As many as 23 million YouTube accounts may have been compromised as a result of a massive coordinated cyber attack carried out over the past few days. The attackers reportedly managed to bypass YouTube’s two-factor authentication (2FA) and effectively took over victims’ accounts.

Among those affected are several prominent YouTubers — most of them involved in the auto-tuning and car review sections of the video-sharing portal.

Victims Lured To Phishing Sites

The security breach was first highlighted by a ZDNet report, which claimed that malicious actors used a phishing attack to hijack target accounts. More specifically, they used ‘spear phishing,’ a type of email spoofing that targets highly specific individuals or entities in an attempt to obtain sensitive information such as login credentials or credit card details.

Spear phishing attacks are more often than not motivated by the prospect of financial gain, which seems to be precisely the case in this recent breach on YouTube.

The modus operandi used by the attackers is actually pretty simple. It would begin with the victim receiving a malicious email containing a link to a seemingly legitimate Google login page. The unsuspecting recipient would follow the link and enter their login credentials, which would then be transmitted to the attackers.

Once in possession of the victim’s Google login details, the attackers would bypass Google’s 2FA to gain control over the target YouTube channel. Then they would reassign ownership of the channel to a new party.

At the same time, the attackers would alter the channel’s vanity URL, misleading the owner into thinking the channel had somehow been removed from YouTube’s servers.

YouTube Denies Any Knowledge of the Attack (So Far)

At the time of writing, YouTube hasn’t yet released an official statement acknowledging or denying any large-scale coordinated attack over the weekend. That stands in stark contrast with ZDNet’s investigation into the issue, which is largely based on input from people who have been on the receiving end of the breach.

Meanwhile, Forbes claims to have contacted YouTube over the issue, only to be told that the platform didn’t witness any major security issues in the past few days.

YouTube did, however, warn its users and content creators to use 2FA as an added layer of security to better protect their accounts. Yet the fact that the attackers reportedly managed to circumvent 2FA hints that they were probably using a reverse proxy toolkit to intercept the codes sent by the 2FA mechanism before they could reach the intended recipients.

Popular YouTubers Hit Hard

Although the attackers appear to have primarily targeted popular YouTubers, a large number of smaller YouTube channels were probably also targeted, especially if the claim of 23M accounts having come under attack is true.

Many of the high-profile targets were channels linked to the car and auto sector, such as Built (130k+ subscribers), Musafir (1.3M), Maxtchekvids (~50k), and Troy Sowers (114k+), to name a few.

The owner of the Built channel posted an update on his Instagram account, claiming to have received no solution from YouTube as of yesterday. A new version of the channel is currently online with fewer than 250 subscribers and two videos.

Assuming the reports of this large-scale breach are indeed accurate, do you think it reflects a systematic lapse on the part of YouTube’s security and customer support teams? Share your thoughts in the comments below.

