44 comments

[ 3.6 ms ] story [ 95.3 ms ] thread
I hope they kept a copy of all their videos somewhere. Maybe on that big media server.
They have everything, even on offsite servers, but losing the YT channel itself would be catastrophic
It was a goof about how they have a whole video series on building an enormous petabyte media server. LTT is too big for YouTube to not work with them to fix it, and maybe this will nudge them to develop Floatplane into something more than a backup.
Yes, LTT is popular enough to have contacts with YouTube who will help them recover. It's still scary to see a huge channel briefly blink out of existence, and people running less well-connected channels are probably looking at this situation with some anxiety.
The sad part is that there's going to be a few people who got their YT view spammed with the fake Tesla and they unsubscribed. Even with YT reverting the videos/ratings/etc. I'd be really surprised if they reverted the unsubscribes.
These videos appear to be just unlisted, not removed.
I understood that reference.
I've seen some videos on building a video SAN or NAS and I think they mention backups etc.
LTT isn't first channel which this has happened. And some of the others have been quite small. And those have returned with if not all, at least seemingly most content present.

Youtube doesn't seem instantly to nuke channels and everything related in these cases. Even if it appears as terminated.

they have floatplane which is on separate infrastructure from ltt so that can help. there is billi billi too
The videos are just unlisted. But even if deleted YouTube can and does restore these things in similar cases.
Damn they took down so many videos, especially that toy fire truck one
It's just unlisted and description has crypto scam. https://www.youtube.com/watch?v=nDTeSb0TzbQ
Looks like the entire channel is unavailable now:

This video is no longer available because the YouTube account associated with this video has been closed.

> This video is no longer available because the YouTube account associated with this video has been terminated.

"Terminated" on my end sounds much more ominous. They very likely have a youtube rep to help out in this case.

Revenue impact will be massive.

I stand corrected, they're milking it for content. Good for them.
Looks like the hackers have caused some pretty significant damage. I'm curious to find out what the attack vector was.
There are a few possibilities I could think of:

- LastPass breach related.

- Classic phishing / session hijacking: apparently Google doesn't _always_ re-prompt for password when you change password / security device, if you have a valid session cookie.

- Poor opsec from Linus (and by association probably also the rest of their upper management team).

Luke, Linus's business partner, was recently "promoted" to CTO and has been working on their many know infra / security deficiencies. Alas, he's a bit too late it seems...

During one WAN show they did mention moving away from LastPass and Linus himself has accidentally revealed private information on streams by being logged in to the wrong account multiple times now.

However, for all we know there's a 0day in some part of the YouTube system. Maybe some (sponsored) device got hooked up to the internal network and laid dormant for a while.

I think one of the staff logged into the primary YouTube account got phished but there are so many ways this could've happened. Luckily for them, their channel is large enough that I think they'll make a full recovery once they've found out how this could have happened.

> LastPass breach related.

The unencrypted URLs are such a screw up that no one should ever trust them again. Their security related products would all fail if people understood what a disaster that is.

I was super frustrated by it because I had an old (mostly unused) LastPass vault with a shared folder and a handful of MS365 tenants along with some registrar accounts. That probably puts my vault, and the vault of anyone with access to the share, ahead of many other vaults in terms of being targeted as high value.

Luckily it was only me and 1 other person with access to that shared folder, so it was pretty easy to assess the risk. Both of us had good passwords and hadn't ever used anything weak.

Now imagine in a larger organization. What if a dozen people have access to the LTT channel? All it takes is for one of them to have used a weak password on their vault and now the identifying info that came along with the vaults becomes a huge issue because it allows them to be targeted as a high profile organization and suddenly there's a huge increase in the odds of a weak password causing a compromise.

> Poor opsec from Linus (and by association probably also the rest of their upper management team).

Ultimately they're content creators. Being tech enthusiasts means they're probably doing better than a lot of other creators, so maybe some of the blame should start shifting towards the big tech companies rather than the victims.

My hot take is that by competing to control identity the big tech companies are making the entire security ecosystem significantly more confusing for the average person and I think big tech should be taking the blame for a lot more than they do. How are we supposed to keep up with dozens of complex security schemes from different companies?

Per-user pricing also discourages good security practices because profiles are always treated as users. You see it in everything. I use multiple profiles on Windows to silo work for different people. I have to go against the grain to manage everything and now I'm supposed to buy 4 Office licenses because the licenses have been changed from per device to per user (profile). 99.99% of people will give up and use one big account.

It's the same for password managers too. I switched to Vaultwarden because I can create multiple user accounts and do a better job of keeping different roles separated.

For example, I have some high value passwords that are only ever used from a dedicated machine. In Vaultwarden I use a separate user that only gets set up on that machine. In any other password manager that's an extra user account and, by the time everything shakes out, I'd need a half a dozen accounts just to silo my data responsibly. Not a single normal person is going to pay for that. They'll use one big account for everything.

So IMO big tech takes a lot of the blame for our lack of security because they're building for profitability first and security second.

> Being tech enthusiasts means they're probably doing better than a lot of other creators

From what I've seen, LMG is a large corporation still being run like a startup. Considering how often they churn out videos about their file servers dying because they fail to do things like scrub their ZFS pools, I'm not sure how much actual tech knowledge beyond PC hardware specs they have. It's very much a lay person-oriented channel, not enthusiast-oriented.

This is exactly the kind of thing I expect from LMG. If this were to happen to, say, Level1Techs, I'd be shocked.

Why hacked? It's just Elon giving away free Bitcoin. Again...
Aaand it got suspended.
If they got access back, they neglected to reset all the stream keys.
It's moving on to the other LTT channels now.
Mac address and short circuit seem unaffected tho
TechLinked is currently streaming bitcoin scams. Perhaps all the LMG accounts were under the same Google account and the scammer is working his way down the list.
yep the channel has been suspended for tos violations now :/
A lot of YouTube channels are getting hacked recently with the same "sponsorship offer" hack. Wonder if this was the case here as well.

Paul Hibbert got hit recently. This video has more details on this works and how the bypass 2FA : https://youtu.be/YIWV5fSaUB8

ltt forum was down for 15 minutes due to everyone swarming the forum
In that thread someone points out a fake channel:

    youtube.com / @LinusTechTips2.0
It's a shame YouTube allowed dots in handle names considering the problems creators have with impersonation. Those should be reserved for domain validated handles similar to the BlueSky post a couple weeks ago [1].

As it is, I don't think there's a way to create aliases, so it's not even possible to proactively protect yourself from impersonation by grabbing all the attractive handles that would be used by bad actors.

For example, what stops me from creating @LinusTechTips.com as a handle? That looks very official to a lot of people and high value domains are recognized by a lot of normal users. I know it would get banned eventually, but that's after the creator complains and it seems a bit unfair to ask creators to police their brand while YouTube leaves the door wide open for bad actors.

In the case of a channel like LTT, if they're using @LinusTechTips as a handle I think it would be pragmatic for them to be able to ask Youtube to forbid all other @LinusTechTips* handles. That's their brand, everyone knows it's them, they've earned it, and platforms should be doing more to work with them to reduce impersonation. I say that in the context of all popular creators, not just LTT.

1. https://news.ycombinator.com/item?id=35050335

Their WAN Show is gonna be interesting this week.
If it even happens
I assume it's going to be running on their Twitch and Floatplane channels as usual
It really depends on how deep the hack goes. It’s a multi million dollar company with fairly loosey goosey IT and security practices so the damage can extend far beyond their YT account.

Financially they’ll likely take a substantial hit on both their ad revenue but also on their creator warehouse operations.

The wan show cannot be stopped
In a timely fashion, their most recent tweet [1] asks:

"We need YOU...

... to reply with a clip of your worst tech fail!

Our favorite submissions might make it into an upcoming Techquickie video."

Think this might get included? :)

  [1] - https://twitter.com/LinusTech/status/1638680638185435136
Lol, I think it's mostly a sponsor doc or windows+Android malware especially after their recent Tarkov coverage
It was sponsor document which harvested session tokens. Could've easily been fixed if IP difference was flagged or drastic changes to account put behind another login
Cryptocurrency scammer again. I assume they would be the richest and the most motivated scammers nowadays.
Interestingly also a lot of their previously unlisted videos popped up on a channel called LTTtemp following the hack.
This attack is absolutely the Google's fault, here is why (most to least severe):

1. Password/2FA change must require reauthentication

2. Session tokens must be limited to a single browser fingerprint (broser/device specific infomation)

3. Changing the password must terminate all active sessions

4. Session termination must invalidate session token for future use

5. It must be trivial to the user to terminate all active sessions

6. Serious actions like changing account handler/main info must require reauthentication

Any of the first 3 would've made such attack impossible. Any of the first 5 would've made regaining full access to the account trivial as a single button press.