YouTube Channels Are Being HACKED! (How to Protect Yourself)

00:00

our YouTube channel got taken over by

00:02

hackers and there's so many new attacks

00:04

out there oftentimes you don't know what

00:06

you need to do to protect your accounts

00:08

so how do you protect your YouTube

00:10

channel from hackers Forbes posted this

00:12

article about this YT Steeler attack so

00:15

oftentimes it's incredibly hard to know

00:18

if somebody has stolen this information

00:20

until it happens they start working so

00:23

quickly to change everything around to

00:25

make you lose permissions make you lose

00:27

access I'm talking with a cyber security

00:29

expert to give us the updates we need to

00:31

know right now

00:33

recently we actually lost our think

00:36

media podcast channel for 10 days it was

00:38

very scary we thought all of our videos

00:40

and all of our hard work was gone and so

00:43

we're going to be unpacking that

00:44

situation and then looking into some of

00:46

the things like tools and mistakes and

00:49

how creators can protect themselves not

00:51

just on YouTube but their online

00:52

presence overall and what are some of

00:54

the biggest threats right now cyber

00:57

threats are costing creators massive

01:00

millions and even billions of dollars

01:02

businesses it's a it's a horrible issue

01:05

and so I'm super excited to be with

01:07

Shannon Morse who's here today she's a

01:09

security and privacy Advocate and she's

01:12

an entrepreneur whose goal is to help

01:14

Inspire others to live life to the

01:16

fullest while not sacrificing their

01:18

identity ethics or privacy and cool fact

01:22

about Shannon is she built her first

01:24

computer around age nine and then later

01:26

went on to teach yourself HTML and

01:30

simple coding while building websites

01:31

dedicated to her favorite fan so she's

01:34

been in the game and she is uh

01:36

incredible and was generous enough to

01:38

reach out on Twitter when I was like we

01:40

got hacked she shared some valuable

01:43

resources there and so Shannon welcome

01:45

to the think media podcast hi Sean thank

01:48

you so much for having me on and that

01:50

was such a sweet intro

01:52

I appreciate you so much we were able to

01:54

connect to vidsummit a few years back

01:56

and you've got an incredible YouTube

01:57

channel with these types of tips but I

02:00

want to first break into

02:03

um just kind of the story and those that

02:05

are subscribers here know we got hacked

02:07

all of a sudden our Channel's taking

02:08

over it's changed from think media to

02:11

Tesla official I've seen this happen

02:14

many times oftentimes on my Smart TV I

02:16

see Tesla CEO or Tesla official is live

02:20

and Elon is talking and I'm like that's

02:23

probably not Elon Musk but they they're

02:25

this is very common actually they're

02:27

hacking a lot of channels of different

02:28

sizes privating the videos and then

02:31

pushing out a live stream with

02:32

pre-recorded Elon Musk content and then

02:36

soliciting crypto especially because

02:38

elon's a crypto kind of advocate right

02:40

and making a lot of money and a lot of

02:43

friends rallied to help me with the

02:45

situation here and so

02:48

um the first thing is is you kind of

02:50

said this is maybe a YT Steel their

02:52

account maybe you can ask me some

02:54

questions and let's unpack this

02:55

situation before we maybe go a little

02:56

bit macro and give tactical things for

02:59

everybody listening to apply yeah

03:01

absolutely I'm so glad that you asked me

03:04

to do this video with you too because I

03:06

haven't talked directly with any of my

03:08

friends who have had their channels

03:10

hacked yet so this is a really good

03:12

learning educational experience for me

03:14

so I can tell people better how to

03:17

protect themselves so yeah I'm curious

03:19

do you know what it was that ended up

03:22

allowing somebody to hack your account

03:24

do you know what the target entry point

03:26

was so

03:28

um what we do know is that Google

03:30

emailed us and they said they emailed us

03:32

the date date of the hack was Wednesday

03:34

uh January 11 2003 that they 2003 to

03:43

2023.

03:45

they've had access to your account for

03:48

such a long time before YouTube even

03:50

existed for that matter yeah amazing

03:53

um now what's scary is we did have

03:55

two-factor authentication right on good

03:58

and to be clear of how that works at

04:00

least the way we have it set it up is

04:01

when you log into the YouTube channel if

04:04

someone else is logged in and one of our

04:06

vulnerabilities is we do have multiple

04:08

people working on our channels this was

04:10

also not our main Channel with over 2

04:12

million subscribers this was our podcast

04:14

channel right around 75 000 at the time

04:16

I think when we do two Factor this will

04:19

happen in our world all the time I'm

04:21

watching YouTube on my phone I'm on my

04:23

desktop and a screen will pop up and

04:25

it'll say hey somebody in such and such

04:27

State somebody in such and such place is

04:29

trying to log in and you can approve or

04:31

deny we maybe became a little bit lacks

04:34

with approving and denying that and and

04:36

of course we know where our team works

04:38

and they're all spread out in different

04:40

states and so whether it wasn't me that

04:43

approved it somebody that had access

04:45

that's logged in could approve somebody

04:46

else and we believe that was the

04:48

vulnerability point and if you say try

04:50

another way it wasn't a text message

04:52

code situation that happened it was that

04:55

approver deny and Mel Melissa on her

04:58

team mentioned that I think she saw one

05:01

pop up was suspicious of where it was

05:05

did not click it but I think someone

05:06

else on our team clicked to prove

05:10

um and so that's all I know that at that

05:12

moment though once they got past

05:15

two-factor authentication Google said

05:18

they changed the code to a physical USB

05:21

key so you can coach us on that a little

05:24

bit later of how powerful that would wow

05:25

we had one of those but then they took

05:28

over by now we were pushed out and it

05:31

was also interesting is some of our

05:33

managers who did not didn't have

05:34

authority were still in there so they

05:36

started watching them making changes

05:38

they watched them videos to private they

05:41

watch them and thank God they didn't

05:42

delete that's terrifying yeah so they

05:45

made the videos all private they didn't

05:47

private the live stream so the main page

05:48

is all private the live streams were

05:50

like still public half of them were

05:52

privated and then what was also super

05:54

funny was after the channel was hacked

05:56

it became Tesla official they delete the

05:58

out page they changed the cover the logo

06:00

they try to do a live stream and one of

06:02

our managers shut it down because they

06:03

were allowed so that was even funnier

06:05

like so it's almost like they were kind

06:06

of fighting back and forth inside of

06:08

there ultimately there's only so much

06:10

you can do if they already have access

06:12

to the highest level and then all the

06:14

managers out so it's just them and we

06:16

also then had a schedule upload because

06:18

we upload our podcast on Tuesday and on

06:20

Thursday and so a video came out with no

06:23

thumbnail because we had it uploaded one

06:24

and so all of a sudden my latest video

06:26

dropped on Tesla official and some

06:29

people saw it and they're like did you

06:30

get hacked where'd all your other videos

06:31

go is this the right channel did someone

06:33

steal Sean's content and so oh my

06:36

goodness you reach out to we started

06:39

with tweeting YouTube on Twitter which

06:41

is what they tell people to do although

06:44

all they did was send us to the main

06:45

page where we had to fill out email and

06:48

reach out to Google support and I did my

06:52

friend Benji Travis who you know

06:53

co-author of YouTube Secrets he said try

06:55

to make you know try to really blow it

06:57

up and get everyone to share I don't

06:59

think they expedited anything which is

07:01

fine it is what it is but because it

07:03

took a while it was a while to get

07:05

responses it was days to get a response

07:07

it was you know 48 hours then it was

07:10

like a while to kind of go back and

07:12

forth and get some things going and so

07:14

for 10 days the channel was down but

07:16

eventually mid mid that process the

07:20

hacker got kicked out but they then

07:23

slowly started restoring our channel to

07:25

us and then when we got it back

07:27

[Music]

07:28

um so the attackers changed the YouTube

07:30

channel name from think media podcast to

07:32

Tesla official I'm reading an email they

07:34

sent they summarized it right they

07:35

removed the team's emails no longer

07:37

granting them moderator they changed the

07:39

icon Avatar banner and made all the

07:41

videos change to private and that all

07:43

happened on January 11 2023. again well

07:46

when we discovered though that we got

07:48

the channel back

07:49

we turn all the private videos back to

07:52

public had to re-upload the cover and

07:55

rebuild the home page and just all the

07:57

different features because all of that

07:59

was just kind of zeroed out and um so

08:01

it's a pretty wild story it turns into a

08:03

lot of work and I think when it comes to

08:06

YouTube content creation there's so many

08:08

creators who want to get the ball

08:10

rolling and want to start growing their

08:12

accounts and want to start growing their

08:14

channels but if you're growing and

08:16

you're not protecting it in an efficient

08:18

manner and there's so many new attacks

08:20

out there that oftentimes you don't know

08:22

what you need to do to protect your

08:24

accounts then you could potentially lose

08:26

income and I feel like when it comes to

08:28

your channel as an example it's it can

08:32

absolutely affect your growth on the

08:35

platform because you're not uploading

08:37

during that time and it can affect your

08:38

income and if you have a large growing

08:41

Channel if you're depending on that

08:43

income it can really really hurt you 100

08:45

and what's interesting is I had my

08:48

friend Jake Larson who that runs YouTube

08:50

ads more for like service professionals

08:52

and experts and

08:54

he said five of their channels got

08:56

hacked

08:57

the day before Christmas oh no another

09:00

person who I didn't get their permission

09:02

who we both know so I don't know if they

09:04

want to know that they got hacked also

09:06

got hacked in one of in their channel

09:08

manager DM me and said hey we went

09:09

through this we did get it back it was

09:11

frustrating and so I had a lot of what

09:13

was interesting is a lot is subjective

09:16

but

09:17

it's this appears to be very common and

09:19

it was kind of like a wave like it just

09:21

was hitting a lot of different people

09:23

and so you mentioned a YT Steeler attack

09:26

and yes Thomas Frank said it's probably

09:31

browser hijacking or session hijacking

09:34

so what are some of those things we can

09:36

maybe tackle those of what maybe could

09:38

have happened here yeah absolutely so um

09:40

just I wouldn't I would say like eight

09:43

months ago or so uh Forbes posted this

09:45

article about this YT Steeler attack

09:48

that's what this attack is being called

09:51

and the whole point of it is to steal

09:54

YouTube authentication cookies uh and

09:57

kind of to in order to understand what

09:59

these authentication cookies do it's

10:01

whenever you you know hop on your

10:03

computer or hop on your phone and you

10:04

first log into your account you're

10:06

clicking around inside your account you

10:08

don't have to log in every single time

10:09

you change your page and oftentimes you

10:12

can stay logged in for like a month at a

10:14

time before you have to re-log into your

10:16

account and that's because because you

10:18

have cookies on your computer that are

10:19

saving your information and saving it as

10:22

this special session and if somebody

10:25

else is able to steal the code for that

10:29

session then they could use that same

10:31

information

10:32

to bypass all the credentials and log

10:36

into your account on their own computer

10:38

even though it's a completely different

10:40

machine it might be on a different IP

10:42

address it might be in a completely

10:43

different country it can work and in the

10:46

case of the YT Steeler attack a lot of

10:49

people are purporting that this is

10:51

probably malware that somehow ends up on

10:54

your machine that is harvesting that

10:57

information it's harvesting the

10:58

credentials or it's harvesting the

11:00

session ID in order to steal it and gain

11:03

access to the account so oftentimes it's

11:05

incredibly hard to know if somebody has

11:09

stolen this information until it happens

11:11

and then as soon as it happens and

11:13

they're in they start working so quickly

11:15

to change everything around to make you

11:17

lose permissions make you lose access

11:19

that you end up having a closed down

11:21

account for like 10 days like in your

11:23

example until you can finally get access

11:25

back wow and so ultimately then we can

11:29

break down what why what are the dumb

11:32

mistakes people make or just the

11:34

unknowing mistakes they make that could

11:36

allow and lead to malware getting on

11:38

their machine and is there also tools

11:41

you recommend for maybe someone saying

11:43

is their malware on my machine right now

11:45

yeah absolutely so um Malwarebytes 100

11:49

that's one of my favorite tools it's

11:51

free and you can download it um

11:53

sometimes they prompt you to pay for the

11:55

free service you can totally upgrade if

11:56

you want to but I use the free version a

11:58

Windows Defender works wonderfully well

12:01

for antivirus if you're on a Windows

12:03

computer if you're using Linux or Mac if

12:07

you want to switch to one of those those

12:09

don't seem to be as targeted as much

12:11

when it comes to these kinds of attacks

12:13

so you could totally switch operating

12:15

systems but if you're like me and you're

12:16

a big Windows geek then I fully

12:18

understand if you wanted one too so that

12:20

can definitely help and it seems like

12:23

one of the biggest ways that people are

12:25

getting attacked is through fake emails

12:29

that are being sent to them so one of

12:32

the ways is maybe an attacker pretends

12:35

or copies a YouTube copyright warning

12:39

and they email it to you it looks

12:40

totally legit but it's not so if you

12:43

click on a link within that email and

12:45

you log into your account that's giving

12:47

them access to your credentials that

12:49

could allow them to get access to your

12:51

information another way is fake

12:55

sponsorship or fake advertisement emails

12:57

a lot of people are getting those too

12:59

and luckily a lot of content creators

13:01

have been sharing those on social media

13:03

so they'll share screenshots and be like

13:05

I don't think this is real you can

13:07

oftentimes tell from the domain but

13:09

domains can also be duplicated they can

13:12

be faked so you can't really depend on

13:15

just the domain address and an email

13:17

address and an email form oftentimes you

13:20

have to look at more than just that look

13:22

at the grammar you could look up the

13:25

name of the person signing the email and

13:27

see if they're on LinkedIn or social

13:29

media and you can reach out to them on

13:31

social media and say hey are you

13:33

actually like did you send me this email

13:35

from your PR Company or from your brand

13:37

did you actually want to sponsor on my

13:39

channel and oftentimes you'll get a

13:41

reply like yes I did or no that's not me

13:43

so that's one way that you can kind of

13:45

see if somebody is sending you a fake

13:47

email or see if it's legitimate oh my

13:50

gosh I could go so deep when it comes to

13:51

just like email protection in ways that

13:54

uh these attackers are able to hack into

13:57

content creators YouTube's account just

13:59

through email oftentimes it just comes

14:01

down to making you click a fake link

14:03

that sends you to a website that looks

14:06

like YouTube but it's not so they are

14:08

able to steal your credentials so

14:10

username and password or they're getting

14:13

you to click on like maybe a PDF like

14:15

here's this PDF please check this to see

14:18

what we're looking for for our

14:19

sponsorship inquiry you click on it and

14:22

it downloads malware

14:23

um oftentimes executables or malware

14:26

will be embedded inside these kinds of

14:28

documents like PDFs or docx type of

14:31

files and those can end up downloading

14:34

onto your computer and that can be a

14:37

really really bad way

14:39

for them to actually get into your

14:41

information and steal your cookies steal

14:43

your session ID wow and and so is this

14:46

also it's what's called phishing or it's

14:49

related to fish yeah yeah absolutely

14:51

yeah so fishing is uh it's you know the

14:55

name kind of makes sense when you think

14:57

about it when you go to a lake or go to

14:59

the ocean you're fishing you're fishing

15:01

for fish and you're hoping that one of

15:03

them is gonna stick on your line you can

15:04

and then you can take it home and cook

15:06

it for dinner that night if you're into

15:07

a fish I am I love salmon it's so

15:10

delicious but online fishing is very

15:13

similar you have spear fishing where

15:15

they're directly targeting people and

15:17

then you have regular fishing where an

15:20

attacker might send out like a massive

15:22

email to a ton of content creators and

15:24

hopefully one of them hopefully one

15:26

catches on to that line and downloads

15:29

that malware because if even one person

15:31

does it then it's worth their time then

15:33

they might be able to make some income

15:35

from it especially if they're sending

15:36

out like live streams for you to I don't

15:38

know send money to a crypto wallet or

15:40

something

15:41

100 and I see this in fact you know uh I

15:45

use coinbase and I'm thinking about the

15:48

different emails I get and constantly

15:50

it's like your account's under attack or

15:52

please update your thing or you just in

15:56

fact this is

15:58

interesting and relevant once we got

16:00

hacked and I started sharing on social

16:02

media

16:03

I people tried to double hack me on

16:05

Twitter like they started saying like I

16:07

see those all the time yeah like oh we

16:09

can help like oh we we go help you get

16:12

your account back and I'll be looking

16:13

like you're just a little sketchy

16:15

account on top of that and so you know

16:18

just send us your info and we'll so I'm

16:20

like what oh my gosh like what a what a

16:23

Sinister plot here of

16:25

trying to hack the hacked and so

16:30

um and and so so probably somebody

16:33

clicked the link uh maybe logged in

16:36

their credentials uh click the link or

16:38

open an email they shouldn't have right

16:41

yeah are you vulnerable from just

16:43

clicking a link potentially yeah you can

16:47

be

16:48

um a lot of times there are malicious

16:50

websites where as soon as you visit them

16:53

they might try to start scraping data

16:56

from your computer from your session or

16:59

from your machine that you are using and

17:02

from that data that might be able to

17:04

scrape enough information about it to

17:06

you know either get you to automatically

17:09

download some kind of executable or some

17:11

kind of malware or they might be able to

17:13

steal enough information to gain access

17:15

to your accounts one way that you can

17:18

tell if an account is malicious or not

17:21

is if you which don't click on Links at

17:24

all one extension I use in Chrome is

17:26

called u-block origin it's completely

17:29

free it starts with the U block origin

17:31

and that one will trigger a little

17:34

response within the browser that says

17:36

hey this is a potentially malicious link

17:38

do you want to proceed and it gives you

17:40

the option to proceed yes or no

17:42

oftentimes I find that it is a little

17:45

bit trigger happy when it comes to

17:47

awarding you but it's a good thing to

17:49

have if you want to be extremely

17:50

cautious and extremely skeptical when it

17:53

comes to Links in your email another way

17:55

to completely bypass clicking on links

17:57

in email is just to go straight to the

18:00

YouTube Studio because if you're going

18:02

to have a prompt about like a copyright

18:04

notice or a warning on your account or

18:06

if there's some kind of like advertising

18:09

Revenue issue sign into your AdSense

18:11

account directly as opposed to clicking

18:13

on a link in your email or go to

18:15

studio.youtube.com and log in directly

18:17

as opposed to clicking on an email

18:19

because any of those prompts you're

18:21

going to see on your dashboard they're

18:22

not just going to send it to your email

18:24

they're going to put it on your

18:25

dashboard as well so that it's very

18:26

clear and you can respond directly to

18:29

YouTube or to AdSense or whatever some

18:32

attacker is trying to steal from you

18:34

[Music]

18:35

this video is brought to you by stream

18:37

yard stream yard is our go-to platform

18:40

for streaming to YouTube and Facebook

18:41

with an incredibly easy to use interface

18:44

for built-in branding transitions text

18:47

lower thirds and seamlessly bringing on

18:49

guests it really is one of the best

18:50

options when it comes to live streaming

18:52

and what's so cool is they've

18:54

implemented a brand new feature called

18:55

local recording take control of your

18:57

audio and video with local recordings by

19:00

separating out your audio and video from

19:02

your guests this feature gives you the

19:03

control over your content for later use

19:06

making it perfect for podcasts and video

19:08

creators just go to streamwoodthink.com

19:10

to get started now

19:13

so powerful now you shared three tips

19:16

and then you may have others in far as

19:18

far as like well what do we do to

19:20

protect ourselves how do we solve this

19:21

problem and on Twitter you sent

19:23

you mentioned number one use ubico to

19:26

protect your account from two-factor

19:28

authentication phishing I looked these

19:30

up they're little USB keys or USBC uh

19:34

that you plug into your physical machine

19:37

it looks like they're right around 50 60

19:40

70 on Amazon where's mine oh I have one

19:44

here yes that's what it looks like I

19:47

have a sticker on mine so I can tell

19:48

that it's mine that's how I identify it

19:51

but yes you can pick these up for you

19:53

know less than 50 bucks I recommend

19:55

getting two

19:57

and you can register any account online

20:00

that accepts Hardware tokens or Hardware

20:03

keys for multi-factor authentication you

20:06

can plug one of those in and use it to

20:09

log into your account the way those work

20:10

is you type in your username and

20:12

password you click on on login and then

20:15

on a next page it'll say like hey you

20:17

have to plug in your Hardware Key and

20:19

click on it in order to authenticate

20:21

your account and allow you to

20:23

authenticate and log into your account

20:25

this is kind of an upgrade from using

20:28

codes that are sent to your email is

20:30

sent to text message and it's also an

20:33

upgrade from using an application that

20:36

generates little six digit codes and

20:37

you've probably seen that happen a lot

20:39

with like if you're logging into your

20:41

bank they might send you a six digit

20:42

code or your ISP or your uh your email

20:47

address even a lot of them automatically

20:50

force you to set up 2fa and you might

20:52

not even know it's happening but then

20:54

you get sent the six digit code you have

20:56

to type it in within like 60 seconds to

20:58

log in the problem with that though is

21:00

when you're typing in these codes if

21:02

somebody's stuck malware on your

21:04

computer they could be watching your

21:05

screen and they could get that code and

21:07

they could get your username and

21:08

password so if they have all three of

21:11

those little pieces of information that

21:13

you type in then they could log in no

21:14

problem the thing with the hardware key

21:16

is they can't duplicate it because they

21:18

don't have the hardware key so unless

21:20

they're like in your house and they

21:22

steal your key they're not going to be

21:24

able to log in so if they're trying to

21:26

log in with username password and

21:28

Hardware Key they're going to get stuck

21:29

they're going to get blocked by that

21:31

brick wall made by the ubikey Google

21:34

makes one called the Google Titan and

21:36

it's going to stop them right in their

21:37

tracks and they won't be able to log in

21:39

now if they have somehow stolen your

21:42

session ID like with the YT Steeler

21:45

attack this is the big reason why we

21:47

don't get want to get malware on our

21:48

computers that could allow them to

21:50

bypass 2fa but that doesn't necessarily

21:53

mean that you shouldn't have a hardware

21:55

key on your account because that that's

21:57

going to protect you from even more

21:59

attacks outside of YouTube stealer that

22:02

are that might potentially try to hit

22:04

you from other various circumstances so

22:07

you should be taking a kind of a

22:09

holistic approach to online security and

22:11

privacy when it comes to your account

22:13

and trying to think like a hacker like

22:15

think of all the different ways that an

22:17

attacker could potentially get into your

22:19

account and make sure that you're

22:20

protecting it even further try to take

22:22

it a step further so you're never the

22:24

low-hanging fruit because the higher up

22:26

you are in in terms of security and

22:29

privacy the better off you'll be and the

22:31

less likely you will be a Target and if

22:34

you were in a situation where

22:37

question one you're an individual

22:39

Creator so you get one of these physical

22:41

keys and I will Shannon's got some

22:44

resources and some videos on this she

22:46

reviewed some we'll link those in the

22:48

show notes as well as uh do you

22:50

recommend yubico over Google's Titan I

22:53

do and the main reason is because

22:55

they're not very expensive so they're

22:58

honestly it's like it's an upfront cost

23:00

and then it's free to use forever until

23:03

like you break one or lose one and then

23:05

you re-buy like just buy a new one

23:07

um and it's they have a lot of different

23:10

options so Google Titan has a few

23:13

different options which will round you

23:15

out pretty well but if you want to use

23:17

them across all sorts of different

23:19

platforms like I'm a I'm a tech reviewer

23:21

so I have like an iPhone and I have a

23:24

Android device and I have a Linux box

23:26

and a Windows computer so I need all

23:29

sorts of different ports NFC Bluetooth

23:30

whatever so I have a bunch of different

23:33

ubicos uh and that way I can use um

23:36

across the board like across any of the

23:38

different browsers that I have or

23:40

different operating systems that I have

23:41

the nice thing about it too is whenever

23:44

you set one of these up on your YouTube

23:46

account you can set up multiple of them

23:48

so if you're worried that you're going

23:49

to lose one don't be like just buy two

23:52

set them both up at the same time store

23:55

one away in a safe or like if you have a

23:58

bank safe at your bank you could store

23:59

it there just store it somewhere safe

24:01

and secure where like nobody can get to

24:04

it and then use your other one whenever

24:06

you need to log in and like we mentioned

24:09

earlier with cookies and sessions

24:11

cookies and sessions allow you to stay

24:13

logged in for a long period of time so

24:15

you don't have to use it every single

24:16

day you're only going to have to use it

24:18

whenever you need to set up a new

24:20

account set up a new computer or a phone

24:24

or if for some reason you've erased all

24:27

your cookies and you need to re-log into

24:29

your account then you would need to use

24:31

your ubico again so you don't really

24:33

have to carry it around with your

24:35

everywhere or anything like that like

24:36

it's not very inconvenient to use I have

24:39

one that I generally just keep plugged

24:41

into my computer in a secure space and

24:43

then my other one I keep in a secure

24:45

place that nobody knows about it's a

24:47

secret place so if you're an individual

24:51

Creator getting two would be smart

24:53

exactly you just described if you were

24:56

in our case and there were some people

24:58

that you wanted States apart would you

25:01

get five or ten of them and and mail

25:04

them out and get them all so that that

25:07

anybody that needed to be at that level

25:08

would have this physical

25:11

ubico USB drive at that level absolutely

25:15

and in fact a lot of companies have been

25:17

doing that this year

25:18

um for example there's a big company

25:21

called cloudflare they're in charge of a

25:24

bunch of connections online they make

25:26

sure that your connections work and they

25:28

protect you from attacks on the internet

25:30

if you have a domain with them without

25:32

going into too much detail about

25:33

cloudflare themselves they're a very

25:35

large company with tons of employees

25:37

they were attacked last year and this

25:42

this attacker was trying to get into

25:43

employee accounts trying to fish them

25:46

for information trying to get somebody

25:47

to get accidentally give them like their

25:50

username and password in 2fa code but

25:52

they got locked because they were using

25:54

Hardware keys so because the attacker

25:57

didn't have one of these Hardware keys

25:58

they weren't able to get in due to that

26:01

cause like that's a great example of

26:03

what you know us Youtubers with a team

26:05

of like 20 or less people even more than

26:07

that if you if you have a big team you

26:10

can just buy two per person and have

26:12

each person set up a couple of them just

26:15

walk them through it's really really

26:17

easy to set them up have them store one

26:19

away have them keep one on their

26:20

keychain or whatever is more convenient

26:22

for them and then they can use that to

26:24

log in and then like every maybe every

26:27

week or every month or so you could even

26:29

like ask them to delete their cookies

26:31

and refresh their browser history so

26:34

that if there was some kind of malware

26:37

on their computer that was trying to

26:38

steal their session ID then the session

26:40

ID gets refreshed and they would have to

26:42

re-log in and use that new use that

26:44

ubico one more time when you mentioned

26:46

that I believe her name was Melissa who

26:48

had if she had mentioned that she saw

26:50

the approve or deny request on her phone

26:53

so that's an attack which is currently

26:55

being used by a lot of attackers called

26:58

2fa it's where they're trying to get you

27:01

to just approve it just to prove that

27:04

that request it's called 2fa fatigue and

27:07

that's where you just get so tired of

27:09

seeing the approve or deny that

27:10

eventually you're like oh it must be

27:12

somebody on my team like it's 9 9 pm

27:14

whatever I'm tired like I'm just gonna

27:15

hit approve and it's fine like it looks

27:18

legit right so it must be legit 2fa

27:20

fatigue has been used for a lot of these

27:22

companies Reddit twilio I believe Uber

27:27

was one of those so a lot of companies

27:29

have had their 2fa bypassed or attacked

27:33

specifically because these attackers are

27:35

getting smarter so by upgrading to

27:37

Hardware keys not only are you

27:40

protecting yourself from you know

27:41

potentially somebody sealing your codes

27:43

but also these uh 2fa fatigue requests

27:47

so make sure that everybody has one of

27:49

these and it's it's a much better way to

27:52

protect yourself

27:53

I we were in 2fa of fatigue

27:58

and we got comfortable yeah or like any

28:02

we're like yeah this is cool and it's

28:03

safe you know we're all whether we're

28:05

logged in just approved like people are

28:07

doing it all day every day and as you

28:09

scale you know this we got to have you

28:11

back sometime in the future because this

28:12

is an ongoing conversation and ongoing

28:15

challenge obviously because as you scale

28:18

you get more people and some of this

28:20

stuff feels like it is it's just it's

28:22

kind of frustrating and you're like how

28:24

do we do this at scale how do we you

28:26

know keep people safe and uh another

28:29

thing that might be interesting to you

28:31

was

28:32

we're pretty sophisticated maybe the ant

28:35

the better thing to say is we are pretty

28:37

unsophisticated as a company and we need

28:39

to grow up and become sophisticated and

28:43

you know I started shooting videos of

28:45

course like all creators like just in my

28:46

bedroom and solo Creator and then

28:49

eventually started growing team and and

28:52

even having like a website you know now

28:55

we have like an HR department like

28:56

whatever but like we um had a majority

29:01

of people were just using their own

29:02

personal emails

29:07

media.com and so even having yeah but

29:11

even any thoughts on that yeah actually

29:15

um that's that's actually a really smart

29:17

idea is to move everybody to a like

29:19

think media account or something similar

29:21

to that and one thing to consider is do

29:25

you publicize the email address that you

29:27

log into YouTube with

29:29

and if you do that could give an

29:32

attacker

29:33

extra information that they could use to

29:35

potentially breach into or hack into

29:37

your account so I'll give you an example

29:40

um I use uh I don't know I'll use Sailor

29:44

Moon gmail.com that's not really my

29:46

email address so don't try it but let's

29:48

say I'm using Sailor Moon gmail.com to

29:50

log into my YouTube account and I put

29:52

that on my about page on my YouTube

29:53

channel and I say this is how you can

29:55

contact me if you want to do like ads or

29:58

sponsors or promotions or whatever and I

30:00

get this email from somebody and it says

30:02

uh um there was a problem with your ad

30:04

revenue and you have to log into this

30:06

link and it's to the Sailor Moon

30:08

gmail.com account the same one that I

30:10

used to log in if I see that I'm going

30:12

to think oh this might be legit so I

30:15

should probably check my ad Revenue so I

30:16

get paid this month because ooh I gotta

30:18

pay my mortgage

30:20

if you're using a separate account for

30:23

your logins then you are for public

30:26

information then the attacker is going

30:28

to get the public email and try to email

30:31

you there but if it's going to an email

30:33

inbox that is public that is not the one

30:37

you used to log in then you would know

30:40

immediately that would be a red flag

30:42

that somebody is trying to hack into

30:44

your account because Google is not going

30:47

to send you an email to the public

30:48

account when they can send it to the

30:50

email that you use to log in the

30:52

legitimate Google knows what that login

30:54

is knows that email address but nobody

30:57

else should if you're keeping it private

30:59

so why would Google send you an email to

31:01

your public one

31:02

that's a big road flag so

31:04

anybody out there who is just using like

31:07

one email address to log into all your

31:09

things make your likes just transfer

31:12

your YouTube account to a different

31:14

email address and make sure it's private

31:17

like don't tell anybody what that email

31:19

account is and then set up set it up

31:21

with 2fa and that way the only emails

31:23

you should get there are legitimate ones

31:25

from like Google

31:26

and I think we had changed the front

31:29

facing email but because I started think

31:32

media back in 2010 I sometimes would use

31:37

it as like my main Gmail and even sure

31:39

yeah people you know like business

31:41

connections so like a small group of

31:43

people and that might not have been the

31:45

vulnerability point but your tip there

31:46

is use a separate Gmail for your YouTube

31:49

account that's dedicated right yeah that

31:52

is not shared not for in and outbound

31:54

just for logging into your precious

31:57

YouTube Just yeah just for logging in

31:59

like just almost treat it like a

32:01

password like you wouldn't tell anybody

32:03

your password don't tell anybody what

32:05

the email address associated with your

32:07

YouTube account is either that obviously

32:10

is going to work better if you're just

32:12

one a one-person operation but if you do

32:15

have a team then maybe require them to

32:18

use a separate email account to log in

32:20

as well and don't give them any access

32:22

or permissions on their public email

32:24

addresses smart so good and then another

32:28

tip you shared was audit online security

32:30

especially connected third-party apps

32:33

whatever yeah what those could be

32:35

so third-party apps are applications

32:38

that allow you to like stick add-ons

32:41

onto your YouTube channel

32:43

um some of the ones that I use are like

32:45

vid IQ uh tubebuddy those are like

32:48

third-party add-ons for your account

32:50

usually those are going to authenticate

32:53

with your account via this thing code

32:55

called oauth which is a secure way to

32:58

log into your Google account and

33:01

basically pair the two

33:03

accounts together your YouTube account

33:05

and then the third party add-on and

33:07

those are really great and very

33:08

convenient because they let you do all

33:10

sorts of cool things but if you're kind

33:12

of slap happy when it comes to adding

33:14

things to your YouTube account you could

33:15

add something that's malicious I don't

33:18

think that vid IQ or tubebuddy are

33:21

malicious in fact I love those add-ons

33:23

they're amazing and they've helped me

33:25

grow my business but when it comes to

33:27

like other just random things that you

33:29

might find out there that somebody

33:30

randomly recommended do some research

33:33

you know see if they do their own

33:35

security audits for their own company

33:38

see if they allow you to log in Via

33:41

oauth or if they require you to type in

33:43

your username and password in for

33:45

YouTube into their product because they

33:49

really shouldn't be they should just be

33:50

using authorization through Google so

33:53

there's uh if you do see any like weird

33:56

third-party apps that you don't

33:57

recognize just deny them just close them

33:59

out and disapprove them or remove them

34:02

from your account from your YouTube

34:03

account on the back end and that's one

34:06

less thing that you would have to worry

34:07

about and I believe you can control what

34:10

third-party apps and like what browsers

34:12

and what

34:13

devices you're logged into through your

34:16

Google account that's attached to your

34:17

YouTube so you can go to those settings

34:19

through there is there any vulnerability

34:20

I'm a big Google Chrome user is there

34:23

any vulnerability of having certain

34:25

extensions on Google Chrome

34:28

that could make their way all the way

34:30

over to to mess with you somewhere else

34:33

and I'm looking at mine I have like like

34:37

rackets I have like 20 extensions so

34:39

yeah don't worry good IQ uh right now

34:43

I've got Zoom one up there we are using

34:45

one pass which we can talk about that in

34:48

a bit okay well yeah and one password so

34:52

but our our extensions that's different

34:54

than third-party apps connected to your

34:57

YouTube channel which is right about

34:58

being hacked here but any thoughts there

35:00

yeah that's a really good question

35:02

um there have been some Google Chrome

35:06

extensions for the Chrome browser that

35:08

were

35:09

allowing allowing attackers to

35:12

distribute malware through the extension

35:14

store like the online store for

35:16

extensions where you can download and

35:17

install them so that has been found

35:19

before however none of them I believe

35:22

have been used directly associated with

35:24

attacking YouTube channels not that I

35:26

know of but that doesn't mean that they

35:28

don't exist so that's another way that

35:30

you could definitely like audit your

35:32

online security for this holistic

35:34

approach is to definitely look at like

35:37

what kind of extensions you've

35:38

downloaded uh what you've downloaded on

35:40

your computer itself and see if there's

35:42

anything that you're not using day to

35:44

day for your business or for your

35:45

workplace that you could just delete

35:47

entirely or uninstall that's a really

35:49

good way to protect yourself I'm glad

35:52

you brought that up actually thinking

35:54

about kind of macro as we create a game

35:56

plan and you know I want to encourage

35:59

listeners stick around because I've got

36:00

some juicy questions just about the