YouTube channel got hacked: how, timeline, and recovery.

  • Published: 28 Sep 2024
  • How I accidentally compromised my computer as a result of a social engineering attack, resulting in a session hijack attack on my main RUclips channel, timing of it, analysis, and recovery.
    My initial very short video about the hack:
    • My main channel got ha...

Comments • 1.3K

  • @NotJustBikes
    @NotJustBikes 8 months ago +403

    I'm so glad you got your account back! That was actually pretty quick, too.
    It annoys me so much that every time I travel, I have to jump through a bunch of hoops to log into my RUclips account, including verifications on my phone, and email, and sometimes I even have to use a VPN myself just to get into my own account in a reasonable amount of time. Meanwhile, creators routinely get hacked by some dude out of Russia and Google's system seems to think it's fine. 🙄
    Also, I just checked my email, and I have that exact same email about a sponsorship with Black Magic. They really are targeting everyone. Creators have to be constantly vigilant.
    Thank you SO much for sharing this experience, so that other creators can learn from this!

    • @matthiaswandel
      @matthiaswandel 8 months ago +50

      I guess the Blackmagic thing is a good bait for creators!

    • @aarondcmedia9585
      @aarondcmedia9585 8 months ago +37

      It would literally be the easiest thing to check for:
      - large account
      - password change protocol
      - crypto video uploads
      - old video removal / hidden.
      Happens like that every time. Google, owners and developers of most advanced AI around: *crickets*

    • @BalaenicepsRex3
      @BalaenicepsRex3 8 months ago +25

      Channel name, profile picture AND PASSWORD change all at once shouldn't even be allowed, let alone from a far different IP. Not even a two-step verification prompt? It's like they're not even trying to address the glaring issue.

    • @wesss9353
      @wesss9353 8 months ago +4

      Linus Tech Tips got taken for a while, don't feel bad.

    • @dieSpinnt
      @dieSpinnt 8 months ago +1

      @@matthiaswandel My thought was: WHAT THE F is he doing, vacation, more babies, holidays (which I absolutely support ... sorry, like that was my business, just joking!)??? Because I was irritated that all the Playlists went down the drain.
      I'm glad you are back, hopefully with not that big of a chaos! Humans fall for scammers. Well ... do not use Microsoft:P (That's a scammer, too!)
      So, now do not fall victim to snake-oil. Like all of those wonderful and "honest" tips given here in the comments, hehehe:)
      While I personally would like to see a proprietary BM-camera SSD mount (OUT OF WOOD!), I am not that hyped for 8k wood pr0n.
      I grew up with the C64. So I can live with 320 × 200 pixels:P
      I wish you a smooth data recovery journey, Matthias!:)
      Edit: Documenting the Nuke with MICROSOFT Excel shows that you have balls! (or your value as a hobby-comedian, hehehe). And please do not answer this: By the beard of my Granny, what email client ALLOWS you to RUN executable files (you said .scr, I remember)??? Hehehehe, please forgive me for the schadenfreude, but also the amazement. Welcome Back, new Black Magic customer;)

  • @watcherofwatchers
    @watcherofwatchers 8 months ago +1034

    I work as a cyber security engineer, and one of my pet peeves with Windows is that they have chosen to hide file extensions by default, which makes this exact type of attack much more likely to succeed. Had file extensions been visible on the file name, it's much more likely that you wouldn't have launched that file. Nothing is foolproof, of course, because we're all humans, and we all make mistakes. (This is one of the first settings I change when I start working with files on any system I've not worked on before.)

    • @Ikkarson
      @Ikkarson 8 months ago +68

      So true! This is one of the very first parameters that I change on a new computer, mine or otherwise. I don’t get why this is an option to begin with, the mere convenience is absolutely not worth the risk.

    • @haroldpaulson
      @haroldpaulson 8 months ago +95

      And you can repeat this complaint for email clients that just show the sender name and not the email, and especially the envelope sender.

    • @Farlig69
      @Farlig69 8 months ago +30

      First thing I do when given a new windoze machine is switch that back on, I abhor not seeing the extensions....

    • @sliceofbread2611
      @sliceofbread2611 8 months ago +14

      This is the same thing I thought when he mentioned that the file type was a screen saver..
      When I switched to a new Windows, this stuff annoyed me so I changed it back.. and I do this for every computer I use, even if it is not mine, people either do not notice or thank me for it..

    • @stellamcwick8455
      @stellamcwick8455 8 months ago +27

      I can’t stand not having extensions visible.

  • @qkrotor
    @qkrotor 8 months ago +264

    Shining this much light on this type of scam is immensely useful. Sorry it happened, and thanks for the detailed info.

  • @zqzj
    @zqzj 8 months ago +132

    "Microsoft Defender didn't find anything"
    I feel your pain!

    • @RFC3514
      @RFC3514 8 months ago

      Microsoft Defender is actually well above average, as AV software goes. This was apparently a custom executable, so no AV software would have flagged it as a known virus.
      AV software isn't a replacement for not running random executables from sources you didn't even bother to check, just like having a functional immune system doesn't mean you should lick random objects left on your doorstep.

    • @markae0
      @markae0 8 months ago +1

      20MB file is probably why

    • @BillyRichardson
      @BillyRichardson 8 months ago +13

      Antivirus works on patterns and signatures. If this is new or custom malware that doesn't use common patterns, no scanner will find it until their definitions are updated.

    • @MSI2k
      @MSI2k 8 months ago +10

      I don't think this is a Defender issue. They probably encrypted the malware itself and are using a custom bootstrap.

    • @Lizlodude
      @Lizlodude 8 months ago

      @@droopy_eyes To clarify, this *type* of scam has been around for a long time. It's unlikely that the executable is identical, and code obfuscation is quite effective. Ideally certain AV software should be able to recognize some of the patterns of obfuscated code, but using VirusTotal on a known-bad file is a great way to see how many AVs *won't* catch something. Not all malicious code is a cryptolocker; it's a bit of a farce that many people think viruses' goal is to slow down their computer. Often the worst pieces of malware are the ones that seem to do nothing, or exactly what they claim to do.

  • @joe-edward
    @joe-edward 8 months ago +7

    As soon as I saw your update that you had control of the channel again, I went in and began rewatching all of your videos, hopefully triggering YouTube to recommend them to others. Glad you're back in control!

  • @stevenmusante4681
    @stevenmusante4681 8 months ago +36

    I knew someone I followed was hacked but I couldn't figure out who. I'm glad you got it back so quickly.

    • @heyjustj
      @heyjustj 8 months ago +2

      Yeah I saw this Ripple thing in my subs and was like… who is this and why did I sub to it?

    • @bradley3549
      @bradley3549 8 months ago

      If you clicked on the channel name, and looked at the URL, it still showed the channel URL as Matthias Wandel. So it was easy to figure out if you knew where to look.

    • @sansmojo
      @sansmojo 7 months ago

      @@bradley3549 Everything's easy to figure out if you know where to look.

  • @allenpayne9182
    @allenpayne9182 8 months ago +28

    The “Session Cookie Attack” was easily fixed by RUclips. How? Even with the session enabled, if you want to change your RUclips account or delete all videos, you should need MORE than one “active session”. For example, “2-factor authentication” when deleting videos, changing account name, etc.

    • @matthiaswandel
      @matthiaswandel 8 months ago +6

      They added 2FA using the session. I think carrying out this attack and getting around protections is far from straightforward.

    • @riba2233
      @riba2233 8 months ago +5

      Looks like YouTube is unfortunately not interested in fixing this mess...

    • @sycc66
      @sycc66 8 months ago +1

      It already works like that, changing security settings (even if you're already logged in) requires authentication. But that only happens if you have 2FA enabled of course. It's been like that for a long time I believe.

    • @markm3901
      @markm3901 8 months ago +10

      Changing a password or adding 2FA should always require another password entry and not rely on a session key. Since they had your Gmail session key, a 2FA with your email would not have helped.

    • @Furiends
      @Furiends 8 months ago

      @@matthiaswandel Meanwhile I have two Google accounts that are impossible to get into because Google required two factor on them (security questions) and of course that was insane. I made them all a bunch of random numbers I have saved on a pen drive. BUT Google won't let them ever log in because two factor is required and security questions is a disabled two factor method. Pure geniuses over there.

  • @ThatEgghead
    @ThatEgghead 8 months ago +221

    Some bits to consider: There's a non-zero risk involved with your other PCs now when you used your USB drive between them. Another potential vector is any other devices that were on your network or that you had credentials for saved on the original PC, or if anything else on the network is unsecured (I'm thinking Raspberry Pis or any devices which had remote access or shared folders or the like).

    • @SuperDavidEF
      @SuperDavidEF 8 months ago +32

      Yeah. I was going to say something about the use of a USB drive to move the video file from the hacked computer to another computer. The hackers could have inserted another malware that could infect the USB and make it a vector for infecting the other computer.

    • @JanTuts
      @JanTuts 8 months ago +19

      When this happened to Linus Tech Tips, they took no chances and physically destroyed the hard drive and motherboard (BIOS) to make absolutely sure no one could ever be affected by any possible lingering threat on that PC.

    • @koetter_boater
      @koetter_boater 8 months ago +8

      @@JanTuts Also what I was thinking; with Matthias' frugal nature I doubt he would want to destroy the hard drive and BIOS if they still work, but I don't know enough about how much information from the original hack could still be on the hardware even through a clean install to know if it would be necessary or not. For sure it would be critical to also change Microsoft credentials and add 2FA if possible just to be safe.

    • @SuperDavidEF
      @SuperDavidEF 8 months ago +26

      @@JanTuts Well, they have the resources to be able to throw away computers any time they like. Also, it was content that they could use to make even more money. If I had a job where I could make money from destroying computers, I wouldn't hesitate either.
      In reality, the likelihood of the hardware itself being compromised is rather low, and the risk is low enough for the average person that it isn't worth the expense of destroying hardware.

    • @davejoseph5615
      @davejoseph5615 8 months ago +2

      He could perhaps make a backup image of the disk and then let an antivirus program scan the image.

  • @jorisdesmet8021
    @jorisdesmet8021 8 months ago +32

    Good to hear that you are back up and running again!

  • @edwardholmes91
    @edwardholmes91 8 months ago +9

    I'm sorry to hear that you were hacked, but pleased that you were able to get back in relatively quickly and mitigate any future attacks. Thank you also for sharing this, which helps to educate people and fight against these hackers/scammers.

  • @joshcryer
    @joshcryer 8 months ago +7

    Been watching you for some 15+ years. Good job man with the timeline. Sorry this happened to you. Don't click links!

  • @ScramblerUSA
    @ScramblerUSA 8 months ago +27

    Hi Matthias, before I sent you an email about this ordeal, I actually reported your channel to YouTube with a note about someone hijacking your account and leveraging your subscriber base to push this crypto crap. And advised them to reach out to the original owner. Hope it helped in locking the channel and the aftermath. Good to know things are back to normal. Keep it up.

  • @GrannyDryden
    @GrannyDryden 8 months ago +25

    As someone who works in IT, session hijacking is the number one way to access someone's session and bypass 2FA; it's unfortunately very simple to do. I stopped opening my webmail on my regular PC a while back, but instead I open a Windows Sandbox session and open my webmail there. This allows me to control what cookies are being retained by the session as well as being able to close the window if anything nefarious was to be downloaded and run. The only credentials that would be compromised were the ones I opened in that Sandbox, meaning my attack surface is a darn sight smaller and I would only have to reset those passwords and tokens, and not all my other accounts. Nor would I have to think about wiping and reloading my PC, in fear that something might have infected it. Windows Sandbox upon closing would blow away anything that got installed. It's free and baked into Windows 10 onwards.

    • @Ash_18037
      @Ash_18037 8 months ago +5

      Important clarification: session hijacking doesn't bypass 2FA. Session hijacking allows the hacker to act as if they are the authenticated user until the session expires. During that time they have the same access you do when you log in to your account. When they try to change your password, if you had previously enabled 2FA for this action AND Google/YouTube always apply the 2FA check, they would not be able to bypass 2FA and the account owner will get a confirmation SMS which they would obviously reject. The issue is even if you enable 2FA, Google for some ridiculous reason don't apply it 100% of the time when changing password/email. That is the issue.

    • @hshshejejdu971
      @hshshejejdu971 8 months ago +3

      @@Ash_18037 The lack of reliable 2FA is mental. But the problem is why, given your cookies, someone can change your password. If hackers do account recovery then phone or recovery email should be required, which I won't call 2FA; I call it a reasonable 2015+ reset password mechanism.

    • @RandStuffOfficial
      @RandStuffOfficial 8 months ago +3

      @@Ash_18037 Can they see the passwords saved in the Chrome browser with session hijacking? Normally you have to enter your Windows session password in order to see or copy them.

    • @GrannyDryden
      @GrannyDryden 8 months ago +1

      @@Ash_18037 thank you, yes you are correct. Poorly worded on my behalf. If websites made you re-authenticate with 2FA to make account changes, a lot of these attacks would be thwarted.

    • @PiefacePete46
      @PiefacePete46 8 months ago

      @@Ash_18037 : I am out of my depth here, but if they hijack an open session, would they not be able to change the contact number used for 2FA, or would attempting this trigger a 2FA check to the original number first?

  • @StumpyNubs
    @StumpyNubs 8 months ago +5

    If I am hearing you right, some of the lessons here are:
    1- Be VERY careful what you click and download.
    2- Use 2-factor authentication for your Google account
    3- A Twitter account may be helpful to contact Google if you are hacked
    4- Record your channel ID somewhere for future reference
    5- A second established RUclips account is helpful, if you have one
    What else would you recommend to help others avoid a similar situation, or to get themselves out of one?

    • @riba2233
      @riba2233 8 months ago +1

      2FA wouldn't help in this case unfortunately. You just have to be very careful with what you are opening; in general you should never open attachments from unknown senders.

    • @geoninja8971
      @geoninja8971 8 months ago

      and 4,5,6,7,8 and 9 - Be VERY careful what you click and download.

    • @StumpyNubs
      @StumpyNubs 8 months ago

      @@riba2233 Unless I am misunderstanding, he seems to say 2FA might have at least helped: 9:44 The idea is (according to a comment below): "They wouldn't be able to change the password with MFA. So once figured out what's happening, I could have changed the password, which would have killed all the other sessions."

  • @phil41055
    @phil41055 8 months ago +2

    This is more scary proof that scams can happen to anyone. You don't get to feel that your tech savviness will prevent you from being a victim. I am definitely above average on my understanding of computers, but am nowhere near as knowledgeable as Matthias. So glad to hear you got back up so quickly!

  • @antipode_ghost
    @antipode_ghost 8 months ago +4

    I hope this shows to people who think that they are too smart/savvy to be scammed, that they are also vulnerable.
    Matthias is a tech wizard with years of experience, and the scammers still managed to get him.

    • @matthiaswandel
      @matthiaswandel 8 months ago +11

      No, it doesn't. Just read the comments from all the people who "know better"

    • @Furiends
      @Furiends 8 months ago +1

      There's different levels. People less familiar with computers generally might be tricked more easily. But modern OSes are also extremely complicated and humans aren't very good at being meticulous and consistent. But in this case it's just egregious that Windows even still supports running screensavers like this.

    • @antipode_ghost
      @antipode_ghost 8 months ago +1

      @@Furiends I agree, Windows is far from ideal, but my main point is that everyone can be tired, or in a rush, or blindsided by a goal, and miss some tell-tale sign. And social engineers are getting smarter, and their schemes become more elaborate.
      Everyone is at risk, no matter how smart or savvy. And everyone should assume that everything is a scam by default.

  • @LgosseuxDbois-TheWoodpecker
    @LgosseuxDbois-TheWoodpecker 7 months ago

    I'm so glad you were able to recover your channel in such a short time, I was not one of those lucky people.
    It could have been me, again... I switched to Resolve 2 months ago and I LOVE it. I'm still using the free version; I'm going to buy the paid version only for small improvements, so again I would have been compromised on my brand new PC.... I'm so glad it ended like this.

  • @johngaltline9933
    @johngaltline9933 8 months ago +14

    Confused how it's 2024 and session cookies don't include at least the general information about the system they are created on and the location data to limit their use to the same system and location. A check box for 'only this IP' would be great too. Makes it a hassle on portable devices having to log in all the time, but having the option would be nice. At the very least, a session token should never be enough to change passwords or recovery emails... there's no excuse to not have to enter your credentials before making changes like that.

    • @matthiaswandel
      @matthiaswandel 8 months ago +6

      I think they played an elaborate game of creating lots of sessions and such to get around any algorithm that would detect this.

    • @johngaltline9933
      @johngaltline9933 8 months ago +2

      @@matthiaswandel Yeah. I get how they do it, I just don't see why a huge platform like YouTube doesn't have safeguards in place to prevent session hijacks. For someone with no budget, just playing with making websites for the learning experience, it is pretty easy to make sure a session is tied to an IP, or a general location, and/or a system with the basic specs. For a company with money, or knowledgeable people, you can tie it to exact specs of a single device with various scripts.
      I'm just confused that with as often as the session hijack seems to happen, RUclips hasn't at the least added a check box to allow people that want it to require a full log in or two-factor authentication before major channel settings or methods of access to the account can be changed.

    • @erlendse
      @erlendse 8 months ago

      @@johngaltline9933 Probably so you can take the computer with you on travels, or get a new IP from the ISP without getting logged out?
      In my experience, you do not get logged out from Google unless you clear cookies or delete the session from the Google page.
      Moving a laptop between networks clearly does not log you out. (with 2 factor etc.)
      Chrome may have some creative solutions there, but I do not know for sure.

    • @mjiii
      @mjiii 8 months ago

      @@johngaltline9933 Tying sessions to IP is not feasible in the modern world full of VPNs, laptops, mobile phones and WiFi hotspots. And if the attacker manages to execute something on the target computer they already have full access to all the hardware details which makes them trivial to spoof. 2FA is pretty much the only thing that works when the user's hardware is compromised.

    • @huanstube
      @huanstube 8 months ago +3

      In the realm of IPv4, not every device has a fixed IP, so, every time a device gets a new IP, the cookies are rendered invalid. Bad side effects. Some devices have GPS, some don't. Requiring geo location data during session cookies creation is a non-starter. How about MAC address of the device? That might work in some cases; in others, it may not. Reason being that some network device/software/driver actually swaps the real one with a dynamically generated one. And the generated one can change at anytime. Same issues as IP.

  • @doggfite
    @doggfite 7 months ago +1

    Glad to see the channel is back again, hopefully everything is fully resolved for you moving forward!

  • @petermoore4056
    @petermoore4056 8 months ago +5

    Sad to hear this has happened. It always troubles me that Microsoft Windows default behaviour is to hide file extensions, it would be a massive help in these times when you have no idea what type of file you're opening.

    • @boots7859
      @boots7859 8 months ago

      It's pretty simple to change that behavior by going into the File Explorer control panel. Most people who are smart enough to even know what file extensions are/do have already done that. And realistically, most crims are able to use a vuln/exploit on most file extensions so it wouldn't matter that much. These crims were pretty basic, just smart enough to use a spell checker and well written bait.
      I think the mention of $6K got Matthias' interest enough that he totally missed it was the old .screensaver exploit known about for 2 decades....

  • @HerreroTaller
    @HerreroTaller 7 months ago

    I think that sharing these events with the level of detail that you have done is what helps the most to avoid it in the future and be better prepared... It is a shame that the services and companies are not very efficient in helping the user. Excellent, Matthias, and thanks for sharing.

  • @esotericsean
    @esotericsean 8 months ago +3

    Glad you got it back so quickly. I'm going to take some notes here for my own RUclips channel.

  • @thomask4836
    @thomask4836 7 months ago

    Dear Matt,
    I am so sorry to hear this happened to you! I remember when John Heisz got hacked as well and my heart went out to him as well. I'm happy to hear things are resolved. Hats off to your logical way of thinking in regard to protecting the highest asset first and working your way down! Smart Thinking! ! ! ! !
    Best Wishes and Take Care,
    Tom

  • @markelder1345
    @markelder1345 8 months ago +3

    Glad you’re back & thanks for sharing this experience!

  • @shubus
    @shubus 8 months ago +4

    Thanks for documenting your experience, Matthias. This is a good warning for other YouTubers.

  • @FinalSparkLux
    @FinalSparkLux 7 months ago +4

    Glad to see you got your channel back...again... ☠ Just wanted to say don't forget to change your handle back too, it's still the bitcoin one they changed it to as of writing this. Hopefully this never happens again, can't imagine how horrible it must feel to happen once, never mind twice 😨

  • @kasroa
    @kasroa 8 months ago +4

    Is there any good reason why they want you to be logged in to report being hacked? Seems like the most ludicrous and bizarre requirement, it just baffles me. It's the equivalent of reporting your car stolen and the police asking you to drive it down to the station so they can take a photo of it.

  • @shawnbait
    @shawnbait 8 months ago +1

    One of the only RUclipsrs that could make the timeline of getting hacked interesting.

  • @skyrocketautomotive
    @skyrocketautomotive 8 months ago +3

    Jesus, what a stressful 6 hours that must have been! I'm so glad you were able to get things up and running again, and I'm sorry these bastards found a way through, it's not like you aren't an intelligent person. It's scary that they always seem to find a way to slip the net.
    Best of luck for 2024!

  • @Makebuildmodify
    @Makebuildmodify 8 months ago

    I'm happy to hear that you got the account back and up and running. It was "good" of them to set the videos to private instead of deleting them all.

  • @GabrielWB
    @GabrielWB 8 months ago +4

    Still embarrassing that the fastest way to Google support is by going through friggin Twitter. You'd think they would have improved this process after some big channels (like LinusTechTips) went through the exact same adventure some time ago.
    I do wonder if they are as fast and responsive for people with tiny channels.

  • @mattmorrisson9607
    @mattmorrisson9607 8 months ago

    Oh crap! That must have been a whirlwind of emotions that night! Glad you're back Matthias!

  • @MrPoelepoele
    @MrPoelepoele 8 months ago +16

    Session hijacking bypasses MFA, since the session cookie they're stealing is from an already authenticated session.
    Meaning they don't have to log in, and MFA wouldn't have stopped this.

    • @matthiaswandel
      @matthiaswandel 8 months ago +16

      That's what happened to Linus Tech Tips.
      But .. They wouldn't be able to change the password with MFA. So once I figured out what's happening, I could have changed the password, which would have killed all the other sessions.

    • @VikingProbe
      @VikingProbe 8 months ago +1

      @@matthiaswandel Since they were already logged in on the hijacked session, they can simply turn off 2FA, and then change the password.

    • @Prophes0r
      @Prophes0r 8 months ago +1

      @@matthiaswandel Not with the current solution you couldn't.
      Your first sign of a problem would be the changed email, which doesn't currently require MFA.
      The new email is their second factor, so you end up with the same problem.
      We are back to requiring MFA on all account changes. Which should be a thing on EVERY account with more than like 10k subs.[1]
      Hell, the session keys should be based on geographic locations anyway.
      Restricting the keys to a machine hash could cause a ton of problems. But restricting a session established from a specific local ISP from suddenly reconnecting from another continent should be a no-brainer and trivial to implement, even if it would still allow attackers to bypass it with local proxies. At least it would provide another speed bump.
      [1] Remember that these accounts are being used to run scams. It isn't JUST about the account holder getting screwed when they lose access to their channel. This is also a public safety issue. Monetization doesn't matter. Audience exposure does. Channels over a certain threshold are a public threat, since they are the targets for scam use.

    • @MrPoelepoele
      @MrPoelepoele 8 months ago +1

      @@earld1403 in theory, when you log out, your session token should be deemed invalid. Which should in turn make it so your session can't be hijacked.
      But this also depends on how well the application was coded. Some applications might not invalidate session tokens when a logout occurs, this would be a security vulnerability.

    • @huanstube
      @huanstube 8 months ago

      @@earld1403 You can simply start a new private/incognito window and close it when done. Nothing is saved unless you download something.
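The defences argued for in this thread (server-side invalidation on logout, step-up proof before a password change even when the caller holds a valid cookie, and killing every other session once the password changes), as an added Python example. This is not YouTube's or Google's code; the one-time-code delivery, its lifetime and the PBKDF2 parameters are assumptions.

```python
"""Added example (not YouTube's or Google's code): a minimal session store where logout
invalidates the cookie, a password change needs step-up proof, and then revokes other sessions."""
import hashlib
import hmac
import secrets
import time


class StepUpRequired(Exception):
    """A sensitive action was attempted with a session cookie alone."""


class SessionStore:
    CODE_TTL = 300  # seconds a one-time code stays valid (assumed value)

    def __init__(self):
        self._users = {}     # user -> (salt, PBKDF2 hash of the password)
        self._sessions = {}  # opaque cookie token -> user
        self._codes = {}     # user -> (pending one-time code, expiry time)

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user, password):
        salt = secrets.token_bytes(16)
        self._users[user] = (salt, self._hash(password, salt))

    def _password_ok(self, user, password):
        salt, stored = self._users[user]
        return hmac.compare_digest(stored, self._hash(password, salt))

    def login(self, user, password):
        # Full credential check; returns the cookie value, or None on failure.
        if user not in self._users or not self._password_ok(user, password):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = user
        return token

    def logout(self, token):
        # Server-side invalidation: a copied cookie is worthless afterwards.
        self._sessions.pop(token, None)

    def whoami(self, token):
        """What an ordinary request sees: a stolen cookie looks exactly like the user."""
        return self._sessions.get(token)

    def issue_challenge(self, token):
        # One-time step-up code; real systems send it out of band (SMS, app), here it is
        # returned directly so the example runs offline.
        user = self.whoami(token)
        if user is None:
            raise PermissionError("no valid session")
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._codes[user] = (code, time.time() + self.CODE_TTL)
        return code

    def _consume_code(self, user, code):
        pending = self._codes.pop(user, None)  # single use, whether it matches or not
        if pending is None:
            return False
        expected, expiry = pending
        return time.time() < expiry and hmac.compare_digest(expected, code)

    def change_password(self, token, current_password, code, new_password):
        user = self.whoami(token)
        if user is None:
            raise PermissionError("no valid session")
        # Step-up: both proofs are re-checked; the session cookie alone is not enough.
        if not self._password_ok(user, current_password) or not self._consume_code(user, code):
            raise StepUpRequired("current password and a fresh one-time code are required")
        salt = secrets.token_bytes(16)
        self._users[user] = (salt, self._hash(new_password, salt))
        # Revoke every other session, so a hijacker holding an older cookie is logged out.
        for other, owner in list(self._sessions.items()):
            if owner == user and other != token:
                del self._sessions[other]


def demo():
    """Constructed scenario: malware copies the cookie, then the owner reclaims control."""
    store = SessionStore()
    store.register("creator", "correct horse battery")
    stolen = store.login("creator", "correct horse battery")  # cookie copied by malware
    results = {"hijacker_seen_as_user": store.whoami(stolen) == "creator"}
    try:  # the hijacker holds the cookie but not the password, and no code was issued
        store.change_password(stolen, "guess", "000000", "attacker-chosen")
        results["hijacker_change_blocked"] = False
    except StepUpRequired:
        results["hijacker_change_blocked"] = True
    owner = store.login("creator", "correct horse battery")  # owner logs in elsewhere
    code = store.issue_challenge(owner)
    store.change_password(owner, "correct horse battery", code, "new longer passphrase")
    results["stolen_cookie_dead"] = store.whoami(stolen) is None
    results["owner_still_in"] = store.whoami(owner) == "creator"
    return results


if __name__ == "__main__":
    print(demo())
```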

  • @bhupindertube
    @bhupindertube 7 months ago

    First of all, I'm glad you were able to get your channel back. TBH, the email was very convincing & even the files. I'm shocked that Windows Defender could detect it. RAR file is so to hide from Windows Defender. Wow, they even added a security key! This video is very useful to learn what not to do - thanks for posting it. I think it's important to be able to contact RUclips asap as you've mentioned via Twitter (X) perhaps, as all other means are locked out. And disconnect the internet, reset Windows, clearing all the drives (formatting).

  • @JamesOrlowski
    @JamesOrlowski 8 months ago +5

    I'll never understand why Windows users choose to hide file extensions. That's one of the first things I change after a fresh Windows install.

    • @Petertronic
      @Petertronic 8 months ago

      Me too, been doing that for nearly three decades now.

  • @jammywesty91
    @jammywesty91 7 months ago

    I'm so glad things worked out. Me and my WW buddies were sharing and talking about your video on the Domini Design tool box hinge right before your channel got hit. We were gutted to think your breakdown was lost haha

  • @Name-oz8zr
    @Name-oz8zr 8 months ago +22

    2:15 Also, the unpacked contents of a rar file will not be marked as potentially unsafe like contents of zip files. So you don’t get an additional warning when starting the malicious executable.

    • @RFC3514
      @RFC3514 8 months ago +3

      @@droopy_eyes - RAR is no more "ancient" than plain ZIP, which is still by far the most common format. 7Z and RAR4 are indeed better (especially after you tweak a couple of compression parameters), but with internet speeds having increased so much, most people don't care about size, so they stick to the older ZIP format for compatibility.
      What really surprised me was that he didn't have file extensions visible. That would have made it immediately obvious it was in a dodgy file format (SCR).

    • @Furiends
      @Furiends 8 months ago

      @@droopy_eyes You don't know the corporate world. It's a blood sport to make as much official communication as possible look indistinguishable from scams.

    • @spudpud-T67
      @spudpud-T67 7 months ago

      There is nothing wrong with WinRAR. It's just a more efficient compressor than zip. Hackers use it because it's better than zip. Just like hackers use computers because they are better than calculators.

  • @JFirn86Q
    @JFirn86Q 8 months ago

    Love how you are so candid and detailed in showing all the details, really interesting (and terrible!). Sorry you had to go through this man. That's the one thing that is so wrong with big tech companies, it is almost impossible to get a human to help you. If this happened to a small creator, even with it being so obvious, it almost always means they are completely out of luck (happened to my mother, account is just considered lost now).

  • @georgebayliss3291
    @georgebayliss3291 8 months ago +8

    Great to see you back Matthias! Is "woodgears" a permanent channel name to distinguish from before the attack if you like, or is it just a temporary measure? (I like both!)

  • @Beakerzor
    @Beakerzor 8 months ago +8

    My mother always told me to avoid black magic.

    • @d.k.1394
      @d.k.1394 8 months ago +1

      Hehehe

  • @JesseHires
    @JesseHires 8 months ago +2

    Having fans and friends in the industry really helps. I work for one of the other giant evil companies and have seen issues like this get resolved quite quickly because everyone knows someone else at one of the other companies.

    • @matthiaswandel
      @matthiaswandel 8 months ago +7

      Yes, thankfully my channel has nerd appeal. Would have been different if I was making beauty tip videos.

  • @_rlb
    @_rlb 8 months ago +3

    You would think that Google should recognize a session being reused from a different location. Logging out that session would be enough. I'm probably missing something.
    Good to see you're up and running (but the channel name is now simply woodgears)

    • @SuperDavidEF
      @SuperDavidEF 8 months ago

      What you're "missing" is that Google don't really care. They could certainly fix it if they wanted to.

    • @matthiaswandel
      @matthiaswandel 8 months ago +6

      Given all the stuff the hackers did, I'm pretty sure much of it was to fool Google's algorithms into complacency. Like I explained.

    • @_rlb
      @_rlb 8 months ago

      @@matthiaswandel yes sorry you did, but those looked like new logons from different locations to mess with the AI systems, not the original session.
      Again glad to have you back

    • @iwantagoodnameplease
      @iwantagoodnameplease 8 months ago

      When I was phished on Steam they used a VPN to get a UK login, which I stupidly accepted on Steam Guard's 2FA because it didn't say "RUSSIA".

  • @FishyBoi1337
    @FishyBoi1337 7 months ago +4

    Welp, it seems you've got it under control again! Good work, but I won't say anything regarding the future this time, feel like I jinxed it a little with my last comment 😅

  • @PaganWizard
    @PaganWizard 8 months ago

    Rather than reinstalling Windows on the infected computer, I would very strongly recommend replacing the hard drive before installing Windows. There are actually some forms of malware and/or viruses that can actually survive a reformat of your hard drive. If you really want to go to an extreme level of self protection, replace the computer, and have fun personally destroying every component in the affected computer. I'm glad that you were able to recover your channel relatively quickly, compared to others who have been in your shoes.

  • @jlplumley2
    @jlplumley2 8 months ago +2

    Thank you for taking the time to share this with us. That helps people to be on the lookout for this.

  • @jackharper24
    @jackharper24 7 months ago +4

    Can't wait for the MK II video on the 02-24 hackening

  • @bob9341
    @bob9341 7 months ago

    Hi Matthias, sorry to hear (see) about the issues you have had. I am an IT guy local to you. You have it under control, but if you need a hand, give me a heads up and I will try to assist. Good video exposing this to others. Maybe follow up and let other youtubers know which account numbers they need to write down in order to recover easier? Good luck :)

  • @wayoutwest-workshopstuff6299
    @wayoutwest-workshopstuff6299 8 months ago

    Well done, Matthias - you look pretty calm about it all. I was so frazzled when it happened to us!

  • @jdkemsley7628
    @jdkemsley7628 7 months ago

    You made history! This is the first historical incident of a Google employee actually speaking to a customer.

  • @FinishCarpentryTV
    @FinishCarpentryTV 8 months ago +1

    So glad you got it taken care of! That’s scary!

  • @matthewmucci9107
    @matthewmucci9107 8 months ago +4

    I knew you were going to say 2FA wasn't enabled. Please everyone take that as a sign to enable 2FA for every account you have that supports it.
    Good on you for sharing the details of everything.

  • @kortt
    @kortt 8 months ago +1

    Glad you got the channel back. I had to re-subscribe because I unsubbed when I didn't know who Ridge was. When I saw the video on your other channel I reported it to YT and was surprised when I actually got an email back saying the offending content had been removed... etc.

  • @Lizlodude
    @Lizlodude 8 months ago

    Glad you got it back, and hopefully there isn't too much residual damage. The fact that even with this video you have an Excel sheet of a bunch of data is hilarious!
    One note, it looks like the vanity name of the channel is still set to 'woodgears', so you might need to set that back.
    While I don't agree with a lot of the people flaming Google for this, social engineering will always be a problem, they really do need to improve some of the processes around these issues. For one, after the same attack hit LTT, Google claimed they were beefing up the security surrounding session keys, but clearly that isn't the case.
    Additionally, the fact that it is basically impossible to get in touch with anyone at Google without having a preexisting YT rep is a problem. I've had my own security issues with Google, and have no way to get any information about them because I can't contact anyone. Everything is just an automated response with redundant and useless information.
    Also, the fact that Google disabled my physical security key and replaced it with a prompt on any device logged into the YT app is absurd. That's far better than no 2FA, and almost certainly better than SMS, but no you don't remove my security method.

  • @s.r.200
    @s.r.200 8 months ago

    The 32-minute walk was key in this story. We are all very happy to have you back!

  • @Beakerzor
    @Beakerzor 8 months ago +18

    If there’s a faster easier way, Matthias will master it, including getting his account back.

    • @geoninja8971
      @geoninja8971 8 months ago +3

      And he'll do it with some scrap wood from the roadside....

  • @brianrobertson6475
    @brianrobertson6475 8 months ago

    Wow! Quite the ordeal! Thank you for producing this video, so many people I think make the mistake of opening attachments. But this really opens one's eyes to the consequences. As to the infected PC, I suppose a three-time-overwrite of the HD would sanitize it before re-installing Windows so you'll have a useable machine again...

  • @cymeriandesigns
    @cymeriandesigns 8 months ago +1

    Whew, that is a detailed saga. Thanks for making this.

  • @robertfallows1054
    @robertfallows1054 8 months ago

    Wow. That must have been crazy. Glad you went into so much detail. I’m not a RUclipsr but just the whole process was eye opening

  • @XSpImmaLion
    @XSpImmaLion 8 months ago

    Man, Matthias, thanks for sharing all of this... sorry for the headache, but it's very useful, and very kind of you to share all the details.
    So... my guess was right, this was a session cookie hijack attack. Seemed like it because I think lots of RUclips account hacks go through this. I also heard this follows through to go into connected devices and disable them all, because it's what connects your account service-side to your PCs via the session cookies. Kinda complicated to understand.
    I have half guesses and half questions here... not a specialist, I just read a lot on these things. Not for Matthias specifically, but perhaps people in the know in the comments.
    So... afaik, Gmail itself usually does not get hijacked because it seems it's a bit more hardened against this kind of attack, not sure if this is true or not. Good thing Matthias set up a separate account for RUclips though, can't imagine the extra headache it would've been if the main Gmail account went with it. Is that right though? Gmail seems to keep a session in a similar way to RUclips, but perhaps there's something more under there... some verification that Gmail does that RUclips does not.
    This is a bit why all these connected accounts make me nervous... the possibility of being hacked in one service and getting all the rest compromised with it.
    Other half guess half question - I think, and I may be wrong, that these session hijack attacks are very specific. It's like, a ready made attack that goes specifically after an RUclips account, and perhaps a few more things, but it doesn't like let the hacker have free roam inside the PC. Could be wrong here, not sure. It's more because of a speed and practical standpoint - the malware goes straight after whatever required files it needs to impersonate the RUclips session.
    Anyways, glad that you solved it relatively fast Matthias.

  • @Walt1119
    @Walt1119 8 months ago

    So glad you got it all sorted back out! Sorry for all your trouble, long-term subscriber that still enjoys your videos!!!

  • @justincatterall9597
    @justincatterall9597 8 months ago

    So glad you got your account back. Thank you for giving such a detailed breakdown of how recovery works.

  • @ativerc
    @ativerc 7 months ago

    Glad you're back in control.
    From the comments it seems almost all of my favorite youtubers follow Matthias... nice.

  • @alext6933
    @alext6933 8 months ago +10

    Always check your file types😊

    • @catfree
      @catfree 8 months ago

      I wonder if this is why show file extensions is enabled by default in Windows Server and 10 Pro for business

    • @211teitake
      @211teitake 8 months ago +3

      Always check the sender address.

    • @bwillan
      @bwillan 8 months ago +2

      I also always log out of the sites so that there are no active sessions running in my browsers.

  • @BDYT1422
    @BDYT1422 7 months ago

    Oh thank goodness you are back again. I was literally planning on watching a planer video but then I realised "oh wait he's hacked again... AUUUUUGH"

  • @xycsoscyx
    @xycsoscyx 8 months ago +1

    I had a coworker before who would transfer his emails in to a virtual machine, disconnect the VM from the network, then check any emails there, instead of ever having them on his real machine or connected to the internet. If there was ever an issue, he could just nuke the VM and start again from a clean snapshot. I am more and more convinced that he was a genius who was ahead of the times!

  • @toddharshbarger8616
    @toddharshbarger8616 8 months ago

    Wow. Sorry you had to go thru this but appreciate that you shared your experience with us all to hopefully prevent us from experiencing the same!

  • @STONE69_
    @STONE69_ 7 months ago +1

    What a nightmare; you did what you could as soon as you realized it. From there it's a race against time and the hacker, to change all your passwords on everything and make longer passwords. The positive thing is, now you hopefully have learned from this experience. In 2024 many, many people will learn the hard way.

  • @thewolfin
    @thewolfin 8 months ago

    Rarely do we get this kind of time breakdown for a compromise, very well-detailed of you! Hope that long walk helped calm your nerves. Wiping the affected computer's SSD should be enough, but with today's BIOS-infecting malware you can't really ever be too sure.

  • @2._-1.-_
    @2._-1.-_ 7 months ago

    So sorry to hear about this. Glad you're back up and running.
    Windows 10 Pro has a sandbox. Made it worth the extra cost to me.

  • @sghantous
    @sghantous 8 months ago

    Thank you for sharing your experience. It could have been a lot worse. For what it's worth, it might be better to delete all suspicious files. You don't know what that executable is doing, and even if your computer isn't connected to the internet when you run the infected file, it might have processes running that are waiting for a network connection. Better not to take any chances.

  • @grain-diose
    @grain-diose 4 months ago

    Matthias, I'm glad that you restored the channel, but I don’t understand, don't you have confirmation by phone when logging into your account from another IP?

    • @matthiaswandel
      @matthiaswandel 4 months ago +1

      See my follow-up video on how that was bypassed.

  • @derwoodsdiy7710
    @derwoodsdiy7710 8 months ago

    You are such a smart guy. I know some will say “but he opened a blah blah blah”. I am continually impressed how you go so deep into how things actually run/work/operate and the amount you understand is mind blowing. I as would most normal brained people would’ve been screwed and never recovered their loss the way you have. You are an amazing guy and I love your videos. Even though John’s clamps are better 😂

  • @calvinleeryan
    @calvinleeryan 8 months ago +3

    Glad you got it back!!

  • @bruceboggemes9724
    @bruceboggemes9724 8 months ago

    Your channel was the first one I ever subscribed to, but now I found myself unsubbed. I redid it, but I wonder how many other people got lost. I was watching another video and saw the link to yours, checked and am still subscribed to Matthias random stuff. Glad you're back though

  • @Vassenden_yt
    @Vassenden_yt 8 months ago

    So this is why Ripple suddenly appeared in my feed. Glad you got it back, Matthias

  • @briancalvey4997
    @briancalvey4997 7 months ago

    I'm sorry that happened to you! And I'm glad you were able to recover your account!

  • @spacenomad5484
    @spacenomad5484 8 months ago +3

    2FA wouldn't have prevented the access to the account, since the stolen session was already authenticated. I don't think RUclips requires additional auth for renaming the channel or (un)publishing videos. Maybe it would've prevented the lock-out, if Google requires auth for adding/removing other authentication methods.
    Ironically, what would've prevented everything is to actually use Davinci Resolve... on Linux. Just saying ;)
    At least until the scammers start sending .desktop files in tarballs.

  • @CDNYEchoTAPS
    @CDNYEchoTAPS 8 months ago

    Dang, Matthias! What a mess and a resulting miserable feeling. So glad you recovered in relatively short order.

  • @marcoschwanenberger3127
    @marcoschwanenberger3127 8 months ago

    Phew, glad that worked out rather quickly for you and you have all videos back! I was very nervous, seeing the video on the second channel! Also, thank you very much for creating this timetable! Really puts into perspective just how fast these things can go (wrong).
    I wonder what the actual goal of these miserable hackers is. Big channels get flagged as hacked pretty much immediately, so the hackers don't actually have any gain for their effort spent. And small channels may take longer to recover, but they are small. Less views, less engagement. So what gives?

    • @matthiaswandel
      @matthiaswandel 8 months ago +3

      Low paid Russians trying to get western currency via crypto scams to pay for their stupid war. Probably didn't make that much $ off this one, but still.

  • @ChrisCrewdson
    @ChrisCrewdson 8 months ago

    Thank you for making this video. It's hard to tell others about your mistakes, but it's extremely valuable.

  • @BruceAngus
    @BruceAngus 8 months ago +2

    This happened to another channel I watch and in their update video, they commented on how many subscribers they lost when they were hacked. I don't think they realized that the hackers change the channel name and start live streaming crap and most people probably don't realize it's a hacked channel and think they must have accidentally subscribed to it. You could still tell yours was yours though because they didn't change your picture, so there was a Ripple live stream channel with a picture of your face as its icon

    • @matthiaswandel
      @matthiaswandel 8 months ago +2

      Lost 5k subs on this. And sadly, those would be active subs. Most of the subs are dormant and don't look at anything, and I probably lost none of those.

  • @K9Megahertz
    @K9Megahertz 6 months ago

    I've not dug through the comments and I'm sure someone has covered this, but an unsolicited email containing an SCR file is most definitely a virus/malware/etc... This goes for com files, exe files, vbs files, even excel files with macros enabled as well and probably a few others that I'm missing.
    The reason it was winrar'd was probably because the email server would have filtered that attachment out if it was just attached as an SCR.
    SCR files were generally screensaver programs back in the day. They are executable. Clicking on one of these can make for a really bad day if the intent behind it is malicious.
    I'm glad you were able to recover from this.

    • @matthiaswandel
      @matthiaswandel 6 months ago

      It was not unsolicited. Watch the video please.

    • @K9Megahertz
      @K9Megahertz 6 months ago

      @@matthiaswandel Ahhh, ya got me! =) I see now you covered those points shortly after I paused the video to write the comment. My apologies.
      I'm still glad you got your account back though.
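
    The thread above (K9Megahertz on SCR/COM/EXE/VBS attachments, RFC3514 on hidden file extensions) describes exactly the check a defender wants to run before anything in a "sponsorship brief" archive gets opened. The following is an added example, not code from the video or from any commenter: it lists an archive's members, flags executable types, spots double extensions such as `terms.pdf.scr`, and shows the name Explorer would display with extensions hidden. The extension lists and the sample archive are constructed for illustration; ZIP is used so it runs offline (for RAR, the third-party `rarfile` package offers the same `namelist()` interface).

```python
"""Flag executable payloads inside an archive before anyone double-clicks them.

Added example, not code from the video or the commenters. The extension lists
and the sample archive contents are constructed for illustration.
"""
import io
import zipfile

# Windows runs all of these on double-click; the thread names SCR, COM, EXE and VBS.
EXECUTABLE_EXTENSIONS = {
    "exe", "scr", "com", "pif", "bat", "cmd", "vbs", "vbe", "js", "jse",
    "wsf", "wsh", "msi", "hta", "lnk", "cpl",
}
# What a victim expects to find in a "sponsorship brief": harmless-looking types.
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}


def explorer_display_name(name: str) -> str:
    """What Explorer shows with 'Hide extensions for known file types' enabled.

    Only the last extension is hidden, so 'brief.pdf.scr' appears as 'brief.pdf'.
    """
    base = name.rsplit("/", 1)[-1]
    stem, dot, _ = base.rpartition(".")
    return stem if dot else base


def classify_member(name: str) -> dict:
    """Verdict for one archive member: risk level, reason, and the name as displayed."""
    parts = name.rsplit("/", 1)[-1].lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    inner = parts[-2] if len(parts) > 2 else ""
    verdict = {"name": name, "shown_as": explorer_display_name(name), "risk": "ok", "reason": ""}
    if ext in EXECUTABLE_EXTENSIONS:
        verdict["risk"] = "high"
        verdict["reason"] = f".{ext} is executable on Windows"
        if inner in DOCUMENT_EXTENSIONS:
            verdict["reason"] += f"; double extension masquerades as a .{inner}"
    elif not ext:
        verdict["risk"] = "medium"
        verdict["reason"] = "no extension, type unknown"
    return verdict


def scan_archive(data: bytes) -> list[dict]:
    """Scan an in-memory ZIP. For RAR, the third-party 'rarfile' package offers the
    same namelist() interface; ZIP is used here so the example runs offline."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [classify_member(n) for n in zf.namelist() if not n.endswith("/")]


def build_sample_archive() -> bytes:
    """Constructed sample: a fake 'sponsorship brief' with a disguised .scr inside."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Brief/Sponsorship terms.pdf.scr", b"MZ placeholder, not a real binary")
        zf.writestr("Brief/logo.png", b"PNG placeholder")
        zf.writestr("Brief/README", b"open the brief")
    return buf.getvalue()


if __name__ == "__main__":
    for v in scan_archive(build_sample_archive()):
        print(f"{v['risk']:6} shown as {v['shown_as']!r:26} actual {v['name']!r} {v['reason']}")
```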

  • @wyatt8770
    @wyatt8770 8 months ago

    I'm glad it's back, man! This sort of thing can happen to anyone (regardless of what some of the "experts" in this comment section are saying), and all that matters is you're safe and recovered from it. Cheers!

  • @Nicoya
    @Nicoya 8 months ago +2

    What's shocking to me is that Microsoft still allows windows to run these old .scr files with no sandboxing whatsoever.

  • @imqqmi
    @imqqmi 8 months ago +2

    7-Zip can unpack rar, not sure if it can password protect or remove it.
    I'd recommend a PC for managing your YT channel only, for anything else use another PC, and that one should not be logged into yt/google. Don't rely on yourself but put up a physical barrier so it can never happen again.
    You've already missed so many red flags; tiredness, kids demanding attention, or just being too busy or wanting to finish real quick are all incompatible with securely using your computer.
    Two-factor authentication doesn't help much with this attack; they've got the session ID. They may not be able to lock you out but they could still put up videos for their benefit. It's best to use multiple layers of protection and MFA is just one of them.

  • @XDIY
    @XDIY 8 months ago

    Wow, good to have you back. After watching your video the name Black Magic sounded familiar... 😮 so I searched my email and found a similar email which I ignored last July 2023... 😶

  • @CHEFPKR
    @CHEFPKR 8 months ago

    Make sure you buy a hard key/titan key. It's almost bullet proof. So much so that when I forget it when I travel even I can't get into my account.

  • @MRrwmac
    @MRrwmac 7 months ago

    Matthias, very sorry this happened to you. Luckily it seems you took all the right steps immediately to stop their hacking and get real Google people involved helping you. Perhaps once all the dust settles down you could talk to Google execs and come up with a way for us who are not as good as you are to help us prevent this happening! Again, glad you are OK!

  • @aarondcmedia9585
    @aarondcmedia9585 8 months ago

    Going for a walk. Love it. Well done for staying calm under fire, great to see the channel back. Glad this video popped up so I could resubscribe.

  • @--Mike--
    @--Mike-- 8 months ago +1

    I'm glad I just found out it was your channel... because I got the notification about a livestream from a channel I didn't know, clicked on it, and thought, when did I ever subscribe to such crap? I looked up the videos and there were none, so I unsubscribed and closed the window...
    Do you have any numbers on how many subs you lost that night?

  • @hinojosaunlimited
    @hinojosaunlimited 8 months ago

    Thanks for making this vid and showing how it happened, it's extremely useful information. Also very glad you were able to recover your account.

  • @mikethames3072
    @mikethames3072 8 months ago

    Thanks for sharing the timeline. BTW, even with 2FA or MFA the same attack could happen. The 2nd factor auth happens at the login stage. Once successful, the session host or security token is cached in the browser. If those files are hijacked and injected into another browser, like they did in this case, then the service provider like Google will see that the session is still valid and thus still be allowed to connect without a re-prompt for MFA. You can force always prompting for MFA but I'm not sure Google allows you to do that, and even still that's not usually the default of how that works. Don't get me wrong. MFA is a must-have but it's not the end-all be-all. You still have to be wise and aware of how these attacks work and clearly you are, but we can always make mistakes. So glad you got back in! Great video as always!

    • @LowJSamuel
      @LowJSamuel 8 months ago +2

      I imagine it would prevent them from changing the password, though.

    • @mikethames3072
      @mikethames3072 7 months ago

      @@LowJSamuel Yes. Great point! It may have prevented that. Definitely recommend MFA but we still have to be careful.
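
    The exchange above (mikethames3072 on why a replayed session token passes without an MFA prompt, LowJSamuel on password changes, and _rlb earlier on recognising a session reused from another location) comes down to a server-side design choice. Here is an added example, not Google's or YouTube's code, of a session store that binds each session to a coarse client fingerprint, demands the second factor again when a valid cookie shows up from a different network or browser, and always requires a fresh second factor for account-takeover actions. The fingerprint rule (IP /24 plus user agent), the 5-minute step-up window, the action names and the sample requests are assumptions constructed for illustration.

```python
"""Session binding and step-up auth: a copied cookie alone should not be enough.

Added example, not Google's or YouTube's code. The binding rule (IP /24 plus
user agent), the 5-minute step-up window and the sample requests are constructed.
"""
import hashlib
import hmac
import ipaddress
import secrets

SESSION_TTL = 3600      # seconds a session lives after login
STEPUP_WINDOW = 300     # seconds a second-factor check counts as "fresh"
SENSITIVE_ACTIONS = {"change_password", "remove_2fa", "rename_channel", "delete_video"}


def client_fingerprint(ip: str, user_agent: str) -> str:
    """Coarse fingerprint: the /24 network of the client IP plus the UA string."""
    net = ipaddress.ip_network(f"{ip}/24", strict=False)
    return hashlib.sha256(f"{net}|{user_agent}".encode()).hexdigest()


class SessionStore:
    """Sessions keyed by an HMAC of the cookie value, so the store never holds it."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._sessions: dict[str, dict] = {}

    def _key(self, token: str) -> str:
        return hmac.new(self._secret, token.encode(), "sha256").hexdigest()

    def login(self, user: str, ip: str, ua: str, mfa_ok: bool, now: float) -> str:
        """Issue a cookie value only after password and second factor both passed."""
        if not mfa_ok:
            raise PermissionError("second factor required at login")
        token = secrets.token_urlsafe(32)
        self._sessions[self._key(token)] = {
            "user": user, "fp": client_fingerprint(ip, ua), "mfa_at": now, "created": now,
        }
        return token

    def authorize(self, token: str, ip: str, ua: str, action: str, now: float) -> str:
        """Return 'allow', 'stepup' (re-prompt the second factor) or 'deny'."""
        s = self._sessions.get(self._key(token))
        if s is None or now - s["created"] > SESSION_TTL:
            return "deny"
        # A valid cookie arriving from another network or browser is the replay
        # pattern the thread describes: demand the second factor again rather
        # than silently trusting it.
        if s["fp"] != client_fingerprint(ip, ua):
            return "stepup"
        # Account-takeover actions need a fresh second factor even from the
        # original device, so a stolen cookie cannot lock the owner out.
        if action in SENSITIVE_ACTIONS and now - s["mfa_at"] > STEPUP_WINDOW:
            return "stepup"
        return "allow"


def demo_scenario() -> dict:
    """Constructed walk-through: the owner logs in, then the cookie is replayed."""
    store = SessionStore(secret=b"constructed-server-secret")
    t0 = 1_700_000_000.0
    owner = ("203.0.113.10", "Mozilla/5.0 (Windows NT 10.0) Chrome/120")
    other = ("198.51.100.7", "Mozilla/5.0 (X11; Linux x86_64) Chrome/120")
    token = store.login("creator", *owner, mfa_ok=True, now=t0)
    return {
        "owner_view": store.authorize(token, *owner, "view_dashboard", t0 + 60),
        "owner_rename_later": store.authorize(token, *owner, "rename_channel", t0 + 900),
        "replayed_view": store.authorize(token, *other, "view_dashboard", t0 + 1800),
        "replayed_password": store.authorize(token, *other, "change_password", t0 + 1800),
        "forged_cookie": store.authorize("not-a-real-token", *owner, "view_dashboard", t0 + 60),
        "expired": store.authorize(token, *owner, "view_dashboard", t0 + SESSION_TTL + 1),
    }
```

The replayed cookie is still a valid session, but it only earns a step-up prompt, never direct access to the password or channel name.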

  • @torbjornahman
    @torbjornahman 8 months ago

    Holy smokes... glad it was restored so quickly. Lesson learned I guess and thanks for the rundown!

  • @WangleLine
    @WangleLine 8 months ago

    I'm really glad to hear this got resolved so quickly. What a mess.

  • @tom314
    @tom314 8 months ago

    Great you're back up and running, it's an easy mistake to make! And well done being so honest about your mistake, it takes a great strength of character to be able to do that.

  • @Basicjoomla
    @Basicjoomla 7 months ago

    I'm glad you got your channel back!

  • @mofoq
    @mofoq 7 months ago

    Show extensions; it helps prevent accidentally opening executables
    Also, 7-zip should support rar files
    And also, emails should be done on a separate computer (or virtualized computer) with no other sessions
    glad you got it back.

  • @mrpetit2
    @mrpetit2 8 months ago

    That's why I always have file extensions visible in explorer.
    First thing I look at before I click on anything, is the type of file it is. Always.
    If it's supposed to be a document, and I don't recognize the file extension (or more often, I recognize it as a non document), I just don't click it.

  • @Uninen
    @Uninen 8 months ago

    Thank you for the great postmortem and clear explanation of your learnings. I hope everyone who sees this enables 2-factor on all accounts!

  • @euti
    @euti 8 months ago

    Glad to see you recovered. I guess this kind of video with insights into how and how fast things happen is beneficial for others that might get scammed. Time to get 2-factor authentication on my less used accounts as well. Let's spread some awareness!