YouTube has just suffered a major security breach at the hands of OurMine (again). Here’s everything you need to know about protecting your account — now, and in the future.
Updated: April 14 1:30 pm PT.
In case you thought your YouTube account was safe and protected, OurMine has a newsflash for you. It isn’t.
Late yesterday (Thursday, April 13th), the ‘security group’ hacked into several YouTube accounts while altering titles and descriptions. The group hailed the breach as the ‘biggest YouTube hack in history,’ with thousands of videos affected. That follows an earlier attack on April 1st, all of which is exposing ongoing security holes at YouTube.
On the latest attack, it looks like YouTube network Studio 71 was a specific target of the breach. It also appears that they are the only target this time around. In total, Studio 71 represents thousands of channels, though not all of them were affected. Affected channels included RomanAtwoodVlogs, JustKiddingNews and Wranglerstar, among others.
Here’s what we’ve learned about this hack, and our recommendations for protecting yourself.
This was not a ‘malicious’ hack.
You could argue that all hacks are inherently malicious. They are certainly not in the best interests of those being affected. At best, they are annoying or funny. But OurMine is actually not trying to remove content or permanently alter it. Instead, they are making a ‘statement’ about broader internet security, while drumming up business.
Importantly, OurMine is also reverting hacked changes back to their original state.
Actually, OurMine says they routinely hack high-profile networks to help you. “We have no bad intentions and only care about the security and privacy of your accounts and network,” the group said. Affected accounts definitely don’t agree with this, especially since their altered titles meant they couldn’t be found in search results.
So maybe this depends on your perspective. But it also sucks if you are trying to edit, update, or publish new stuff to an affected channel. Because then you’re losing actual content, even if it’s just comments.
That said, this is all turning out to be short-term damage. So maybe the best advice is to take a break, and stop freaking out if you’ve been affected.
The basics: update passwords, check admin access privileges.
This is probably a good time to refresh some security basics. Update your password to something difficult. Please, please… no ‘12345678,’ ‘admin,’ or ‘passw0rd’ passwords. That’s just amateur. You are begging to be hacked.
Also, make sure to limit admin access only to people who need it. That includes anyone who needs to upload, remove, edit, or handle important tasks. Older collaborators should be nixed — not because they’ll hack you, but because their accounts open another potential node for hackers to exploit.
Revert to a backup point.
YouTube has already contained the problem, plugged the leak, and has backups for affected accounts. Essentially, YouTube can revert an affected account back to an earlier backup point, though you might lose some comments or recent updates. Actually, it looks like OurMine has already beat them to it.
If you’ve been affected, contact YouTube regarding reverting to a save point.
That said, anything added after the hack might be hard to preserve (especially since the hacked alternations need to be removed). So even though this hack is claimed as benign, it could create a lot of problems for channel owners.
Warning: this isn’t the first attack. And it won’t be last attack.
Even if you’re account was compromised by OurMine, it’s probably reverted back already. But know this: basically anything on the internet can be hacked into. That goes for your social accounts, as well as more private accounts like email and bank accounts.
If you’re lucky, a hack like this one is the worst you’re experience. But if the internet is a big part of your creative life, you’re almost guaranteed to suffer a breach.
Make sure to have backups. But that’s just the beginning.
Most musicians post all sorts of videos on their channels, including produced music videos and live performances. Make sure that YouTube isn’t the only place this stuff exists! Having a ‘base’ for all your material is necessary. You can use a cheap cloud-hosted storage solution like Dropbox or Google Drive to store all of your assets. Easy.
More importantly, assets you create shouldn’t be made for YouTube exclusively. Instead, you should be publishing across a range of different social networks, now and in the future. Talk to fast-rising video monetization companies like Vydia, and they’re canvassing a broad range of platforms — YouTube, Facebook, Instagram, Twitch, whatever. And they’re tracking everything (and you should, too).
But having a central repository of your assets (audio, video, whatever) is critical for protecting that content as well. Because when the next hack arrives — and it will — you’ll have your core library to fall back on.
If you are a high-profile, large account, take extra precautions.
If you’re big, you’re a target, both for benign (white hat) and malicious (black hat) hackers. That means checking with your MCN (if you have one), YouTube itself, plus outside security consultants to make sure your account is safe. Routine security checks will oftentimes unearth vulnerabilities and issues, and help to prevent major attacks and downtime.