I figured just in case anything crazy happens to this channel again. You can follow me on Twitter and Bsky to give updates on that type of stuff~ Twitter - x.com/Grimmjack Bsky - bsky.app/profile/grimmjack.bsky.social
YouTube/Google’s security features lead to the same hackers getting back into the channel
We fixed the problem and hope this will be the last time they get our channel!
We’ll be doing a stream soon to let all the subs we lost know we’re back, so enjoy Grimm getting beaten up by Vegeta soon
L;R
Hey everyone! Glad to be back. YouTube managed to handle the restoration in record time, which is really huge! The first time the hack happened, it was a long time without any updates and it affected both of our biggest channels, so the expediency is greatly appreciated.
The first time we lost the channels was through a browser session hack from a zip file in an email. The hackers had hacked a popular video game studio or otherwise had access to their entire press kit and approached us for an ad. The email address even looked more legitimate than the actual game dev’s email address, which was extra unfortunate for us. As soon as the zip file was opened, it launched an attack on the browser session on one of the computers we were logged in on, allowing them to pick up exactly where we already were, signed in with full authorizations and everything.
One of the biggest problems with YouTube’s security features is that once you’re in, it never prompts for your password or 2fa or biometrics or alerts your backup email or anything. You can even change the email address associated with the account without any additional verification, allowing for a hostile takeover to happen very quickly and easily. At that point, even if we had changed our password, it wouldn’t have mattered, because the attack bypassed all our security features. We got the channel back eventually after waiting for what felt like forever, reset all our security features, installed new ones as well, and hoped the lesson was to be extra wary of emails and always do full due diligence on researching anyone that reached out to us.
Sadly, that was not the end of our troubles with these guys, as they had installed back doors into our channel to let them get back in. YouTube hadn’t informed us of any of these possibilities throughout their assistance, and we barely spoke with a human being at all. The first backdoor they installed was a channel manager with full access to all of our features on the channel. We had never used a channel manager before, nor had we ever known of this feature. Even if we had known of the feature, we had no reason to use it. They used the channel manager account to change all of our videos out and install the same crypto scam streams from before, again without the need of a password or 2fa. This hack was at least very easy to recover from, as we still had full access to our channel. We simply logged in, kicked them out, reverted our settings, and called it a day.
During this time, we spoke to multiple security professionals who all advised us on multiple steps to secure the channel. We reached out to other YouTubers, both to warn them of how our situation came about, and to ask if they could give us advice. We secured our channel to the best of our ability, without any guidance from YouTube, as they were unavailable to help us at any time other than when everything was actively on fire. This led to the second backdoor they installed and the third hack into our channel, the most recent one you all saw a few days ago.
The initial hack allowed the hackers to install backup codes in our account which allow you to log in if there’s an emergency. We had never known these codes existed as we had not known about this feature. YouTube did not advise us this could be a way to log in, and SURE this way would ask for 2fa at some point, but no, this is yet another way YouTube allows you to bypass 2fa and passwords. The hackers used the backup codes they installed on the first hack and logged into our channel again, changed our settings, and kicked us out. Luckily at this point, YouTube must’ve remembered our channel was a repeat target for hackers and got us back in at record speed.
All this to say YouTube doesn’t offer much guidance on the dozens of ways into a channel, nor do they offer much support to secure your channel once it’s been hacked. There’s not exactly an easy “How To” with boxes to check and make sure things are good and no one can get in. Even the security professionals were baffled that YouTube allowed for so many backdoors in security, all without extra verification.
We’re back for now and we’ve checked as many places as we can think of to make sure there’s no way in again, so hopefully this time they’re out for good. We’ll be hosting a stream soon to try to let everyone know we’re back and try to raise some funds to restore our losses over the days the channel was down, so stay tuned for that. Grimm has got the new Sparking Zero game and will surely get brutalized by Great Ape Vegeta for your amusement. We just want to keep making the anime parody content you know us for, and if someone can keep us down, we haven’t found them yet. Thanks a ton you guys, and stay safe out there~
Grimmjack
Grimmjack
I figured just in case anything crazy happens to this channel again. You can follow me on Twitter and Bsky to give updates on that type of stuff~
Twitter - x.com/Grimmjack
Bsky - bsky.app/profile/grimmjack.bsky.social
1 day ago (edited) | [YT] | 487
View 25 replies
Grimmjack
TL;DR
The channel is back!
YouTube/Google’s security features lead to the same hackers getting back into the channel
We fixed the problem and hope this will be the last time they get our channel!
We’ll be doing a stream soon to let all the subs we lost know we’re back, so enjoy Grimm getting beaten up by Vegeta soon
L;R
Hey everyone! Glad to be back. YouTube managed to handle the restoration in record time, which is really huge! The first time the hack happened, it was a long time without any updates and it affected both of our biggest channels, so the expediency is greatly appreciated.
The first time we lost the channels was through a browser session hack from a zip file in an email. The hackers had hacked a popular video game studio or otherwise had access to their entire press kit and approached us for an ad. The email address even looked more legitimate than the actual game dev’s email address, which was extra unfortunate for us. As soon as the zip file was opened, it launched an attack on the browser session on one of the computers we were logged in on, allowing them to pick up exactly where we already were, signed in with full authorizations and everything.
One of the biggest problems with YouTube’s security features is that once you’re in, it never prompts for your password or 2fa or biometrics or alerts your backup email or anything. You can even change the email address associated with the account without any additional verification, allowing for a hostile takeover to happen very quickly and easily. At that point, even if we had changed our password, it wouldn’t have mattered, because the attack bypassed all our security features. We got the channel back eventually after waiting for what felt like forever, reset all our security features, installed new ones as well, and hoped the lesson was to be extra wary of emails and always do full due diligence on researching anyone that reached out to us.
Sadly, that was not the end of our troubles with these guys, as they had installed back doors into our channel to let them get back in. YouTube hadn’t informed us of any of these possibilities throughout their assistance, and we barely spoke with a human being at all. The first backdoor they installed was a channel manager with full access to all of our features on the channel. We had never used a channel manager before, nor had we ever known of this feature. Even if we had known of the feature, we had no reason to use it. They used the channel manager account to change all of our videos out and install the same crypto scam streams from before, again without the need of a password or 2fa. This hack was at least very easy to recover from, as we still had full access to our channel. We simply logged in, kicked them out, reverted our settings, and called it a day.
During this time, we spoke to multiple security professionals who all advised us on multiple steps to secure the channel. We reached out to other YouTubers, both to warn them of how our situation came about, and to ask if they could give us advice. We secured our channel to the best of our ability, without any guidance from YouTube, as they were unavailable to help us at any time other than when everything was actively on fire. This led to the second backdoor they installed and the third hack into our channel, the most recent one you all saw a few days ago.
The initial hack allowed the hackers to install backup codes in our account which allow you to log in if there’s an emergency. We had never known these codes existed as we had not known about this feature. YouTube did not advise us this could be a way to log in, and SURE this way would ask for 2fa at some point, but no, this is yet another way YouTube allows you to bypass 2fa and passwords. The hackers used the backup codes they installed on the first hack and logged into our channel again, changed our settings, and kicked us out. Luckily at this point, YouTube must’ve remembered our channel was a repeat target for hackers and got us back in at record speed.
All this to say YouTube doesn’t offer much guidance on the dozens of ways into a channel, nor do they offer much support to secure your channel once it’s been hacked. There’s not exactly an easy “How To” with boxes to check and make sure things are good and no one can get in. Even the security professionals were baffled that YouTube allowed for so many backdoors in security, all without extra verification.
We’re back for now and we’ve checked as many places as we can think of to make sure there’s no way in again, so hopefully this time they’re out for good. We’ll be hosting a stream soon to try to let everyone know we’re back and try to raise some funds to restore our losses over the days the channel was down, so stay tuned for that. Grimm has got the new Sparking Zero game and will surely get brutalized by Great Ape Vegeta for your amusement. We just want to keep making the anime parody content you know us for, and if someone can keep us down, we haven’t found them yet. Thanks a ton you guys, and stay safe out there~
Grimmjack team, out~
3 days ago | [YT] | 2,600
View 109 replies
Grimmjack
You can't keep a good Grimm down~
Expect more of our regularly scheduled Grimmy goodness soon!!
4 days ago | [YT] | 1,696
View 80 replies