Professional Documents
Culture Documents
Just over a month ago, one of the largest YouTube channels in the computer and IT community
was hacked and taken over. Despite the computer expertise held by the team behind the channel, an
attacker was able to take control of the account and cause havoc for a few hours. Luckily, the channel
was one of the largest with over fifteen million subscribers and they were able to restore the account
quickly while minimizing business losses. Most channels are not as well situated to handle an attack.
Large channels are not the only target for hackers looking to exploit vulnerable accounts. Any
channel with a following may be vulnerable to some of the techniques that are used to attack even the
biggest and most expert content creation teams. Producers of video channels and other content
creators need a plan to secure their account and prevent it from being compromised.
Thesis:
The solutions to quickly and easily protecting an important account are to implement better
security for passwords, email, and account access controls, because securing these can prevent an
attacker from being able to access the account and take it over.
Course of Action:
It can be challenging to figure out the many ways in which an attacker could potentially hijack an
account. Luckily, there are some important major steps that any person or organization should take to
long, have complex symbols, and have a mix of lower- and upper-case letters. Each account should have
its own password with no shared passwords between accounts. A password manager is highly
recommended to make remembering these passwords easier and to prevent them from being lost or
stolen if written down on paper or stored in a file. A password manager secures these passwords in
encrypted storage, and often will automatically fill the user/password forms using a keyboard shortcut.
While password managers are not a perfect security measure, they can prevent certain types of
common password attack and make it easier to manage a large array of complex passwords (Luevanos
et al., 2017). Privacy and security expert Shannon Morse advocates for strong passwords and a
important to use multi-factor authentication wherever available as an option, as it adds an extra layer of
security to the login process. A multi-factor authentication application will generate a one-time code
that lasts (usually) only thirty seconds, at which time a new code will be generated. This makes it even
more difficult for an attacker to fully authenticate into an account using a password attack.
Another way to secure an account is to address some of the ways that an account is used and
configured. In the specific case of a YouTube content creator, public facing email addresses for business
inquiries should not be the same email that is used to log in to the account. As much as possible, the
specific account used to login to YouTube should be reserved for that only and kept as secret as
possible. Sending emails and other tasks used with a Google account can and should be done on a
separate account. Chris Titus, a technology expert and content creator, recommends using the
Advanced Protection Program for a Google/YouTube account. This forces users to secure their account
using a hardware key, which is a specific type of multi-factor authentication that uses a physical device
that must be connected while logging in (rather than an application) (Chris Titus Tech, 2023). Google and
other large companies have incorporated such hardware keys successfully for their employees, with a
two-year research study showing that implementation improved both user satisfaction and security
outcomes (Lang et al., 2016). Hardware keys are important to keep track of and potentially have
backups of, but they can be more convenient than many other forms of signing into an account since a
code from an application is not required for each login. Hardware keys also prevent an authentication
token from being stolen from an MFA application, which is a main way that MFA is bypassed by
attackers.
Within an account for a team or organization, there can often be multiple users assigned with
varying degrees of role assignment. Users can be allowed access to specific aspects of the account.
Heath Adams, a security expert and educator, explains that a Google account allows for a brand
manager to have access to certain resources within the account. It is possible for merely one of the
users with access to an account to lead to an account being compromised, depending on what levels of
access are configured for the role that the user has (The Cyber Mentor, 2023). User access controls have
a tremendous variety in terminology and can typically be configured very differently depending upon
the application, which can make it difficult for initial setup (Mohamed et al., 2022). Content creators
with teams and shared accounts should configure their teammates and employees to only have the
Each of these steps for securing an account work alongside of each other and can massively
decrease the risk of account compromise. By controlling the ease with which the account is logged into,
the usage of the account while logged in, and which resources teammates can access within the
account, there are far fewer ways for an attacker to hijack the account using an internal vulnerability.
The main reasons that people tend to avoid setting up these protections in the first place are
also some of the main reasons that these methods are convenient. Although it can be a hassle to set up
a password manager and an authentication application or hardware key, these utilities prevent
passwords from being lost, stolen, or easily guessed. These utilities, once set up, are significantly more
convenient than trying to remember or write down unique and strong passwords for many accounts.
Another reason that people often avoid setting up these protections in the first place is because
of lack of knowledge and expertise in the subject. Though it is understandable for average content
creators and account holders to be untrained in securing accounts, team members who have
administrative responsibility should be aware of these methods for securing accounts. Those who have a
specific job role around managing YouTube brands or channels should not be left behind by their peers
or adversaries, and they have a responsibility to their coworkers and customers to be up to date about
best practices.
Conclusion:
Attackers have recently taken over the accounts of multiple high-profile YouTube content
creators, leading to loss of service and content in some cases. There are also innumerable examples of
smaller channels that are targeted by similar attacks. These channels can protect their accounts from
being accessed by unauthorized individuals by securing a combination of their password, their email,
and their access control rules. The steps to take for securing an account are relatively easy (compared to
many tasks in computing or security), and after the upfront setup these steps require little maintenance
or time investiture.
The password can be protected by a password manager, which will auto-generate and store
secure passwords while also applying them to login prompts with a keyboard shortcut. A multi-factor
authentication application or hardware key can apply a second level of security to the login, using a
mobile device or a key which are usually held on the person. The account used to access high-risk assets
such as a monetized YouTube channel should not be the same account used to send and receive emails.
Account permissions can determine what types of access that other users have within the shared
account according to their specific role. Combining these together can prevent a careless account-owner
or employee from compromising the whole account through improper usage or configuration. In theory,
even if a password is stolen or brute-forced, these additional steps will still prevent unauthorized access
Any group or individual with a publicly facing account should follow these practices, even if they
are not a YouTube channel. These same steps will also help a person protect accounts for social media,
Shannon Morse. (2023, May 3). How Do YouTubers Get Hacked? 3 Tips to Secure Your Account [Video].
YouTube. https://www.youtube.com/watch?v=ItghwG3a4KM
Chris Titus Tech. (2023, March 23). LTT Hacked [Video]. YouTube. https://www.youtube.com
/watch?v=b94uBT9CStU
The Cyber Mentor. (2023, March 24). Linus Tech Tips Hack Explained [Video]. YouTube.
https://www.youtube.com/watch?v=WjpIyu7IH74
Lang, J., Czeskis, A., Balfanz, D., & Schilder, M. (2016). Security Keys: Practical Cryptographic Second
Factors for the Modern Web. In Lecture Notes in Computer Science (pp. 422–440). Springer
Mohamed, A. M., Auer, D., Hofer, D., & Küng, J. (2022). A systematic literature review for authorization
and access control: definitions, strategies and models. International Journal of Web Information
Luevanos, C., Elizarraras, J. V., Hirschi, K., & Yeh, J. (2017). Analysis on the Security and Use of Password
Managers. https://doi.org/10.1109/pdcat.2017.00013