Saw a video of a YouTuber who got his account taken over (I'll post a link to it in a bit) which had 2FA enabled (not sure which method). He says he didn't get phished, didn't download anything, and his session cookies weren't stolen, and I believe him. The only clue is that he received an SMS OTP from Google, but it was invalid when he inputted it, which leads me to believe he relied on SMS for 2FA in the first place. My theory is he reused passwords and his number was taken over, but I'm not sure if that's the case, since he did receive the Google OTP, so that rules out the common phone-rep social engineering methods of porting out and forwarding. What else could it be? My paranoia is kinda acting up.

TL;DR: A YouTuber's account was hacked despite having 2FA. While unsure of the exact method, potential factors include relying on SMS OTP and the possibility of password reuse.

  • rufus@discuss.tchncs.de · 10 months ago

    Difficult to tell what happened without knowing the full context.

    It has happened that scammers call support, say they're XYZ and lost their 2FA device. 2FA gets disabled and they can take over the account in some old-fashioned way.

    Give us a link (with timestamp if it’s long), maybe someone can find out more.

    • Extras@lemmy.today (OP) · 10 months ago

      Damn, I assumed Google customer reps couldn't do that without verifying. How do you even protect against that? Besides not using one account for everything.

      Edit: I assumed a port-out scam too, but what confuses me about it is that his carrier line was still actively receiving SMS, and my understanding is that after a port-out, the old SIM becomes invalid/stops working.

      • rufus@discuss.tchncs.de · 10 months ago

        Sure, customer reps shouldn't help with account recovery unless they get proper verification. I'm sure many companies have learned from past mistakes. I think that's the only way to solve it. I'm not sure, though, if this is what has happened here… These crypto people seem to have hacked many accounts last year.

        Maybe related: video from the Linus Tech Tips incident last March: https://piped.video/watch?v=yGXaAWbzl5A

        Adam Koralik talks a bit fast and some details aren't clear to me. For example, whether he got the recovery mails and SMS from his own actions or whether this was the scammer. Also, I'm not sure how 2FA works with YouTube. I certainly hope changing the account password makes it ask for the second factor, or it's next to useless. If this is the case, he must have gotten phished, or there is another unknown security issue in the process. Or his password didn't get changed in the first place.
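As an added illustration of the point raised in the comment above (this is example code written for this page, not Google's or YouTube's account logic, and the thread does not establish how Google's real flow behaves): a toy account model where a password change either requires only the current password or is gated on a fresh second factor. The TOTP secret, password and timestamps are constructed; the second factor is assumed to be RFC 6238 TOTP rather than SMS so the whole thing runs offline.

```python
import hashlib
import hmac
import secrets
import struct
from typing import Optional

# Constructed example: a "step-up" gate on a sensitive action (password change).
# Nothing here is Google's or YouTube's code; the secret and password are made up.


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the assumed second factor in this example."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Account:
    """Toy account. step_up=True means a password change also demands a
    currently valid second-factor code; step_up=False means the password alone suffices."""

    def __init__(self, password: str, totp_secret: bytes, step_up: bool):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = self._hash(password)
        self.totp_secret = totp_secret
        self.step_up = step_up
        self.last_used_counter = -1  # remember the last accepted TOTP window to reject replays

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(self._hash(password), self.pw_hash)

    def check_totp(self, code: str, now: int) -> bool:
        counter = now // 30
        if counter <= self.last_used_counter:
            return False  # a code from this window was already consumed
        if not hmac.compare_digest(code, totp(self.totp_secret, now)):
            return False
        self.last_used_counter = counter
        return True

    def change_password(self, current: str, new: str, code: Optional[str], now: int) -> bool:
        """Return True if the change was accepted."""
        if not self.check_password(current):
            return False
        if self.step_up and (code is None or not self.check_totp(code, now)):
            return False
        self.pw_hash = self._hash(new)
        return True


SECRET = b"constructed-example-secret"  # constructed, not a real enrolment secret
NOW = 1_700_000_000                     # constructed timestamp


def attacker_can_change_password(step_up: bool) -> bool:
    """Attacker knows the reused password but never sees the second factor."""
    acct = Account("reused-password", SECRET, step_up=step_up)
    return acct.change_password("reused-password", "attacker-pw", None, NOW)


def owner_can_change_password(step_up: bool) -> bool:
    """Legitimate owner supplies both the password and a fresh code."""
    acct = Account("reused-password", SECRET, step_up=step_up)
    return acct.change_password("reused-password", "new-pw", totp(SECRET, NOW), NOW)


def replay_rejected() -> bool:
    """A code that already authorised one change must not authorise a second one."""
    acct = Account("reused-password", SECRET, step_up=True)
    code = totp(SECRET, NOW)
    first = acct.change_password("reused-password", "new-pw-1", code, NOW)
    second = acct.change_password("new-pw-1", "new-pw-2", code, NOW + 5)  # same 30 s window
    return first and not second


if __name__ == "__main__":
    print("no step-up, attacker with reused password:", attacker_can_change_password(False))
    print("step-up,    attacker with reused password:", attacker_can_change_password(True))
    print("step-up,    owner with password + code:   ", owner_can_change_password(True))
    print("step-up,    replayed code rejected:       ", replay_rejected())
```

With `step_up=False` the reused password alone is enough to lock the owner out, which is the "next to useless" case the comment worries about; with `step_up=True` the same attacker fails, and the consumed-window check stops a code observed once (for example over SMS) from being replayed for a second change.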

    • intensely_human@lemm.ee · 10 months ago

      With SMS, I don't think it's MITM. If you can reprogram a SIM chip (or build a new one), the phone network just sends you a person's messages.

      I think. Haven’t done it myself.

      • damium@programming.dev · 10 months ago

        There is also passive SMS reading using LEO intercept. Hacked police email accounts are used to gain access to carrier systems, where they use "imminent threat" no-warrant lookups to pull the SMS in real time.

        SMS is a terrible form of 2FA: better than none, but not by much.