A big breach made headlines recently, and you will have noticed it if you are among the 15 million YouTube subscribers of Linus Tech Tips. This juggernaut channel is one of the biggest technology-related spaces on YouTube and a leading authority in the digital world.
On Friday, 24 March, it got hacked.
A yet-unidentified group hijacked Linus Tech Tips (LTT) and several offshoot channels, replacing their content with a crypto scam that urged viewers to send bitcoin in return for a (fictional) 200 percent payout. Shockingly, even as the LTT team tried to regain control by resetting passwords and stream keys, the attackers were back within seconds. And they did so without ever having to enter a password or a multi-factor code.
To summarise, the attackers first phished an employee with malware disguised as a PDF file. The malware copied the employee's browser session, including the session tokens that keep accounts logged in. Armed with those tokens, the attackers could keep using the account even though they never had its password or its multi-factor device.
This specific case is fascinating for several reasons. First, the attack shows how criminals can sidestep passwords and multi-factor authentication entirely by stealing an already-authenticated session to a web-based channel or application. Second, channel owner Linus Sebastian has been very candid about what happened and the lessons they learned. It's rare to get such an open example of an attack, how the victims responded and what they should have done instead.
I jotted down several lessons that all of us, including security experts, should think about.
It can happen to anyone
LTT's people aren't clowns. They know tech, they know security, and they had strong passwords and multi-factor authentication in place. Nor was this the first time someone had hacked their channel. Yet they were still caught by an attack that was already a known issue on YouTube (just not known to them). The lesson is that anyone is a target, and having taken care of the basics is no reason to relax your vigilance.
Files that don't do anything are a red flag
The phished employee had tried to open a PDF file. When nothing happened, they shrugged it off and went about their day. It's easy to judge this person, but any of us can make the same mistake, especially with email attachments. Security training should always emphasise that a file, especially an attachment, that appears to do nothing when opened is exactly the moment to inform the security team: the "nothing" may have been malware running in the background. Also, be very suspicious of Zip attachments and always look at the full file extension. A file named something.pdf.exe is an executable, not a PDF, and a system that hides known extensions will display it as something.pdf.
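The two checks above (what the extension really is, and whether the content matches it) are easy to automate. The following is an added example, not code from the original post or from LTT: it classifies an attachment by its leading file-signature bytes and compares that with the name it arrived under. The sample files are constructed inline; only their first bytes matter to the checks.

```python
"""Attachment triage: does a file's name match its content?

Added example (not from the original post). It checks the two things the
post tells users to look at, the full extension and what the file really
is, using file-signature ("magic") bytes. The sample files are constructed
inline; only their first bytes matter here.
"""
from pathlib import PurePosixPath

# Leading bytes that identify the file types relevant to attachment triage.
MAGIC = {
    "pdf": b"%PDF-",
    "zip": b"PK\x03\x04",   # also .docx/.xlsx/.jar, which are zip containers
    "exe": b"MZ",           # Windows PE executables (.exe, .scr, .dll, ...)
    "elf": b"\x7fELF",      # Linux executables
}
EXECUTABLE_EXTS = {"exe", "scr", "com", "bat", "cmd", "ps1", "js", "vbs", "msi", "lnk", "hta"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt"}


def detect_type(data: bytes) -> str:
    """Classify by content, ignoring the file name entirely."""
    for name, magic in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def triage(filename: str, data: bytes) -> list:
    """Return the reasons an attachment deserves a second look (empty = nothing flagged)."""
    reasons = []
    suffixes = [s[1:].lower() for s in PurePosixPath(filename).suffixes]
    claimed = suffixes[-1] if suffixes else ""
    actual = detect_type(data)

    if claimed in EXECUTABLE_EXTS:
        reasons.append(f"extension .{claimed} is an executable type")
        # invoice.pdf.exe: only the last extension counts, the rest is disguise.
        if any(s in DOCUMENT_EXTS for s in suffixes[:-1]):
            reasons.append(f"double extension: {filename} is not a document")
    if claimed in DOCUMENT_EXTS and actual in ("exe", "elf"):
        reasons.append(f"named .{claimed} but content is {actual} (executable)")
    if claimed == "pdf" and actual == "unknown":
        reasons.append("named .pdf but does not start with a PDF header")
    if actual == "zip" or claimed == "zip":
        reasons.append("zip container: inspect contents before extracting")
    return reasons


# Constructed samples: the header bytes are all that the checks look at.
SAMPLES = {
    "quarterly-report.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
    "sponsorship-offer.pdf.exe": b"MZ\x90\x00\x03\x00\x00\x00",
    "contract.pdf": b"MZ\x90\x00\x03\x00\x00\x00",
    "media-kit.zip": b"PK\x03\x04\x14\x00",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        flags = triage(name, blob)
        print(f"{name}: {'OK' if not flags else '; '.join(flags)}")
```

Note that a name such as "report v1.2.pdf" is not flagged as a double extension: only a document-looking extension followed by an executable one counts, which keeps the false-positive rate low enough to run on every inbound attachment.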
The responsibility belongs at the top
LTT is not going to discipline the employee who got phished. Instead, as the owner, Linus took responsibility and said the real problems were insufficient training and inadequate response processes. It's easy to start pointing fingers when a breach happens, but in most cases the criminals were simply smarter and faster. Rather than devolving into a blame game, treat breaches as the organisation's responsibility.
Have a tested response plan
It's best practice to have a tested incident response plan alongside disaster recovery. Yet most organisations are less thorough than they should be, and LTT was no exception. When trouble hit, the LTT team discovered they had knowledge and process gaps around their account management portal. Small details like these become enormous in the middle of a breach. Know what to do before it happens and, like a fire drill, rehearse the individual steps.
Account credentials can complicate a response
An interesting observation from this hack is that LTT segregates user accounts so that each has only the specific permissions it needs. That is great practice, but it must be seen through all the way. If account credentials aren't properly assigned, tracked and revoked, working out how the attackers gained access becomes much more complicated. Segregation of rights is wise, but it can work against you if it isn't managed proactively.
Keep calm (and know how to keep others calm)
Fortunately, the LTT team didn't panic. But in his video, Linus did note the importance of having people express empathy and help others to calm down. Stress can bring out strange behaviours, and panic leads to more mistakes. A tested and reliable plan is key to keeping people calm. But there should also be people in the room who promote calmness.
Balance Friction vs Access
Security and productivity are often at odds, and the desire for a seamless experience can lead to removing security hurdles. In this case, YouTube's session tokens didn't expire quickly and weren't invalidated by the credential reset, so the attackers could keep reusing the stolen token even after the passwords had been changed. While keeping employees productive is essential, be mindful that a frictionless experience for them is also a frictionless experience for an attacker holding their session (and a nightmare for the security response team).
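To make the failure mode concrete, here is an added example, not LTT's or YouTube's code, modelling a server-side session store under two policies: the weak one the post describes (tokens that never expire and survive a password reset) and a hardened one with an absolute lifetime, an idle timeout, and revocation of every session issued before a credential reset. The user names, timings and policy values are constructed for the demo.

```python
"""Why a stolen session token survives a password reset, and the fix.

Added example, not LTT's or YouTube's code. It models the failure mode in the
post with a toy server-side session store: the weak policy (no expiry, no
revocation on credential reset) versus a hardened one. Users, times and
policy values are constructed for the demo.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Session:
    user: str
    cred_version: int     # credential generation the session was issued under
    issued_at: float
    last_seen: float


@dataclass
class SessionStore:
    # Weak defaults: sessions never expire and a reset does not touch them.
    absolute_ttl: float = float("inf")   # max lifetime since login
    idle_ttl: float = float("inf")       # max gap between uses
    revoke_on_reset: bool = False
    sessions: Dict[str, Session] = field(default_factory=dict)
    cred_version: Dict[str, int] = field(default_factory=dict)

    def login(self, user: str, now: float) -> str:
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(user, self.cred_version.get(user, 0), now, now)
        return token

    def reset_password(self, user: str) -> None:
        # Hardened: bump the generation so every session issued before the reset dies.
        if self.revoke_on_reset:
            self.cred_version[user] = self.cred_version.get(user, 0) + 1

    def authenticate(self, token: str, now: float) -> Optional[str]:
        """Return the user for a valid token; otherwise drop the token and return None."""
        s = self.sessions.get(token)
        if s is None:
            return None
        expired = (now - s.issued_at > self.absolute_ttl
                   or now - s.last_seen > self.idle_ttl)
        revoked = s.cred_version != self.cred_version.get(s.user, 0)
        if expired or revoked:
            del self.sessions[token]
            return None
        s.last_seen = now
        return s.user


HOUR = 3600.0
WEAK_POLICY = {}   # what the post describes: tokens that do not expire quickly
HARDENED_POLICY = {"absolute_ttl": 12 * HOUR, "idle_ttl": 1 * HOUR, "revoke_on_reset": True}


def replay_after_reset(store: SessionStore) -> List[bool]:
    """Malware copies the cookie at t=0. Does it still work one minute later,
    right after the team resets the password, and 30 days on?"""
    stolen = store.login("employee", 0.0)
    out = [store.authenticate(stolen, 60.0) == "employee"]
    store.reset_password("employee")
    out.append(store.authenticate(stolen, 120.0) == "employee")
    out.append(store.authenticate(stolen, 30 * 24 * HOUR) == "employee")
    return out


def keep_alive_replay(store: SessionStore, hours: int = 24) -> int:
    """Attacker replays the stolen cookie every 30 minutes to stay inside any
    idle timeout. Returns how many of the replays are accepted."""
    stolen = store.login("employee", 0.0)
    return sum(store.authenticate(stolen, k * 1800.0) == "employee"
               for k in range(1, hours * 2 + 1))


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, replay_after_reset(SessionStore(**policy)),
              keep_alive_replay(SessionStore(**policy)))
```

Under the weak policy every replay succeeds, including the one made seconds after the password reset, which is the behaviour the LTT team ran into. Under the hardened policy the reset kills the stolen token immediately, and even an attacker who replays the cookie every half hour to dodge the idle timeout is cut off by the absolute lifetime. The credential-generation counter is the important design choice: it lets a reset revoke all of a user's sessions without the server having to enumerate them.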
Fortunately, Linus Tech Tips got their channels back online, and we can benefit from their experience. These lessons show just why the small things matter in cybersecurity. Let's take them to heart and continue our work to make our organisations cyber-safe.