disaster?

Um

What’s the LTT disaster

It is not remotely over, LMG is in big trouble. Fraud.

​​@@Stinky0368Gamer Nexus explains.

I report them. I did that on another channel, that tagged me in a comment, just a few minutes ago. The replying comment copied the channel name, but added an underscore to it. Click on the vertical ellipses beside a comment, on the right-hand side, and select "report" from the very small number of options, (currently, the only option, as far as I can see).

I try to add a reply to a post by the channel owner telling them about @ThioJoe's Spammer Purge videos.

I like this idea. There would have to be some kind of waiting period to change such codes though to ensure the hacker doesn’t just reset them as soon as they get in.

do you have any idea how fast that'd go wrong? if people think youtubers hungery for that sweet google cash is bad now, just wait till that backfires and someone is goatse'd so hard they're pooping out dally the clones.

That seems unlikely: nobody unsubscribes to a channel simply because the content went missing. If anything, it's more likely they just never access said channel ever again. Nobody unsubscribes from channels in general. This is why KZbin changed to the algorithmic homepage; everyone is still subbed to random stuff from 9 years ago that they aren't interested in anymore. There's an _opportunity cost_ to it (you can't make new content and gain new subs while you're hacked), but you won't lose any meaningful number of subscribers simply because you were hacked and your videos are temporarily unavailable.

how's is it BS ? lol ? i've done it tried it on my friends, i distributed a exe netflix account checker, many people thought it was a real account checker that will getr netflix accounts but instead it logs everyone cookies, passwords, etc , even their files and were uploaded to me on a webhook discord. This is REAL dude.

Whatever makes them money, or interferes with them making money, is important. Anything else, not so much. However, tightening down on session cookies, so that cookie hijacking is impractical, at the MERE COST of privacy programs, that scramble your advertising fingerprint periodically, interfering with using KZbin, (as a creator, or at all...), should be a high priority for them. Just encode a hash of the PC's advertising fingerprint into the session cookie, and if it doesn't match, the person has EITHER had their cookies hijacked, or they scrambled their fingerprint to stay ahead of intrusive advertising. Obviously, for the security of the user's account and data, (and to better sell to them via targeted ads), you need to stay on top of these things. So, yes, I'm a little surprised Google HASN'T fixed this already, as what is, to me, an obvious step in resolving the issue, JUST HAPPENS to play right into Google's aims of selling better ads.