If you use YouTube, whether to watch videos or upload content, please be careful when interacting with some comments and channels. Here's why.
At the moment there is allegedly a security breach on YouTube that allows users to hack into your account if you interact with their comments. How likely is that? To be honest, very unlikely, but there are other ways and means, so what could it be? It's most likely OAuth token abuse. You know when you visit a website and it says create an account or log in via YouTube, Facebook, Twitter, etc.? These need an OAuth token, and to issue one the login asks you to grant certain permissions, e.g. channel control, read messages, view email address. Now, some of these, like view email address, can be used to look up old data breaches to find matching passwords and/or attempt a brute-force attack. As for channel control, this could literally be anything: commenting, deleting videos or even posting updates. You see where I'm going with this.
So who is it that's posting these comments? The alleged account names are listed as Logan, Sounds or Vakzy. Many other accounts have been compromised by this user called “Logan” to further spread automated comments on videos, and this is where the whole story has come from.
They are bot accounts which have been commenting on people's videos with comments like “Wanna Be Friends” and “Here before x amount of subscribers. Keep entertaining your fans! Also, let's build each other up”. All this was brought to light by a YouTuber called Evanz111, who made a video going deep into it, which has now been picked up by the likes of SomeOrdinaryGamers (really, go watch this video; this guy is awesome, digs even deeper into it and gives more security tips on looking after your social accounts), Optimus and Upper Echelon Gamers.
After Evanz111 uploaded his video about the incident, his YouTube channel allegedly got hacked, and he posted on Twitter saying that someone had bypassed his 18-digit password and also his 2FA by spoofing his mobile phone number. For me, I'm asking the question: how did he know 100% that it was this “Logan” account? If it was this Logan account, then why wasn't the video exposing him deleted? Honestly, there's so much behind this that it's something where the truth will come out rather soon.
As a fellow YouTube content creator and user, all I can do is urge you NOT to interact with any comments that seem bot-like, whether that's comments saying “hi” or “Great Content”. You know your audience and you know how real people comment. Never click on any links that ask you to collaborate or anything similar if you've not communicated beforehand. Some things seem basic and obvious to say, but sometimes you take some comments as people being nice when unfortunately they are the total opposite. Of course, it seems highly unlikely that interacting with a comment could cause something like this, and that's why I am siding with SomeOrdinaryGamers' theory that it is some mishandling of OAuth tokens that has allowed full control over someone's YouTube account, and/or a brute-force attack using someone's email and possible passwords found in previously breached data.
To save me typing out an extra 3,000-word essay on this, go check out all the videos I've watched to get to know about it all below. Share this with your friends and family so they can be aware! Especially if your child comes to you talking about a video they have seen about the comments and the possible hacking.
To me these accounts are simply spam. Just ignore them, delete their comments if they post on your videos and just continue creating awesome content.
If you have any worries, change your password, set your 2FA to a device/app-based method and just stay vigilant about what you interact with, what you log into and what access it wants you to grant.
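One way to see what access a "log in with Google/YouTube" link is asking for before you click through, as an added example that is not from the videos or accounts discussed here: it reads the scopes out of the consent URL and flags the ones that hand over channel control or your email address. The scope strings are real Google OAuth scopes; the risk tiers, the function name and the sample URL are assumptions made for this illustration.

```python
from urllib.parse import urlsplit, parse_qs

# The scope strings are real Google OAuth scopes; the risk tiers and notes
# are this example's own judgement, not an official classification.
API = "https://www.googleapis.com/auth/"
SCOPE_RISK = {
    API + "youtube": ("high", "manage the whole YouTube account"),
    API + "youtube.force-ssl": ("high", "edit or delete videos and comments"),
    API + "youtube.upload": ("high", "upload videos to the channel"),
    API + "youtube.readonly": ("medium", "view the YouTube account"),
    API + "userinfo.email": ("medium", "see the account email address"),
    "email": ("medium", "see the account email address"),
    "profile": ("low", "see basic profile info"),
    "openid": ("low", "sign-in identity only"),
}
ORDER = {"low": 0, "medium": 1, "unknown": 2, "high": 3}

def review_consent_url(url):
    """Summarise what a Google sign-in link would grant, without opening it."""
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    # Scopes are space separated; parse_qs has already decoded %20 and '+'.
    scopes = sorted(set(" ".join(params.get("scope", [])).split()))
    unknown = ("unknown", "not in the table, review by hand")
    findings = [(s, *SCOPE_RISK.get(s, unknown)) for s in scopes]
    return {
        # Exact host match: accounts.google.com.lookalike.example fails.
        "genuine_google_host": parts.scheme == "https"
        and parts.hostname == "accounts.google.com",
        # access_type=offline asks for a refresh token (access outlives the session).
        "offline_access": params.get("access_type", [""])[0] == "offline",
        "findings": findings,
        "worst": max((f[1] for f in findings), key=ORDER.get, default="low"),
    }

# Constructed sample: a made-up "collab tool" asking for full channel control.
SAMPLE_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=EXAMPLE-CLIENT-ID.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fcollab-tool.example%2Fcallback"
    "&response_type=code&access_type=offline"
    "&scope=openid%20email%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fyoutube"
)

if __name__ == "__main__":
    report = review_consent_url(SAMPLE_URL)
    print("genuine host:", report["genuine_google_host"], "| worst:", report["worst"])
    for scope, risk, note in report["findings"]:
        print(f"  [{risk}] {scope}: {note}")
```

Access you have already granted is listed on the third-party access page of your Google Account settings, where each app can be removed.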
I will keep this post up to date as things get cleared up and official reports come out about it. As always, it's better to be safe than sorry.