YOUTUBE CHANNELS ARE BEING HACKED! (HOW TO PROTECT YOURSELF) | #THINKPODCAST #195
Speaker 2 :
Our Youtube channel got taken over by hackers.
Speaker 1 :
And there’s so many new attacks out there, oftentimes you don’t know what you need to do to protect your accounts.
Speaker 2 :
So how do you protect your Youtube channel from hackers?
Speaker 1 :
Forbes posted this article about this YTStealer attack, so oftentimes it’s incredibly hard to know if somebody has stolen this information until it happens. They start working so quickly to change everything around to make you lose permissions, make you lose access.
Speaker 2 :
I’m talking with a cybersecurity expert to give us the updates we need to know right now. Recently we actually lost our Think Media podcast channel for 10 days. It was very scary. We thought all of our videos and all of our hard work was gone. And so we’re gonna be unpacking that situation and then looking into some of the things like tools and mistakes, and how creators can protect themselves not just on YouTube, but their online presence overall. And what are some of the biggest threats right now? Cyber threats are costing creators massive millions, and even billions of dollars for businesses. It’s a horrible issue. And so I’m super excited to be with Shannon Morse, who’s here today. She’s the security and privacy advocate, and she’s an entrepreneur whose goal is to help inspire others to live life to the fullest while not sacrificing their identity, ethics, or privacy. And cool fact about Shannon is she built her first computer around age 9, and then later went on to teach herself HTML and simple coding while building websites dedicated to her favorite fandoms. So she’s been in the game. And she is incredible and was generous enough to reach out on Twitter when I was like, we got hacked. She shared some valuable resources there. And so, Shannon, welcome to the Think Media podcast.
Speaker 1 :
Hi, Sean. Thank you so much for having me on. And that was such a sweet intro.
Speaker 2 :
I appreciate you so much. We were able to connect at VidSummit a few years back and you’ve got an incredible YouTube channel with these types of tips, but I want to first break into just kind of the story, and those that are subscribers here know we got hacked. All of a sudden our channel’s taken over. It’s changed from Think Media to Tesla official. I’ve seen this happen many times. Oftentimes on my smart TV I see Tesla CEO or Tesla official is live and Elon is talking, and I’m like, that’s probably not Elon Musk, but they, they’re, this is very common actually. They’re hacking a lot of channels of different sizes, privating the videos, and then pushing out a live stream with prerecorded Elon Musk content and then soliciting crypto, especially because Elon’s a crypto kind of advocate, right? And making a lot of money. And a lot of friends rallied to help me with the situation here. And so the first thing is you kind of said this is maybe a YTStealer account. Maybe you can ask me some questions and let’s unpack this situation before we maybe go a little bit macro and give tactical things for everybody listening to apply.
Speaker 1 :
Yeah, absolutely. I’m so glad that you asked me to do this video with you too, because I haven’t talked directly with any of my friends who have had their channels hacked yet. So this is a really good learning educational experience for me, so I can tell people better how to protect themselves. So yeah, I’m curious. Do you know what it was that ended up allowing somebody to hack your account? Do you know what the target entry point was?
Speaker 2 :
So what we do know is that Google emailed us and they said they emailed us. The date of the hack was Wednesday, January eleventh two thousand and, three that they.
Speaker 2 :
2003 2023.
Speaker 1 :
To be sure. And what else? They’ve had access to your account for such a long time.
Speaker 2 :
Before you 2 even existed, for that matter.
Speaker 1 :
That’s amazing.
Speaker 2 :
Now what’s scary is we did have two factor authentication on, and to be clear of how that works, at least the way we have it set up is, when you log into the YouTube channel, if someone else is logged in, and one of our vulnerabilities is we do have multiple people working on our channels. This was also not our main channel with over 2,000,000 subscribers. This was our podcast channel, right around 75,000 at the time I think. When we do 2 factor, this will happen in our world all the time. I’m watching YouTube on my phone, I’m on my desktop, and a screen will pop up and it’ll say, hey, somebody in such and such state, somebody in such and such place is trying to log in, and you can approve or deny. We maybe became a little bit lax with approving and denying that. And of course we know where our team works and they’re all spread out in different states. And so whether it wasn’t me that approved it, somebody that had access that’s logged in could approve somebody else. And we believe that was the vulnerability point. And if you say try another way, it wasn’t a text message code situation that happened, it was that approve or deny. And Mel, Melissa on our team, mentioned that. I think she saw one pop up, was suspicious of where it was, did not click it, but I think someone else on our team clicked approve. And so that’s all I know, that at that moment though, once they got past two factor authentication, Google said they changed the code to a physical USB key. So you can coach us on that a little bit later, of how powerful that would have. We had one of those but then they took over. By now we were pushed out, and what was also interesting is some of our managers who did not, didn’t have authority were still in there. So they started watching them making changes. They watched them change the videos to private. They watched them and thank God they didn’t delete.
Speaker 1 :
That’s terrifying.
Speaker 2 :
Yeah, so they made the videos all private. They didn’t private the live stream. So the main page is all private. The live streams were like still public. Half of them were privated. And then what was also super funny was after the channel was hacked, it became Tesla official. They deleted the about page, they changed the cover, the logo, they tried to do a live stream and one of our managers shut it down because they were allowed. So that was even funnier, like, so it’s almost like they were kind of fighting back and forth inside of there ultimately.
Speaker 1 :
There’s only so much you can do if they already have access to the.
Speaker 2 :
Highest level. And then we kicked all the managers out, so it’s just them. And we also then had a scheduled upload because we uploaded our podcast on Tuesday and on Thursday. And so a video came out with no thumbnail because we had it uploaded one. And so all of a sudden my latest video dropped on Tesla official and some people saw it. And they’re like, did you get hacked? Where’d all your other videos go? Is this the right channel? Did someone steal Sean’s content? And we still had to reach out. We started with tweeting YouTube on Twitter, which is what they tell people to do. Although all they did was send us to the main page where we had to fill out email and reach out to Google support. And I did, my friend Benji Travis, who, you know, coauthor of YouTube Secrets, he said try to make, you know, try to really blow it up and get everyone to share. I don’t think they expedited anything, which is fine. It is what it is. But because it took a while, it was a while to get responses. It was days to get a response. It was, you know, 48 hours. Then it was like a while to kind of go back and forth and get some things going. And so for 10 days the channel was down. But eventually, mid that process, the hacker got kicked out. But they then slowly started restoring our channel to us, and then when we got it back. So the attackers changed the YouTube channel name from Think Media podcast to Tesla official. I’m reading an email they sent, they summarized it, right. They removed the team’s emails, no longer granting them moderator. They changed the icon, avatar, banner and made all the videos change to private. And that all happened on January eleventh, twenty twenty-three, again. Well, when we discovered though that we got the channel back, we turned all the private videos back to public, had to reupload the cover and rebuild the home page and just all the different features, because all of that was just kind of zeroed out. And so it’s a pretty wild story.
Speaker 1 :
It turns into a lot of work, and I think when it comes to YouTube content creators, there’s so many creators who want to get the ball rolling and want to start growing their accounts and want to start growing their channels. But if you’re growing and you’re not protecting it in an efficient manner, and there’s so many new attacks out there that oftentimes you don’t know what you need to do to protect your accounts, then you could potentially lose income. And I feel like when it comes to your channel as an example, it can absolutely affect your growth on the platform because you’re not uploading during that time, and it can affect your income. And if you have a large growing channel, if you’re depending on that income, it can really hurt you.
Speaker 2 :
100%. And what’s interesting is I had my friend Jake Larson, who runs YouTube ads more for like service professionals and experts, and he said five of their channels got hacked the day before Christmas. Another person, who I didn’t get their permission, who we both know, so I don’t know if they want to know that they got hacked, also got hacked in one of, and their channel manager DMed me and said, hey, we went through this, we did get it back, it was frustrating. And so I had a lot of, what was interesting is, a lot of subjective, but this appears to be very common, and it was kind of like a wave, like it just was hitting a lot of different people. And so you mentioned a YTStealer attack, and Thomas Frank said it’s probably browser hijacking or session hijacking. So what are some of those things? We can maybe tackle those, of what maybe could have happened here?
Speaker 1 :
Yeah, absolutely. So just, I would say like 8 months ago or so, Forbes posted this article about this YTStealer attack. That’s what this attack is being called. And the whole point of it is to steal YouTube authentication cookies. And kind of in order to understand what these authentication cookies do, it’s whenever you, you know, hop on your computer or hop on your phone and you first log into your account, you’re clicking around inside your account. You don’t have to log in every single time you change your page. And oftentimes you can stay logged in for like a month at a time before you have to relog into your account. And that’s because you have cookies on your computer that are saving your information and saving it as this special session. And if somebody else is able to steal the code for that session, then they could use that same information to bypass all the credentials and log into your account on their own computer. Even though it’s a completely different machine, it might be on a different IP address and might be in a completely different country, it can work. And in the case of the YTStealer attack, a lot of people are purporting that this is probably malware that somehow ends up on your machine that is harvesting that information, it’s harvesting the credentials, or it’s harvesting the session ID in order to steal it and gain access to the account. So oftentimes it’s incredibly hard to know if somebody has stolen this information until it happens. And then as soon as it happens and they’re in, they start working so quickly to change everything around to make you lose permissions, make you lose access, that you end up having a closed down account for like 10 days, like in your example, until you can finally get access.
Speaker 2 :
Back. Wow. And so ultimately then we could break down what, why? What are the dumb mistakes people make, or just the unknowing mistakes they make, that could allow and lead to malware getting on their machine? And are there also tools you recommend for maybe someone saying, is there malware on my machine right now?
Speaker 1 :
Yeah, absolutely. So Malwarebytes, 100% one of my favorite tools. It’s free and you can download it. Sometimes they prompt you to pay for the free service. You can totally upgrade if you want to, but I use the free version. Windows Defender works wonderfully well for antivirus if you’re on a Windows computer. If you’re using Linux or Mac, if you want to switch to one of those, they don’t seem to be as targeted as much when it comes to these kinds of attacks. So you could totally switch operating systems, but if you’re like me and you’re a big Windows geek, then I fully understand if you wanted one too, so that can definitely help. And it seems like one of the biggest ways that people are getting attacked is through fake emails that are being sent to them. So one of the ways is maybe an attacker pretends or copies a YouTube copyright warning and they email it to you. It looks totally legit, but it’s not. So if you click on a link within that email and you log into your account, that’s giving them access to your credentials, that could allow them to get access to your information. Another way is fake sponsorship or fake advertisement emails. A lot of people are getting those too, and luckily a lot of content creators have been sharing those on social media, so they’ll share screenshots and be like, I don’t think this is real. You can oftentimes tell from the domain. But domains can also be duplicated, they can be faked. So you can’t really depend on just the domain address and an email address and an email form. Oftentimes you have to look at more than just that. Look at the grammar. You could look up the name of the person signing the email and see if they’re on LinkedIn or social media. And you could reach out to them on social media and say, hey, are you, like, did you send me this email from your PR company or from your brand? Did you actually want to sponsor my channel? And oftentimes you’ll get a reply like, yes I did, or no, that’s not me.
So that’s one way that you can kind of see if somebody is sending you a fake email or see if it’s legitimate. Oh my gosh, I could go so deep when it comes to just like email protection and ways that these attackers are able to hack into content creators’ YouTube accounts just through email. Oftentimes it just comes down to making you click a fake link that sends you to a website that looks like YouTube, but it’s not, so they are able to steal your credentials, so user name and password. Or they’re getting you to click on like maybe a PDF, like, here’s just this PDF, please check this to see what we’re looking for, our sponsorship inquiry. You click on it and it downloads malware. Oftentimes executables or malware will be embedded inside these kinds of documents, like PDFs or DOCX type of files, and those can end up downloading onto your computer, and that can be a really bad way for them to actually get into your information and steal your cookies, steal your session ID. Wow. And so is this also, it’s what’s called phishing or it’s related to phishing?
Speaker 1 :
Yeah, absolutely, yeah. So phishing is, it’s, you know, the name kind of makes sense when you think about it. When you go to a lake or go to the ocean, you’re fishing. You’re fishing for fish and you’re hoping that one of them is going to stick on your line. Then you can take it home and cook it for dinner that night, if you’re into fish. I am. I love salmon. It’s so delicious. But online phishing is very similar. You have spear phishing, where they’re directly targeting people, and then you have regular phishing, where an attacker might send out like a massive email to a ton of content creators, and hopefully one of them, hopefully one catches on to that line and downloads that malware, because if even one person does it, then it’s worth their time. Then they might be able to make some income from it. Especially if they’re sending out like live streams for you to, I don’t know, send money to a crypto wallet or something.
Speaker 2 :
100%, and I see this. In fact, you know, I use Coinbase and I’m thinking about the different emails I get, and constantly it’s like, your account’s under attack, or please update your thing. In fact, this is interesting and relevant. Once we got hacked and I started sharing on social media, people tried to double hack me on Twitter. Like they started saying, like, yeah, like, oh, we can help. Like, oh, we will help you get your account back, and I’ll be looking at this little sketchy account on top of that, and so, you know, just send us your info and we’ll. So I’m like, what? Oh my gosh, like what a sinister plot here of trying to hack the hacked. And so probably somebody clicked the link, maybe logged in their credentials, clicked the link or opened an email they shouldn’t have. And are you vulnerable from just clicking a link potentially?
Speaker 1 :
Yeah, you can be. A lot of times there are malicious websites where as soon as you visit them, they might try to start scraping data from your computer, from your session, or from your machine that you are using, and from that data they might be able to scrape enough information about it to, you know, either get you to automatically download some kind of executable or some kind of malware, or they might be able to steal enough information to gain access to your accounts. One way that you can tell if an account is malicious or not is if you which don’t click on links at all. One extension I use in Chrome is called uBlock Origin. It’s completely free. It starts with the “u”: uBlock Origin. And that one will trigger a little response within the browser that says, hey, this is a potentially malicious link, do you want to proceed? And it gives you the option to proceed, yes or no. Oftentimes I find that it is a little bit trigger happy when it comes to warning you, but it’s a good thing to have if you want to be extremely cautious and extremely skeptical when it comes to links in your email. Another way to completely bypass clicking on links in email is just to go straight to the YouTube Studio. Because if you’re going to have a prompt about like a copyright notice or a warning on your account, or if there’s some kind of like advertising revenue issue, sign into your AdSense account directly as opposed to clicking on a link in your email, or go to studio.youtube.com and log in directly as opposed to clicking on an email, because any of those prompts you’re going to see on your dashboard. They’re not just going to send it to your email, they’re going to put it on your dashboard as well so that it’s very clear and you can respond directly to YouTube or your AdSense or whatever some attacker is trying to steal from you.
Speaker 2 :
This video was brought to you by StreamYard. StreamYard is our go-to platform for streaming to YouTube and Facebook with an incredibly easy to use interface for built-in branding, transitions, text, lower thirds and seamlessly bringing on guests. It really is one of the best options when it comes to live streaming, and what’s so cool is they’ve implemented a brand new feature called local recording. Take control of your audio and video with local recordings by separating out your audio and video from your guests. This feature gives you the control over your content for later use, making it perfect for podcasts and video creators. Just go to streamwiththink.com to get started now. So powerful. Now you shared 3 tips, and then you may have others, as far as like, well, what do we do to protect ourselves? How do we solve this problem? And on Twitter you mentioned number one: use Yubico to protect your account from 2 factor authentication phishing. I looked these up, they’re little USB keys or USB-C that you plug into your physical machine. It looks like they’re right around 50, 60, 70 dollars on Amazon. Where’s?
Speaker 1 :
Mine? Oh, I have one here. Yes, that’s what it looks like. I have a sticker on mine so I can tell that it’s mine. That’s how I identify it. But yes, you can pick these up for, you know, less than 50 bucks. I recommend getting 2. And you can register any account online that accepts hardware tokens or hardware keys for multi factor authentication. You can plug one of those in and use it to log into your account. The way those work is you type in your username and password, you click on login, and then on a next page it’ll say like, hey, you have to plug in your hardware key and click on it in order to authenticate your account and allow you to authenticate and log into your account. This is kind of an upgrade from using codes that are sent to your email or sent to you by text message, and it’s also an upgrade from using an application that generates little 6 digit codes. And you’ve probably seen that happen a lot with like, if you’re logging into your bank they might send you a six digit code, or your ISP or your email address even. A lot of them automatically force you to set up 2FA and you might not even know it’s happening, but then you get sent the six digit code. You have to type it in within like 60 seconds to log in. The problem with that though, is when you’re typing in these codes, if somebody’s stuck malware on your computer, they could be watching your screen and they could get that code and they could get your username and password. So if they have all three of those little pieces of information that you type in, then they could log in no problem. The thing with the hardware key is they can’t duplicate it because they don’t have the hardware key. So unless they’re like in your house and they steal your key, they’re not going to be able to log in. So if they’re trying to log in with username, password, and hardware key, they’re going to get stuck. They’re going to get blocked by that brick wall made by the YubiKey. Google makes one called the Google Titan.
It’s going to stop them right in their tracks and they won’t be able to log in. Now if they have somehow stolen your session ID, like with the YTStealer attack, this is the big reason why we don’t want to get malware on our computers, that could allow them to bypass 2FA. But that doesn’t necessarily mean that you shouldn’t have a hardware key on your account, because that’s going to protect you from even more attacks outside of YTStealer that might potentially try to hit you from other various circumstances. So you should be taking kind of a holistic approach to online security and privacy when it comes to your account and trying to think like a hacker. Like think of all the different ways that an attacker could potentially get into your account and make sure that you’re protecting it even further. Try to take it a step further so you’re never the low hanging fruit, because the higher up you are in terms of security and privacy, the better off you’ll be and the less likely you will be a target.
Speaker 2 :
And if you were in a situation where, question one, you’re an individual creator, so you get one of these physical keys, and I will, Shannon’s got some resources and some videos on this. She reviewed some. We’ll link those in the show notes as well. Do you recommend Yubico over Google’s Titan?
Speaker 1 :
I do, and the main reason is because they’re not very expensive. So honestly, it’s an upfront cost and then it’s free to use forever until like you break one or lose one, and then you just buy a new one. And they have a lot of different options. So Google Titan has a few different options which will round you out pretty well, but if you want to use them across all sorts of different platforms, like, I’m a tech reviewer, so I have like an iPhone and I have an Android device and I have a Linux box and a Windows computer. So I need all sorts of different ports, NFC, Bluetooth, whatever. So I have a bunch of different YubiKeys, and that way I can use them across the board, like across any of the different browsers that I have or different operating systems that I have. The nice thing about it too is whenever you set one of these up on your YouTube account, you can set up multiple of them. So if you’re worried that you’re going to lose one, don’t be, like, just buy two. Set them both up at the same time, store one away in a safe. Or like if you have a bank safe at your bank, you could store it there. Just store it somewhere safe and secure where like nobody can get to it. And then use your other one whenever you need to log in. And like we mentioned earlier, cookies and sessions allow you to stay logged in for a long period of time, so you don’t have to use it every single day. You’re only going to have to use it whenever you need to set up a new account, set up a new computer or a phone. Or if for some reason you’ve erased all your cookies and you need to relog into your account, then you would need to use your Yubico again, so you don’t really have to carry it around with you everywhere, anything like that. Like it’s not very inconvenient to use. I have one that I generally just keep plugged into my computer in a secure space, and then my other one I keep in a secure place that nobody knows about. It’s a secret place, so.
Speaker 2 :
If you’re an individual creator, getting two would be smart, exactly that you just described. If you were in our case and there were some people that you wanted states apart, would you get 5 or 10 of them and mail them out and get them all so that anybody that needed to be at that level would have this physical Yubico USB drive at that level?
Speaker 1 :
Absolutely, and in fact, a lot of companies have been doing that this year. For example, there’s a big company called Cloudflare. They’re in charge of a bunch of connections online. They make sure that your connections work and they protect you from attacks on the Internet if you have a domain with them. Without going into too much detail about Cloudflare themselves, they’re a very large company with tons of employees. They were attacked last year, and this attacker was trying to get into employee accounts, trying to phish them for information, trying to get somebody to accidentally give them like their username and password and 2FA code. But they got blocked because they were using hardware keys. So because the attacker didn’t have one of these hardware keys, they weren’t able to get in due to that. Like, that’s a great example of what, you know, us YouTubers with a team of like 20 or less people, even more than that if you have a big team. You can just buy 2 per person and have each person set up a couple of them. Just walk them through. It’s really easy to set them up. Have them store one away, have them keep one on their keychain or whatever is more convenient for them, and then they can use that to log in. And then like maybe every week or every month or so, you could even like ask them to delete their cookies and refresh their browser history so that if there was some kind of malware on their computer that was trying to steal their session ID, then the session ID gets refreshed and they would have to re-log in and use that Yubico one more time. When you mentioned that, I believe her name was Melissa, she had mentioned that she saw the approve or deny request on her phone. So that’s an attack which is currently being used by a lot of attackers called 2FA, it’s where they’re trying to get you to just approve it. Just approve that request. It’s called 2FA fatigue.
And that’s where you just get so tired of seeing the approve or deny that eventually you’re like, oh, it must be somebody on my team. Like it’s nine, nine p.m., whatever, I’m tired. Like I’m just going to hit approve and it’s fine. Like, it looks legit, right? So it must be legit. 2FA fatigue has been used for a lot of these companies. Reddit, Twilio, I believe Uber was one of those. So a lot of companies have had their 2FA bypassed or attacked specifically because these attackers are getting smarter. So by upgrading to hardware keys, not only are you protecting yourself from, you know, potentially somebody stealing your codes, but also these 2FA fatigue requests. So make sure that everybody has one of these, and it’s a much better way to protect yourself.
Speaker 2 :
I, we, we’re in 2FA fatigue. That’s, and we got comfortable, yeah, or like, we’re like, yeah, this is cool, then it’s safe. You know, we’re all, whether we’re logged in, just approved, like people are doing it all day every day. And as you scale, you know this, we got to have you back sometime in the future because this is an ongoing conversation and ongoing challenge obviously, because as you scale you get more people and some of the stuff, it feels like it’s just kind of frustrating and you’re like, how do we do this at scale? How do we, you know, keep people safe? And another thing that might be interesting to you was, we’re pretty sophisticated. Maybe the better thing to say is we are pretty unsophisticated as a company and we need to grow up and become sophisticated. And you know, I started shooting videos of course like all creators, like just in my bedroom, a solo creator, and then eventually started growing to the team and even having like a website. You know, now we have like an HR department, like whatever, but like, a majority of people were just using their own personal emails and we just now brought that money to thinkmedia.com. And so even having, but even, any thoughts on that?
Speaker 1 :
Yeah, actually that’s a really smart idea, to move everybody to a, like, Think Media account or something similar to that. And one thing to consider is, do you publicize the email address that you log into YouTube with? And if you do, that could give an attacker extra information that they could use to potentially breach into or hack into your account. So I’ll give you an example. I use, I don’t know, I’ll use sailormoon@gmail.com. That’s not really my email address, so don’t try it. But let’s say I’m using sailormoon@gmail.com to log into my YouTube account. And I put that on my about page on my YouTube channel. And I say this is how you can contact me if you want to do like ads or sponsors or promotions or whatever. And I get this email from somebody and it says there was a problem with your ad revenue and you have to log into this link, and it’s to the sailormoon@gmail.com account, the same one that I used to log in. If I see that, I’m going to think, oh, this might be legit. So I should probably check my ad revenue so I get paid this month, because ooh, I got to pay my mortgage. If you’re using a separate account for your logins than you are for public information, then the attacker is going to get the public email and try to email you there. But if it’s going to an email inbox that is public, that is not the one you used to log in, then you would know immediately. That would be a red flag that somebody is trying to hack into your account, because Google is not going to send you an email to the public account when they can send it to the email that you used to log in. The legitimate Google knows what that login is, knows that email address, but nobody else should if you’re keeping it private. So why would Google send you an email to your public one? That’s a big red flag, so.
Anybody out there who is just using like one email address to log into all your things, make your likes, just transfer your YouTube account to a different email address and make sure it’s private. Like don’t tell anybody what that email account is, and then set it up with 2FA, and that way the only emails you should get there are legitimate ones from like Google.
Speaker 2 :
And I think we had changed the front facing email, but because I started Think Media back in 2010, I sometimes would use it as like my main Gmail and even show people, you know, like business connections. So like a small group of people, and that might not have been the vulnerability point, but your tip there is use a separate Gmail for your YouTube account that’s dedicated, right? And that is not shared, not for in and outbound. Just for logging into your precious YouTube.
Speaker 1 :
Just yeah, just for logging in. Like just almost treat it like a password. Like you wouldn’t tell anybody your password. Don’t tell anybody what the email address associated with your YouTube account is either. That obviously is going to work better if you’re just one, a one-person operation. But if you do have a team, then maybe require them to use a separate email account to log in as well and don’t give them any access or permissions on their public email addresses. Smart, so good. And then another tip you shared was audit online security, especially connected third party apps. Yeah, what those could be?
Speaker 1 :
So third party apps are applications that allow you to like stick addons onto your YouTube channel. Some of the ones that I use are like vidIQ, TubeBuddy. Those are like third party addons for your account. Usually those are going to authenticate with your account via this thing called OAuth, which is a secure way to log into your Google account and basically pair the two accounts together, your YouTube account and then the third party addon, and those are really great and very convenient because they let you do all sorts of cool things. But if you’re kind of slap happy when it comes to adding things to your YouTube account, you could add something that’s malicious. I don’t think that vidIQ or TubeBuddy are malicious. In fact I love those addons, they’re amazing and they’ve helped me grow my business. But when it comes to like other just random things that you might find out there that somebody randomly recommended, do some research, you know, see if they do their own security products for their own company. See if they allow you to log in via OAuth or if they require you to type in your username and password in for YouTube into their product. Because they really shouldn’t be, they should just be using authorization through Google. So there’s... If you do see any like weird third party apps that you don’t recognize, just deny them, just close them out and disapprove them or remove them from your account, from your YouTube account on the back end, and that’s one less thing that you would have to worry about. And I believe you can control what third party apps and like what browsers and what devices you’re logged into through your Google account that’s attached to your YouTube. So you can go to those settings through there.
Speaker 2 :
Is there any vulnerability? I’m a big Google Chrome user. Is there any vulnerability of having certain extensions on Google Chrome that could make their way all the way over to mess with you somewhere else? And I’m looking at mine. I have like rackets.
Speaker 1 :
I have like 20 extensions.
Speaker 2 :
So yeah, don’t worry, right now I’ve got Zoom, one up there. We are using one pass, which we can talk about that in a bit as well, and 1Password, so, but are extensions, that’s different than third party apps connected to your YouTube channel, which we’re talking about being hacked here, but any thoughts there?
Speaker 1 :
Yeah, that’s a really good question. There have been some Google Chrome extensions for the Chrome browser that were allowing attackers to distribute malware through the extension store, like the online store for extensions where you can download and install them. So that has been found before. However, none of them I believe have been used directly associated with attacking YouTube channels, not that I know of, but that doesn’t mean that they don’t exist. So that’s another way that you could definitely like audit your online security for this holistic approach, is to definitely look at like what kind of extensions you’ve downloaded, what you’ve downloaded on your computer itself, and see if there’s anything that you’re not using day-to-day for your business or for your workplace that you could just delete entirely or uninstall. That’s a really good way to protect yourself. I’m glad you brought that up, actually.
Speaker 2 :
Thinking about kind of macro as we create a game plan. And you know, I want to encourage listeners, stick around, because I’ve got some juicy questions just about the cyber threats we’re facing in general and thinking about the bigger picture, because it could be, yeah, hacking our money or our bank accounts or our personal identity, identity theft, we couldn’t even cover all of that. Let’s talk about some tools or some things that, what are some of the cyber threats that you think we’re facing and do you recommend things? I’ll throw them at you, like a VPN? Absolutely.
Speaker 1 :
I hope you’re using a VPN, Sean.
Speaker 2 :
I will be soon and there’s lots of different ones which are and why. And of course we’ll do a whole summary and show notes, but.
Speaker 1 :
I’m so glad you mentioned that, too. Oh my gosh, you’re asking me like, the perfect questions about security and privacy. It’s so great. I’m so excited. VPNs are wonderful. They’re a great way to protect your local information. And often times, VPNs will encrypt your data so that nobody else can see your data. You do have to trust the VPN that you’re using, so keep that in mind. If you don’t mind that Google is running a VPN, the Google One VPN is wonderful. It’s great for protecting your traffic, especially if you need to log into like public wifi or something like that, will protect your traffic so nobody can snoop on your data while it’s in transit. Another one that I really recommend is called Proton VPN. That one has been highly recommended in the cybersecurity community for quite a long time now, and I would say those are the two that I mostly recommend now. If you want to go into more details, I did do a YouTube video about some of my top VPNs, but those are the ones that I usually recommend for people to check out.
Speaker 2 :
And just give a quick breakdown. If we’re new to VPNs, maybe some of us only think, oh, the reason we should get one is so we can watch Netflix shows in another family, as all sponsored YouTubers may promote.
Speaker 2 :
Yeah entertainment.
Speaker 1 :
Channels. And then they’re like, and it does a bunch of other cool stuff for you as well, but like, I know nobody ever covers the cool stuff. Nobody ever covers like all my favorite stuff of VPNs. I love everything about VPNs. So it’s basically like, it’s like a secret tunnel that you’re sticking your traffic through that’s owned by VPN. So maybe they have a camera in that tunnel so they can see what’s happening, but it protects your data from point A, which is you, to point B, which is whatever website you’re trying to visit, or whatever online shopping service you’re trying to go to, or whatever it might be. So that way anybody that’s snooping on both sides of the tunnel can’t see what’s going on inside the tunnel. So it’s a secret tunnel. That’s the easiest way to kind of explain what a VPN is. And in order to use one, it’s very simple, you either download the installation file for it and put it on your computer so it works with all of your different devices or all of your different programs that you have in your computer. Or you can download an app on your phone, or download an extension for your browser. Now of course, read reviews, make sure it’s a legitimate one, check the terms and service of the VPN, make sure that they don’t snoop on your traffic and sell it to third party advertisers. If they don’t disclose that information and then they do it anyway, they could get sued. So it’s in their best interest to tell you, disclose this information in their terms of service. And then yeah, you just use it every day. This does help you watch stuff in other countries. I’ve used one to buy tickets for Japanese theme park, even though I wasn’t in Japan. It totally worked. And then I went to Japan and got cheap tickets because they thought I was Japanese. It was great, but you could also use it to protect yourself whenever you’re like on public wifi, or you have to use like your hotel’s Internet access in order to upload a video, which don’t recommend because it’s always too slow. So it will protect you from those kind of potential attacks of somebody trying to steal your information.
Speaker 2 :
Would you recommend, as I am often times in an airport, that I’m not logging into my YouTube channel on my phone or MacBook, on airport wifi and am I vulnerable from going there?
Speaker 1 :
Don’t do it, in fact.
Speaker 2 :
Don’t log in, or don’t even open YouTube at all. Don’t even let my device turn on.
Speaker 1 :
Yeah, just turn off all your device.
Speaker 2 :
Vulnerable like if I get my laptop on airport wifi, does it now just matter what websites I go to? Or should I not even use unless I?
Speaker 1 :
Just don’t. Yeah, you can use a VPN, that will help with protection. Whenever I travel, I don’t use any public wifi whatsoever, and the reason is because it’s so easy for somebody else to pretend to be that wireless router, pretend to be that access point, and surreptitiously get you to, like, basically authenticate and log into their router and log into their wifi as opposed to the real airport wifi. So you got to watch out for that, and there’s no way to tell which one is real and which one’s fake. So for example, when you go to an airport and you want to hop on like the airport wifi and you go into like all the little wifi settings on your phone, you might see a few different ones that say, like, free airport wifi. I live in Denver, so Denver Airport wifi, Denver Comcast free wifi, like, whatever it might be. And you might not know which one is the real one. So if you click on one and it says you’re connected, you’re like, all right, I’m good to go, but how do you know that that’s real? I say this because one of the companies I work for or work with created a device, a tool that is used by cybersecurity professionals to audit companies, that allows them to duplicate wifi networks, and if they’re within range of your device and your device is set to automatically connect to some known wifi network, it might automatically connect to a malicious network. So you really have to watch out for that. And you never, it’s so hard to tell. So I highly recommend just not connecting to wifi, no public wifi.
Speaker 2 :
Got it. OK, scary, but really good advice.
Speaker 1 :
Yeah, kind of scary, but yeah.
Speaker 2 :
Password managers. I know that you just did a recent video about LastPass got like hacked again, and I say again because I feel like it’s happened multiple times. I know there’s other time. Yeah, that’s wild. Luckily, I suppose we’ve been using one pass for quite a while. Thing one, does every creator need to be using a password service like that in today’s world? Yes.
Speaker 1 :
If you aren’t, what’s wrong with you? No, I’m just playing. Password managers are very good. There’s only so much information that we can remember in our minds. And when it comes to all these different devices that we’re using in today’s day and age, it’s incredibly hard to remember all those passwords. So I highly recommend using a password manager, especially if you have a lot of online accounts, because the moment that you reuse a password across accounts, really focus on like YouTube accounts, especially if you’re reusing that password on some other website, and that some other website gets hacked and they weren’t protecting your password correctly, then now somebody has your password, and they could try it across a multitude of different websites and see which ones you were reusing it on. And if you’re reusing it on YouTube, there you go, there’s their entry point, and then you want to make sure you’re using a hardware key so if they have your password, they get blocked.
Speaker 2 :
Yeah, if we follow all your tips, then it’s like they can’t get through. You have a steel gate, you have a, you have armed guards, you’ve got lots of different things. So OK, so definitely use a password manager. Is there one you like?
Speaker 1 :
Yeah, LastPass. No, I’m just kidding. I really like RoboForm. They have a very easy UI. It’s really easy to use, and they have an extension. Another one that I really like is called Bitwarden. That one has a free option, so if you want something that’s really inexpensive, there you go. Bitwarden is free. 1Password is probably the most advanced one that a lot of people use. I’ve used it as well because I’ve reviewed all of these. 1Password has a very advanced and very feature-rich platform, but they’re more expensive. So it kind of depends on which one has the features that you’re looking for. Like some people really need family sharing where they can share passwords across different accounts. So everybody in their household has access to it. Like if you have Netflix in your household, you might want to share that password with everybody even though Netflix doesn’t want you to. So there are like different features and it kind of depends on exactly what you’re looking for. A lot of people in the cybersecurity industry really like one called KeePass, because that one is, I believe it’s open source, and it also lets you do a local download, so you’re not uploading any password manager information to a cloud service. But again, that would require you to have some kind of local storage, and your local storage needs to be secure as well. So a lot of things to consider when it comes to which one you want to choose. I feel like I should make a spreadsheet. Yeah, no, I love it. Yeah, like a comparison. Yeah, in columns, that would be a huge. And yeah, we’ve been using one port, one pass. We do love it, and when you talk about it being a little bit more expensive, if you’re early on and this isn’t your main revenue generator, then Bitwarden and free, you’re going to be a lot safer than others. You don’t want to be that lower hanging fruit.
But I, for me, especially after what we’ve been through, we are, an investment in cybersecurity feels to us like it’s always a good investment, and we’re not trying to look at the cheapest option. We’re not trying to... Yeah, we say because we especially now can extrapolate out not only the cost of potential loss revenue or future revenue or how the worst case scenario of like completely losing the channel, but even just the cost of time, the cost of peace of mind, the cost of the frustration. It threw our whole day off and threw multiple days off. It set us back. I’m less worried about even the, there was the revenue that was not generated, but then there was also our entire team was now scrambling and focusing on this instead. My friend Chalene Johnson actually had her Instagram and Twitter and a couple other accounts all hacked, and her email address. Through social engineering they got into her whole world, and it probably didn’t have to cost this much. But when it came to redoing software, redoing devices, getting kind of their whole business in place, it ended up being a hundred thousand dollar cost to their overall company as they were recovering from this. And so sometimes you think it’s kind of almost like insurance. You’re like, if I actually only pay this number and I never realized the potential savings, well, Murphy’s law, it’s like that’s maybe the exact reason why, and it’s the peace of mind. And so that’s a great one. Another one, is there other tools? And one question I have for you: I’ve seen some advertised, I can’t, but none of the names are coming to my mind right now, but maybe it was an ad on Patrick Bet-David’s channel as the sponsor, about, do you know that your information is on the dark web? Your passwords are probably going everywhere. This particular piece of software is going to like, scour the Internet, clean things up for you, or find things for you, give you alerts. Is there anything else like that you recommend?
Speaker 1 :
Yeah, there is actually, there’s a website that I recommend. It’s called Have I Been Pwned, P-W-N-E-D. It’s like owned but with a P, haveibeenpwned.com. They will search online for your email address in leaks that have happened to big companies. Like Adobe had a big leak years and years ago. But in that leak one of my email addresses was exposed. So I got a notification from haveibeenpwned.com saying hey, your email address was leaked. You might want to change your password on Adobe or your email address or both just to be on the safe side, because we don’t know if Adobe was protecting your password for their account in a way that was encrypted. So I did that and then my account was safe. So that’s a really good way to kind of keep up to date with what’s going on the dark web without actually visiting the dark web. Just let somebody else do it. When you put your information into this website too, it’s totally fine. It’s totally secure. The data that they are getting from these breaches are from publicly made breaches, so anybody can see what email addresses are in these breaches. You’re just using this database to find that information and get notifications. The original creator, his name is Troy Hunt, and he’s been in cybersecurity for a really long time, and he did this kind of as an effort for the community to help protect people, and it’s been something that I’ve recommended for like 10 years. Another option that you can use is, and disclaimer, they have been a sponsor on my channel, but I’ve been a paying customer of theirs for longer than that, way longer than that. DeleteMe, deleteme.com, I want to say. They have a wonderful service that looks for data broker sites like yellow page sites or white page sites like Spokeo, People Finder, all that stuff. They will look for your information, your first and last name, email address, home address, which nobody working in YouTube wants, for random people showing up to your house.
So they look for all that information on these data broker sites. They send opt out requests for you to force these data broker sites to delete that information. And they do it on a reoccurring basis because it’s a membership. So they do it like quarterly and then they send you a report showing you what information they found and what information they were removed. And they look at like, I want to say, 60 plus different data broker sites. I didn’t even know so many existed. But they help protect your information from getting out there. And when it comes to being like a public figure or being on YouTube, having that little piece of comfort, knowing that there’s a company out there who is making sure that my data is not out on the web, on all these different websites, is, it’s a comfort to me. So I use their product like all the time. And I love it, love it, love it.
Speaker 2 :
So again, we’ll put these resources in the show notes, so many good things and nuggets, but I put in one of my emails on... Luckily this is my, this is my kind of throwaway email, like this is... I’ve actually had this email since high school and.
Speaker 1 :
Were you?
Speaker 2 :
Related to any of our business activities, but I put it into Have I Been Pwned and there’s been 29 data breaches and six cases. Bitly, Gravatar, LinkedIn, MGM Resorts, Twitter, Adobe, Animoto, Apollo, Canva.
Speaker 1 :
Oh my gosh, that’s a lot.
Speaker 2 :
You might Kickstarter, but here are these brands. All these brands, Myspace, StockX.
Speaker 1 :
Huge brands.
Speaker 2 :
Tumblr, Zynga, Wayne Leo, I don’t.
Speaker 1 :
Even know. Oh my gosh, you know.
Speaker 2 :
What’s a paste? You’ve been found in paste is information. That’s a paste, yeah?
Speaker 1 :
Yeah that’s like if an attacker just pasted a whole bunch of emails into a into like a document, and then they threw it up on the web. That’s a that’s a paste. It’s called it like a paste bin.
Speaker 2 :
So really great resources, and this is definitely time, whether you know, listening to this episode, to get your life secure, your account secure, think about getting the right tools in place. I definitely, as we land the plane, I’m excited to, I think we, I would love to talk again, and I know that this is probably some of our favorite episodes, one of the scariest episodes, but you know that’s very scary, you know, and it’s just kind of the world we’re living in. I know that some people too want to retreat, but I think it’s just about, it’s just sort of you need this education and you just don’t want the right tool and you want to elevate yourself from that easy to get kind of just on. It what is funny is I was talking to one of my very close kind of OG. They’ve been in on YouTube over 10 years and they were just talking about like actually how common it is for creators to still be using the same password. Maybe they’ve always been, they’ve never changed it, like they’ve used it across websites and they just are unaware of this information. So this information is so powerful. Is there any other final tips or advice that you would recommend before we hear about how our community can connect with you and some of the stuff you’re doing?
Speaker 1 :
Yeah, for sure. So if you use a password manager, it makes it really easy to know what accounts you currently own, and every single year companies are making upgrades to their security and privacy to better protect their customers. So I highly recommend, and this is something that I do as well, doing kind of an annual audit of going through your online accounts, seeing if there’s any new like two-factor authentication you can turn on, or if they’ve had a breach you should change your password. You can even see if there is websites that still have like old home addresses listed on them and you could change those. If there’s websites that you no longer use, you could delete them. And if you can’t delete them, you can usually just put fake information into your account on their website. So if somebody did hack into those, then they would just have fake information. There’s a way that you can go through like an annual audit and just make sure that things are good. You know, just do it on a weekend, spend a weekend doing spring cleaning of your online accounts, and then you’re good to go for another year. It doesn’t have to be a complicated effort. And I feel like security and privacy can be really convenient if you use these tools and automate a lot of the processes, because a lot of it just comes down to putting in the effort at the very beginning, and then you’re safe and you’re good to go.
Speaker 2 :
One final question before your stuff: do you recommend, if you’re a business, small business owner, and of course for anybody, people hire cybersecurity firms or consultants? Is that something you do, something you recommend? And at what level would that be necessary?
Speaker 1 :
Heck no. I do not have time to do that myself. I’m running my own YouTube channel. I have enough to do. If you do have a big business, definitely you could. You could absolutely consider that. There’s some really wonderful cybersecurity companies out there. Some of them are run by my friends. So that’s definitely something you could look into. There’s a lot of references online for cybersecurity companies that will do like annual audits, or they will come in and make sure that your accounts and your online information is safe. And they’ll write you up a report so you can see how to protect yourself, but big caveat is a lot of those are very expensive because they’re using really expensive tools and they’re using their own time and their own teams in order to give you this information so that you can better protect yourself. So you’re looking at thousands and thousands of dollars in order to have these audits done. And if you’re running a big company, then yeah, it can definitely be worth it. But if you’re a smaller content creator, then you can use a lot of the consumer-facing implementations of security and privacy to do similar things.
Speaker 2 :
Shannon, one of the greatest episodes of all time and so much value, you are putting out great content on your channel, and for another part, it would be awesome to have you back someday to talk about, you’re almost a hundred thousand subscribers. You have a second channel that is that, or you’re across a hundred thousand and you’re featured on another account as well as a personality on there. You’re doing a lot of cool things, Hak5, and so of course we’ll link to all of your stuff, but what do you want to shout out today?
Speaker 1 :
Hak5’s almost to a million. I’m very excited about that too. Probably my Twitter. That’s where I’m most active. It’s @Snubs, S-N-U-B-S, one B not two. And then my YouTube channel’s youtube dot com slash Shannon Morse, spelled just like my name. That’s where I post a lot of my tutorials, and I’m also really active in the comments in the community to help people with their own security and privacy.
Speaker 1 :
Amazing. And so, Think Media Podcast, check out Shannon’s stuff. Go binge some of her videos. We’ll link to the channel, of course. And she will keep you in the know, keep you safe so you can ultimately build your creator business and keep your privacy locked down. And so thank you so much, Shannon, for coming on the show.