This is a companion discussion topic for the original entry at https://www.youtube.com/watch?v=7FLobfFLhdg
They made a video about the hack.
Edit: It was a session token attack as discussed in Techlore’s video. And they already had a strong password and 2FA enabled. So the discussion question here is, can auto-deleting browser data, let’s say every 24 hours, make one less susceptible to such attacks?
Set up “Clear browser data on exit” and every evening close the browser.
Cool to be right! It could have, if the affected sales rep didn’t log back in between the time their browser data was cleared and they opened the malicious PDF, but given that their full-time job is YouTube, that seems unlikely. I wrote a follow-up article after Linus’ video about why this is really more Google’s responsibility to fix rather than anything the LTT team could have done better (although there are certainly a few improvements for LTT to make as well).
I think this is an important lesson for everyone regarding security. Your security is always as good as the weakest link. You may be using an offline password manager like KeePassXC and have your account secured with a FIDO key. But all it takes is some kind of malware getting into your system and stealing your session cookies.
It’s very important to constantly audit your security practices and see what can be improved. Try to develop good habits like signing out from websites when you are done using them for the day. And use private browsing when you need to log in to an account that you don’t log in to very often.
Of course the best would be to set “Clear browser data on exit” in your browser like @Ambrosio suggested. But that is not a solution for everyone.
An extension like Cookie AutoDelete can also be a good option if set up properly. You can, for example, whitelist cookies used for storing settings on websites you use often, while you let it wipe everything else. Cookie AutoDelete can also delete cookies when you leave a website instead of relying on you closing your browser window.
The hack happened because Linus didn’t implement a proper protocol to ensure his channels (which are his main source of income to my knowledge) don’t get compromised.
Opening email attachments from people you don’t personally know on a work computer is an awful idea. If you have to do it, the right thing to do is to open attachments on an isolated computer that you don’t use to sign in to any online accounts, and preferably inside a sandboxed virtual machine.
It’s important to remember that Google is an ad business, and that’s what makes them money, which means that’s what they care about. They don’t directly make money from being a secure platform, and therefore security isn’t their priority. The website is very poorly designed when it comes to cybersecurity. The proof is right there: someone was able to change everything about the channel, from the channel name to the @handle, then repeatedly start several streams, and mass delete thousands of videos, without being asked to reauth even once.
Most grocery stores where I live have better security than this, and this is no exaggeration. If an employee tries to enter the price for an item manually instead of scanning the barcode, the software will ask for the supervisor’s password.
If you still have to use Google’s apps or services, don’t expect Google to have any measures in place to help you when it comes to securing your account. You’ll have to do everything yourself.
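The re-authentication gate that the last post says was missing, sketched as an added example; it is not part of the thread and not any Google or YouTube code. The action names follow the post's list, and `Session`, `authorize`, the 10-minute window and the per-re-auth delete limit are all assumptions made for illustration.

```python
# Step-up authentication: a valid session cookie is enough to browse, but
# sensitive actions also require that the password/2FA was presented recently.
# All names and policy values below are hypothetical.
SENSITIVE_ACTIONS = {"rename_channel", "change_handle", "start_stream", "delete_video"}
REAUTH_WINDOW_SECONDS = 10 * 60   # assumed freshness window
BULK_DELETE_LIMIT = 5             # assumed deletes allowed per fresh re-auth


class Session:
    def __init__(self, user, now):
        self.user = user
        self.last_auth = now          # when credentials were last presented
        self.deletes_since_auth = 0

    def reauthenticate(self, now):
        """Called only after the password/2FA check succeeds again."""
        self.last_auth = now
        self.deletes_since_auth = 0


def authorize(session, action, now):
    """Return 'allow' or 'reauth_required' for one request on this session."""
    if action not in SENSITIVE_ACTIONS:
        return "allow"
    if now - session.last_auth > REAUTH_WINDOW_SECONDS:
        return "reauth_required"      # cookie alone is not enough
    if action == "delete_video":
        if session.deletes_since_auth >= BULK_DELETE_LIMIT:
            return "reauth_required"  # caps mass deletion per re-auth
        session.deletes_since_auth += 1
    return "allow"


def demo():
    """Constructed timeline: login at t=0, same cookie used again at t=3600."""
    session = Session("channel-owner", now=0)
    later = 3600
    actions = ("watch_video", "rename_channel", "change_handle",
               "start_stream", "delete_video")
    stale = [authorize(session, a, later) for a in actions]
    session.reauthenticate(later)     # owner presents password/2FA again
    deletes = [authorize(session, "delete_video", later + 1)
               for _ in range(BULK_DELETE_LIMIT + 1)]
    return stale, deletes


if __name__ == "__main__":
    print(demo())
```

A cookie copied within the freshness window of a real login would still pass this check, so the window length is the trade-off between friction and exposure.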