The issue is that your current session allows you to just change your password without entering your old pw or any other verification or 2FA. Same with apple and icloud. You should be allowed to disable those 'convenience vulnerabilities'

Google can sometimes be half decent at flagging sites if someone reports it via their Safe Browsing form. I assume it’s partly automated and affected by the number of reports, so a bigger channel will have more people reporting the domain if they know to. But I’ve reported some sites just with their public form and it was flagged well within an hour. Another thing is apparently even if Safe Browsing flags a site, it doesn’t get blocked by chrome immediately unless you have “enhanced protection” on in chrome settings, which checks every site you visit against Safe Browsing, though of course that could be considered a privacy tradeoff. Otherwise with “standard protection”, I don’t think it will flag by default on chrome until you get the latest offline list updated which seems to happen within a day.

Silver lining here is that Linus putting the spotlight on this issue might ACTUALLY get us some kind of resolution to this ongoing, massive problem. The fact the Google has not been serious about doing something about this, and Antimalware services aren't doing enough to snuff out this crap, LTT could shed light on the issue that other KZfaqrs have been ignored for. If something can be done, I'm grateful, just sorry for all the people that have gone through this, especially those with more to lose.

The company has scaled in weird ways. Despite having dozens of employees, some aspects are remnants from when there were much fewer resources. For example, they still don't have a dedicated server admin or seemingly anyone tech aware who isn't working deadlines on videos. As a result, stuff like this keeps happening. More than once Linus, the CEO, had to leave in the middle of a podcast because something in the server room was down. They lost a NAS because no one read the logs for months as multiple hard drives failed. There are probably dozens more stories like this. They're already beyond the point needing someone looking at this stuff full time; with a second building they probably need more than one person. Instead they just scatter these responsibilities around to be done by whoever, whenever they aren't filming videos and no one is really in charge of even basic administration. I wouldn't have a hard time believing that dozens of employees not only had credentials but were perpetually logged into LTT and didn't even have session management. That is, the LTT account was exposed as all these people were logged into it in Chrome browsing random BS during lunch break, waiting for videos to upload, etc. Because that's the kind of thing you do when it's just you and your buddy running a little KZfaq channel and you never change your behaviors as the business grows.

1 month of no MentalOutlaw, time to start catching up

Good thing it happend to linus. Hes the one most likely to make a giant wave in the YT community to force YT to finally do something.

This is a real "hard-R" moment.

LTT isn't my first stop for technical information these days, but I am always interested in what they have to say. Hope they get it all back up and running soon!

Memology got hacked a few months ago and got his channel back after like a week. I was surprised they didn’t use it as an excuse to just nuke his channel.

>Sir, they've hit the second channel >I know (smiles and does the soyface) Oh sh-

Imagine giving "tech tips" while being so tech incompetent.

The most funny thing is Linus will probably make this topic his most profitable video in a long while when the channel is restored.

Didnt think cookie hijacking was still a thing specially for google accounts. I guess it doesn't take that much to spawn secret hidden browser session in the infected computer. Honestly I think it can happen to anybody.

Tesla Tech Tips

Linus mentioned your video on LAN show. Dang you got in fast.

linus is very good about not shying away from the times that hackers and scammers got to him in order to educate everyone. He NEVER shames anyone for getting scammed or hacked but instead raises awareness so others can protect themselves.

I can't believe YT didn't fix this cookie shit yet... I've seen numbers and numbers of creators get hacked

"Just the tip" -Linus

I'm genuinely surprised that this issue hasn't been fixed yet, or at least had some kinda stop-gap put in place, like needing 2FA to change the password if you have 2FA on, or vise-versa.

This happened to me. It finally disappeared after I wiped my hardrive. It's 100% a malware hack. Someone downloaded something.

Considering they ran ZFS servers as core infrastructure for years without scrubbing, I wouldn't be surprised if they used KZfaq as a backup repo lol

not suprised with the session hijacking, but how the hell are they changing the password and 2fa after? even if they are already "logged in" anything that needs a password or 2fa should be inaccessible unless they got those some other way. unless there was some huge oversight from google where that could be bypassed somehow, which would be absurd.

It would be funny if it ends up they got hacked by downloading something from one of those fake Google ads. Linus has a strong opinion against adblockers, and an adblock could've prevented this if that was the case. On the other end, if it really was a fake ad, then Google might finally start cracking down on them, now that they got egg on their face.

One of my favorite channels got Elon-hacked 3 weeks ago proably 30-50k subs. Their channel is still banned/deleted today. Not sure if they'll ever get it back. Google needs to do something about this ASAP!

the ironic thing is since they use that same video there is no reason youtube couldnt auto block it and immediatly recognize its a hack. also surprised the fbi hasnt taken down that site.

He dropped his security. Bound to happen.

You’d think Linus fans who are smart enough to assemble a gaming pc won’t send their cryptos to a hacker’s scam site.

Linus once pointed out in an interview about their old stuff, that those weird placeholder videos are videos that they had deleted, but when KZfaq recovered everything from the previous hack, they also recovered videos that had been deleted.for years. I don't know why they havent deleted them again. Many channels have previews and drafts of upcoming videos on their channels temporarily. Apperantly deleting those doesn't really make them go away.

It was not just $7000. They cycle addresses, not everyone gets the same one.

A music creator called VectorU (90k subs?) got hacked late last year and also got the channel back after a few days. So while I'm sure Linus does get special treatment it's not like everyone who isn't huge is completely screwed.

Remember when this happened to Nathaniel Bandy. Two of his channels were rather secure, but his third was tied to an old Hotmail account. He then said that the hacker didn't begin the takeover immediately, reasoning they wanted to get the passwords to the other channels.

What gets me is that its so easy to prevent this hack. Just require someone to log in (again) before they can livestream or private all videos.

I would love to know which person on the staff accepted the fake sponsorship that usually leads to these hacks. They give people a sponsorship email, get him to click and get temporary access to there system without having to do two factor Authentication

Memeology101, an absolutely based channel, still got his channel back after this hack happened to him even though KZfaq probably doesn't like him.

This is honestly entirely KZfaqs fault. For all channels above a certain subscriber count, maybe 100k, there should be an option to have a manual verification, done by an actual human being at KZfaq where they call the number linked to your account (that cannot be changed by you, only by KZfaq with identity verification) for every major change made to the channel, such as a video upload, delete, name change, etc. that way it is literally impossible for stuff like this to happen without the number being compromised.

Congrats on the shoutout from the WAN Show! (1:30:00)

Totally agree with what you said in the end. A separate Linux machine makes things much more secure, and Google allowing to change password without requiring the old password is downright negligent.

Still not nearly as embarrassing as that cybersecurity youtuber who fell for a phishing email.

Apparently the scammer had sent an email purporting to be a sponsorship or advertising offer to one of his employees and the pdf file in the email had contained the malware.

I Like your BSD idea for future me if my channel gets anywhere good in the future . Appreciate the video to spread awareness to this scam more, I hope the algorithm favours this to be seen by as many people as possible.

Between this and the recent "hard R" thing, Linus is having a rough month lol. Thanks for explaining how this hack works, was always curious how they just got around the 2FA so easy.

i've actually seen channels with like 200K subs hacked like this and getting their channel back

Nice one with the Thumbnail - best meme out of this I've seen so far

Happened to me last year after i lost internet and had to connect to a public network, was insane to me at the time that 2 factor didn't help at all luckily twitch helped me out after 4 weeks, alot more careful now but thanks for explaining how it happens in a bit more depth, people really should be more careful, it changes your profile to a tesla logo and plays random elon interviews, nothing more shocking then being told "hey, you're live?" when you're not

I was a victim of that cookie hack yeaaaaars ago before it became popular to do it. Ever since I've gotten a lot more careful about downloading things, especially stuff sent by less tech-savvy friends. You can be the most careful person alive but if only just one of your friends is naive, they're gonna get to you too, through them.

Anyone and everyone can get hacked. This insanely toxic mindset of "You're a tech channel, how could you possibly get hacked?!" is seriously getting tiring. Its never been a question of "if", its always been a question of "when". Its like saying "You're a fitness trainer, how could you possibly gain any kind of fat?" or "You're a mechanic, how can your own car break down?!" Get over it. Shit happens.

great content man. Really like this style of video from you

You were absolutely on the ball. His session manager was hacked because some employee downloaded a malware

I've seen this happen to over a dozen channels just in the past few months. Really turning into an epidemic now.

What I've read about this hack of KZfaq creators is that the malware is sometime distributed through a "sponsor proposal", with a infected pdf We don't know if it's the case here though...

Great video, great advice, that unfortunately probably won't get followed, and this type of thing will probably continue to keep happening.

Great advice totally going to take those tips for my future endeavors with my business partner on our upcoming channel project this summer 🌞

7000 bucks is a lot of money but honestly it’s probably way less than they would get from hacking most other channels this big. Linus’ audience being more tech savvy means more of us would immediately recognize this scam compared to the audience from, say, a vlog channel. Plus quickly getting the redirect flagged.

I was wondering why their videos were clogging up my notifications. That literally just happened this morning, so you got this video out hella quick!

You would think KZfaq/Google would’ve implemented some algorithms to detect when a high profile channel suddenly changes its password, 2fa, channel name among other things and starts live streaming. Those are all huge red flags. And should’ve automatically locked the account.

I wonder if the scammers occasionally actually do pay out the victims: not only would this convince someone that it genuinely works who then might go and try it out with WAY more money, but this also would disguise victim wallet addresses with any wallets being used to tumble the crypto.

Best thumbnail!

I love your vids and commentary, brother! Your subtle humor and focus on privacy are great.

I find that perfectly shows that even if you are an expert in the field that you are not protected from making one little mistake and loose everything.

No doubt there's gonna be an extensive breakdown of this incident on LTT coming up. It'll be interesting to find out exactly what happened (i.e., who fucked up and how).

Ah the classic "double your money" Runescape scam

Password changes should always prompt for password. Weak, Google.

I swear Linus does everything like a private company. Lowest quality, lowest costs and highest returns. Most of his employees won't get a job anywhere else.

"Log off. That cookie shit makes me nervous."

They qoute tweeted that tweet the main joking about *THIS* being their greatest tech fail.

They were using youtube as a kind of backup. Linus talked about it that it ain't ideal but its nice to have all the videos in one more place

the fact he was anti linux or mac for so long demands the question why he wasn’t hacked sooner.

Popular one is to send them scr files posing as pdf files, scr (screen saver extension) is executable in windows and by default file explorer doesn't show extensions.

I'm actually interested in statistics of victims from Linus audience who will eventually fall to this scam, kinda curious if consuming mediocre (in a good way) tech content raise situational awareness Edit: well, 7000$ is a good number

This is just sad to see, really. Because thanks to his input i was able to get my hands on the best gear for my work.

I am legitimately blown away by the fact that people fall for the double your money scam. Its the most low effort and obvious scam.

This same hack has happened to 4 channels I’ve been subscribed to. All of them recovered faster than Linus, including much smaller channels (sub 200k). It’s strange that KZfaq has not restored their channel to a previous state.

I'm still pissed that google hasn't fixed the issue where you don't need password and 2fa to change password. To be honest business/creator account should have option to password check even if you edit, add or remove videos.

Does Google not tie session tokens to IP addresses? 😕

What's actually scary is that Google can essentially decide which site is trustworthy or not in a second, blocking every normal user completely from visiting. Obviously to prevent scam like this it's not a bad thing. But they could block any website like this if they wanted to.

1:10 Linus has talked in the past about how they use KZfaq as a backup in case they use the local video files if necessary. So that is actually likely the case.

the idea of an elon musk stream just appearing on your channel one day is hilarious

I don't post videos, but if this happened to me I think I'd just quit the internet.

agreed. Google definitely needs to fix the issue of only needing the cookie. It should require the password or the 2FA or potentially a backup email.

He will monetize this hack so hard 🤣

Mental Outlaw, would you ever do a podcast? I could spend hours listening to you talking about hacks and other IT related things.

Press F to pay respects for the hard R

One way to prevent this kind of issue is to setup firewall rules to block all traffic to and from sites other than KZfaq on dedicated PCs in the office used to access KZfaq

I wonder if that was caused by the RCE that Outlook had recently and LMG uses MS Teams, so they probably use Outlook for emails as well

I'm so old I remember when it was good practice to not accept a password update without some form of authenticating the user requesting the update. And not just an existing session. Yes it's a bit annoying, but far less than getting locked out of a hijacked account.

Love him or hate him Linus has been dedicated to his work for the better part of two decades. Maybe he makes mistakes, maybe he shills for shitty sponsores, but in the end he provides quality benchmarks, covers most of the new gear and has made computer science and computer building more accessible to a broader audience. This man and his team are the MVPs and the right thing to do is to allow them to recover and not try to stir up shit from the unaired footage.

Wow man your channel is getting much much subscribes lately.

Something LTT could look into is building custom tools that upload directly to the KZfaq channel. LTT has the software engineers to build tools to access the KZfaq API for uploading and modifying channel content. Better yet, the tools could work off a intranet site so attackers would have to hack into the network to get access. There's ways around not using the KZfaq interface and risking this kind of attack.

They could've made so much more money if they made the crypto scam related to the LTT channel instead of that Dorsey and Musk stream.

Another big tech security compromised by convenience design, just like with the iPhone security incident story recently: once you've logged in there is no more protective mechanisms from completelly taking over the account and changing the ownership.

Thanks, learned some extras from your personal knowledge base!

I love that Elon is now synonymous with crypto scams.

Waiting for the Linus tech tips “How we got our KZfaq channel taken over”

How can one change the password and 2FA settings with just the session cookie? Isn't google asking for the password and/or a 2FA code, before it accepts password/2FA changes? At least when I change this setting in my account, it asks for a password and 2FA IIRC.

I saw this happen live and also got to see some unreleased shit which was cool. Hopefully they get their channel back.

eTeknix was hacked with a live scam and their channel and videos were restored, so it's good to see that "smaller" channels get taken care of

To be fair. That LMG got hacked like this isn't too surprising. They have clearly shown both on the WAN show and in numerous behind the scenes videos that both Linus himself and a fair few other people at the office are logged into the youtube accounts, mainly for uploading and responding to comments and such. To a large degree, they should segregate the channel logins away from regular workstations. Such that an attack like this becomes harder to pull off. However. KZfaq can also improve. Like having it require one to enter in the password when one wants to upload or change video information. (just like a lot of OSes asks one for the admin password when doing more advanced stuff.) The hacker would have the session cookie, but not the password, so uploading/changing content would become impossible. Same for deleting. Greatly reducing the attack vector. However, even just allowing a hacker to comment can be dangerous to be fair. And why any serious channel of decent size should segregate away their logins onto a dedicated system. Even a VM would be a step in the right direction. In regards to a wild session cookie out in the hands of hackers. This would be rather easy for Google to spot. Since the session cookie would change IP address back and forth. A red flag, especially if the new address isn't in an established location. So someone lugging their phone/laptop between office and home day to day wouldn't be asked about it more than once. But the hacker logging in from a new IP would be asked to authenticate themselves using the password before they can do anything. (however removing some of the comfort of session cookies, but honestly, session cookies are dangerous in that regard. They are a bit too easy to steal as far as maleware goes.)

15:04 RIGHT! Just what I commented earlier! There should absolutely be protections in place on ANY account so you can NOT change the password just by being logged in. That seems pretty standard to me to require the old password or an emailed reset link to change the password. The fact Google does not work like this surprises me.

Honestly, this says a lot more about Google/KZfaq security then anything. My KZfaq account is so old that it was made before Google bought them, and I was pissed when they combined them and required me to use a Google account to sign in.

C'mon we all know kenny's channel was hacked and replaced by deepfake cooking recomendation machine. Finally it's here: