I'm so glad you got your account back! That was actually pretty quick, too. It annoys me so much that every time I travel, I have to jump through a bunch of hoops to log into my KZbin account, including verifications on my phone, and email, and sometimes I even have to use a VPN myself just to get into my own account reasonable amount of time. Meanwhile, creators routinely get hacked by some dude out of Russia and Google's system seems to think it's fine. 🙄 Also, I just checked my email, and I have that exact same email about a sponsorship with Black Magic. They really are targeting everyone. Creators have to be constantly vigilant. Thank you SO much for sharing this experience, so that other creators can learn from this!

I work as a cyber security engineer, and one of my pet peeves with Windows is that they have chosen to hide file extensions by default, which makes this exact type of attack much more likely to succeed. Had file extensions been visible on the file name, it's much more likely that you wouldn't have launched that file. Nothing is foolproof, of course, because we're all humans, and we all make mistakes. (This is one of the first settings I change when I start working with files on any system I've not worked on before.)

1:55 first thing to do on a new windows install is to enable show file extensions

Shining this much light on this type of scam is immensely useful. Sorry it happened, and thanks for the detailed info.

My favorite part of this video was Matthias whipping out his custom-made wooden selfie stick, haha!

Matthias: Even after just being hacked, still in the best scientific manner calculates the rate of his videos being taken down in n/min ❤

Oh god that must have been very scary! Good thing you recovered it quick. But I can't imagine the feeling of losing my livelihood !

And now we are all waiting for episode two in this new series :-)

"Microsoft Defender didn't find anything" I feel your pain!

The “Session Cookie Attack” was easily fixed by KZbin. How? Even with the session enabled, if you want to change your KZbin account or delete all videos, you should need MORE than one “active session”. For example, “2-factor authentication” when deleting videos, changing account name, etc.

Some bits to consider: There's a non-zero risk involved with your other PCs now when you used your USB drive between them. Another potential vector is any other devices that were on your network or that you had credentials for saved on the original PC or if anything else on the network is unsecured (I'm thinking raspberry pis or any devices which had remote access or shared folders or the like).

Glad to be a part of such an involved and caring community! You get out what you put in and your supply of care and genuine effort for the videos and research you do is truly inspiring. Here's to many years of not getting hacked again, hopefully!

I'm sorry to hear that you were hacked, but pleased that you were able to get back in relatively quickly and mitigate any future attacks. Thank you also for sharing this, which helps to educate people and fight against these hackers/scammers.

As soon as I saw your update that you had control of the channel again, I went in and began rewatching all of your videos, hopefully triggering youtube to recommend them to others. Glad you're back in control!

I’ve seen so many of my favorite KZbinrs get hacked by this same method. The in depth video and explanation of everything really caught my interest. And props to you for keeping time stamps of everything down to the second during this time. You never fail to entertain us!

Glad you’re back & thanks for sharing this experience!

Good to hear that you are back up and running again!

Thank you for sharing your experience. Too many people are too embarrassed to share these details that are so helpful in keeping other people safe. I can't imagine the stress of this whole mess, and I hope you have some time to do something fun and relaxing.

Matthias I am so pleased you managed to resolve this and super impressed how quickly you managed it. Great to stick 2 fingers up to the hackers

Love how you are so candid and detailed in showing all the details, really interesting (and terrible!). Sorry you had to go through this man. That's the one thing that is so wrong with big tech companies, it is almost impossible to get a human to help you. If this happened to a small creator, even with it being so obvious, it almost always means they are completely out of luck (happened to my mother, account is just considered lost now).

Glad you're back! Thank you for sharing such details so we can learn not to fall for this attack. I wish I could give you 2 thumbs up!

So glad you're back up in relatively short time. On the hack itself, I'd suggest using the "Always Show Extensions" option in Windows. Also, quite concerning that Windows Defender didn't return an issue. I'd be curious to see if any other antivirus software would return anything.

So sorry that it happened to you and I'm glad you managed to get back fast enough. Thank you for sharing these details with us.

Thanks for documenting your experience, Matthias. This is a good warning for other youtubers.

Thank you for making such a detailed video on this. Everything you make is excellent.

I knew someone i followed was hacked but I couldn’t figure out who. I’m glad you got it back so quickly.

Thank you for taking the time to share this with us. That helps people to be on the lookout for this.

So glad you got it all sorted back out! Sorry for all ur trouble, long term subscriber that still enjoys your videos!!!

So glad to hear you got the account back. When I saw your previous video I went to their scam live stream and reported it, hoping I was joining a few thousands doing the same thing.

Glad you got it back so quickly. I'm going to take some notes here for my own KZbin channel.

Dear Matt, I am so sorry to hear this happened to you! I remember when John Heisz got hacked as well and my heart went out to him as well. I'm happy to hear things are resolved. Hats off to your logical way of thinking in regard to protecting the highest asset first and working your way down! Smart Thinking! ! ! ! ! Best Wishes and Take Care, Tom

Oh crap! That must have been a whirlwind of emotions that night! Glad you're back Matthias!

Thanks for sharing the gory details. I always learn stuff from your video, and this is no exception. Nice work . . .

Geesh! It's never ending with the hackers. They sit there scamming good people all day long. Sorry to hear this but so glad you recovered as most do not.

I'm so glad things worked out. Me and my WW buddies were sharing and talking about your video on the Domini Design tool box hinge right before your channel got hit. We were gutted to think your breakdown was lost haha

So glad you got your account back. Thank you for giving such a detailed breakdown of how recovery works.

Been watching you for some 15+ years. Good job man with the timeline. Sorry this happened to you. Don't click links!

Wow. That must have been crazy. Glad you went into so much detail. I’m not a KZbinr but just the whole process was eye opening

THANKS FOR THE VID! Not just useful for youtubers getting hacked but any person getting hacked in a phishing manner like this and what they can/should do immediately upon realizing it.

samething happened to LTT. KZbin can fix this issue. Automatically issue a 2-factor warning when logging in from an unusual IP address. Changing your account phone number should automatically initiate a 2 factor auth request. These steps would actually save google money as employees wouldn't need to spend time fixing accounts.

Thank you for outlining the attack. Very interesting.

Ugh! So sorry you had to go through this. Stuff of nightmares. So glad you got your channel back; and they didn't delete your content.

Glad to see the channel is back again, hopefully everything is fully resolved for you moving forward!

Definitely nice to have a big channel with a lot of people that can help you. People with small channels would not fare so well. On another note it's critical to always carefully read your emails before taking action on them. The first sentence of the first email was a huge red flag for me.

As someone who works in IT, session hijacking is the number one way to access someone's session and bypass 2FA, its unfortunately very simple to do. i stopped opening my webmail's on my regular PC as while back, but instead I open a Windows Sandbox session and open my webmail there. This allows me to control what cookies are being retained by the session as well as being able to close the window if anything nefarious was to be downloaded and ran. The only credentials that would be compromised, were the ones i opened in that Sandbox, meaning my attack surface is a darn sight smaller and I would only have to reset those passwords and tokens, and not all my other accounts. Nor would i have think about wiping and reloading my PC, in fear that something might have infected it. Windows Sandbox upon closing would blow away anything that got installed. It's free and baked into Windows 10 onwards.

I'm sorry that happened to you! And I'm glad you were able to recover your account!

Wow, what an awesome video. Documented everything. You truly are a systematic individual 🎉 glad you got the account back

Hi Matthias, before I sent you an email about this ordeal, I actually reported your channel to youtube with a note about someone hijacking your account and leveraging your subscriber base to push this crypto crap. And advised them to reach out to the original owner. Hope it helped in locking the channel and the aftermath. Good to know things are back to normal. Keep it up.

I hope this shows to people who think that they are too smart/savvy to be scammed, that they are also vulnerable. Matthias is a tech wizard with years of experience, and the scammers still managed to get him.

first of all, I'm glad you were able to get your channel back. TBH, the email was very convincing & even the files. I'm shocked that Windows defender could detect it. RAR file is so to hide from Windows Defender. Wow, they even added a security key! This video is very useful to learn what not to do - thanks for posting it. I think it's important to be able to contact KZbin asap as you've mentioned via Twitter (X) perhaps as all other means are locked out. And disconnect internet , reset windows with clearing the All the drives (formatting).

WOW! Thank you for telling us your story - very helpful! I'm amazed and happy that you got your account back!

My X account was hacked and suspended. A couple years later, they still refuse to reverse the suspension. Glad you had better luck with KZbin!

Confused how it's 2024 and session cookies don't include at least the general information about the system they are created on and the location data to limit their use to the same system and location. A check box for 'only this IP' would be great too. Makes it a hassle on portable devices having to log in all the time, but having the option would be nice. At the very least, a session token should never be enough to change passwords or recovery emails... there's no excuse to not have to enter your credentials before making changes like that.

Wow. Sorry you had to go thru this but appreciate that you shared your experience with us all to hopefully prevent us from experiencing the same!

Sorry this happened to you. Glad you got it back so fast. Thank you for sharing this information, it will help a lot of people prevent this from happening to them.

Glad you got it all back. Use a virtual machine for any odd stuff. In fact use the virtual machine for most email and then use your regular machine for the exception. I’m not familiar with this attack so I can’t say it would have protected you 100%. But at least the infected machine aspect would be really easy to fix without a full system rebuild. Thanks for sharing.

Sad to hear this has happened. It always troubles me that Microsoft Windows default behaviour is to hide file extensions, it would be a massive help in these times when you have no idea what type of file you're opening.

Happy to see that your problems were resolved so quickly and comparatively easily. And thanks for sharing such a detailed and "straight forward description" as I believe it will help other get a better understanding of how it can happen. And thereb make them at least a bit less at risk due to their own behaviour. Forewarned it's forearmed Brgds

Fascinating. Thank you for showing us all how to handle such a cyber attack!!

Jesus, what a stressful 6 hours that must have been! I'm so glad you were able to get things up and running again, and I'm sorry these bastards found a way through, it's not like you aren't an intelligent person. It's scary that they always seem to find a way to slip the net. Best of luck for 2024!

Session hijacking bypasses MFA, since the session cookie they're stealing is from an already authenticated session. Meaning they don't have to log in, and MFA wouldn't have stopped this.

Pew, glad that worked out rather quick for you and you have all video back! IO was very nervous, seeing the video on the second channel! Also; Thank you very much for creating this time table! Really puts into perspective just how fast these things can go (wrong). I wonder what the actual goal of these miserable hackers is. Big Channels get flagged for hacked pretty much immediately, so the hackers don't actually have any gain for their efford spend. And small channels may take longer to recover, but - they are small. Less views, less engagement. So what gives?

Thank you for making this video. It's hard to tell others about your mistakes, but it's extremely valuable.

Since I had unsub'd ripple I now get to subscribe, re-watch and like all the old woodgears videos.

2:15 Also, the unpacked contents of a rar file will not be marked as potentially unsafe like contents of zip files. So you don’t get an additional warning when starting the malicious executable.

Well done, Matthias - you look pretty calm about it all. I was so frazzled when it happened to us!

Whew, that is a detailed saga. Thanks for making this.

My mother always told me to avoid black magic.

It is so sad that companies resort to social media to communicate with their customers when there are still a lot of people that do not use social media.

I'm so glad you were able to recover your channel in such a short time, I was not one of those lucky people. It could have been me , again... I switched to Resolve 2 months ago and I LOVE it I'm still using the free version I'm going to buy the paid version only for small improvements, so again I would have been compromise in my brand new PC.... I'm so glad it ended like this

Thanks for making this vid and showing how it happened, it's extremely useful information. Also very glad you were able to recover your account.

Great to see you back Matthias! Is "woodgears" a permanent channel name to distuingish from before the attack if you like, or is it just a temporary measure? (I like both!)

You would think that Google should recognize a session being reused from a different location. Logging out that sesssion would be enough. I'm probably missing something. Good to see you're up and running (but the channel name is now simply woodgears)

Glad you got this resolved promptly. Keep up with the content, you have a great channel.

Great you're back up and running, it's an easy mistake to make! And well done being so honest about your mistake, it takes a great strength of character to be able to do that.

An encrypted RAR also means all the Antivirus measures in the chain of mailservers can't scan it including your own PC's AV until you unRAR. Although it seems Defender didn't pick it up at that point here.

That preview pic is amazing 😂

So sry to hear about this. Glad you're back up and running. Windows 10 Pro has a sandbox. Made it worth the extra cost to me.

Glad you got it back, and hopefully there isn't too much residual damage. The fact that even with this video you have an Excel sheet of a bunch of data is hilarious! One note, it looks like the vanity name of the channel is still set to 'woodgears', so you might need to set that back. While I don't agree with a lot of the people flaming Google for this, social engineering will always be a problem, they really do need to improve some of the processes around these issues. For one, after the same attack hit LTT, Google claimed they were beefing up the security surrounding session keys, but clearly that isn't the case. Additionally, the fact that it is basically impossible to get in touch with anyone at Google without having a preexisting YT rep is a problem. I've had my own security issues with Google, and have no way to get any information about them because I can't contact anyone. Everything is just an automated response with redundant and useless information. Also, the fact that Google disabled my physical security key and replaced it with a prompt on any device logged into the YT app is absurd. That's far better than no 2FA, and almost certainly better than SMS, but no you don't remove my security method.

Still embarrassing that the fastest way to Google support is by going though friggin Twitter. You'd think they would have improved this process after some big channels (like LinusTechTips) went though the exact same adventure some time ago. I do wonder if they are as as fast and responsive for people with tiny channels.

For how often this happens to big youtubers, the process for recovery on Google’s end really demonstrates how little they care about their creators.

I think that sharing these events with the level of detail that you have done is what helps the most to avoid in the future and be better prepared... It is a shame that the services and companies are not very efficient in helping the user. Excellent Mathias and thanks for sharing.

Thanks for all your videos!

Glad you got it back!!

6 hours to recover is, honestly, blindingly fast. This is the shortest I've EVER heard of. Even LTT, who apparently have a POC at KZbin that they called within minutes, took more than 12 hours.

I’m in CyberSecurity and I have to say, it was pretty bad that you clicked on it driven by excitement but INCREDIBLY well done by pulling the plug as soon as you realized something was fishy. Big fan of your videos as they are all very informative. Great job of the timeline for an after action report and even better that you shared it for others to learn. Keep up the wonderful work and remember, if it’s too good to be true, it’s likely false.

Going for a walk. Love it. Well done for staying calm under fire, great to see the channel back. Glad this video popped up so I could resubscribe.

I'm so happy you got it back! Thank you for being you

Is there any good reason why they want you to be logged in to report being hacked? Seems like the most ludicrous and bizarre requirement, it just baffles me. It's the equivalent of reporting your car stolen and the police asking you to drive it down to the station so they can take a photo of it.

I'll never understand why Windows users choose to hide file extensions. That's one of the first things I change after a fresh Windows install.

Crazy. Thanks for the heads-up!

The 32minutes walk was key in this story. We are all very happy to have you back!

I knew you were going to say 2FA wasn't enabled. Please everyone take that as a sign to enable 2FA for every account you have that supports it. Good on you for sharing the details of everything.

Wood Gears!!! 💕

Thanks for documenting and the information process.

Man, Matthias, thanks for sharing all of this... sorry for the headache, but it's very useful, and very kind of you to share all the details. So... my guess was right, this was a session cookie hijack attack. Seemed like it because I think lots of KZbin account hacks goes through this. I also heard this follow through to go into connected devices and disable it all, because it's what connects your account service side to your PCs via the session cookies. Kinda complicated to understand. I have half guesses and half questions here... not a specialist, I just read a lot on these things. Not for Matthias specifically, but perhaps people in the know in the comments. So... afaik, Gmail itself usually does not get hijacked because seems it's a bit more hardened against this kind of attack, not sure if this is true or not. Good thing Matthias setup a separate account for KZbin though, can't imagine the extra headache that it would've been if the main Gmail account went with it. Is that right though? Gmail seems to keep a session in a similar way to KZbin, but perhaps there's something more under there... some verification that Gmail does that KZbin does not. This is a bit why all these connected accounts makes me nervous... the possibility of being hacked in one service and getting all the rest compromised with it. Other half guess half question - I think, and I may be wrong, that these session hijack attacks are very specific. It's like, a ready made attack that goes specifically after an KZbin account, and perhaps a few more things, but it doesn't like let the hacker have free roam inside the PC. Could be wrong here, not sure. It's more because of a speed and practical standpoint - the malware goes straight after whatever required files it needs to impersonate the KZbin session. Anyways, glad that you solved it relatively fast Matthias.

Always check your file types😊

If there’s a faster easier way, Matthias will master it, including getting his account back.

This is more scary proof that scams can happen to anyone. You don't get to feel that your tech savviness will prevent you from being a victim. I am definitely above average on my understanding of computers, but am no where near as knowledgeable as Matias. So glad to hear you got back up so quickly!

We have so many customers complaining about having to use MFA and 2 party authentication, and VPN to connect to their email and work networks. This is a prime example on why those are so important. I run all of that on all my machines, and phone. My son didn't want to and he got hacked. Now he gladly runs it. Gotta protect yourself against it in these modern times. Tons of accounts get hacked everyday and people's financial stuff is used/sold and they can be financially drained by it. Thanks for posting the video on getting back up, and glad no real damage appears to have happened.