YouTube account hacked
Moderator: Ras
-
Krzysztof Grzelak
- Posts: 1586
- Joined: Tue Jul 15, 2014 12:47 pm
Re: YouTube account hacked
AdminX wrote: ↑Sat Nov 26, 2022 5:45 pm
> You do realize that both (U2F or FIDO) are considered 2FA, right, and that some forms of 2FA are better than others.
> If so, then you should know that Yubikey has multiprotocol support: YubiKey USB authenticator includes NFC and has multiprotocol support including FIDO2, FIDO U2F, Yubico OTP, OATH-TOTP, OATH-HOTP, Smart Card (PIV), OpenPGP, and Challenge-Response ability to give you strong hardware-based authentication.
It all depends on what key you use. There is nothing better than U2F or FIDO. No 2FA will be better than U2F or FIDO.
-
AdminX
- Posts: 6363
- Joined: Mon Mar 13, 2006 2:34 pm
- Location: Acworth, GA
Re: YouTube account hacked
Krzysztof Grzelak wrote: ↑Sat Nov 26, 2022 5:38 pm
> Today, no one serious uses 2FA. Because it can be easily hacked. Today U2F or FIDO is used.
If you truly understood what 2FA was you would never have stated the above and then go on to say 'Today U2F or FIDO is used', which are protocol standards used in 2FA. Do me a favor and stop trolling.
Thank You.
"Good decisions come from experience, and experience comes from bad decisions."
__________________________________________________________________
Ted Summers
-
Krzysztof Grzelak
- Posts: 1586
- Joined: Tue Jul 15, 2014 12:47 pm
Re: YouTube account hacked
I have to write it off the stupidity you write. Today, only U2F or FIDO is seriously used. And nothing more. 2FA will never be better than U2F or FIDO.
-
Richard Allbert
- Posts: 795
- Joined: Wed Jul 19, 2006 9:58 am
Re: YouTube account hacked
AdminX wrote: ↑Sat Nov 26, 2022 5:04 pm
> Richard Allbert wrote: ↑Mon Nov 21, 2022 4:50 pm
> > Hi all
> > My YouTube / Gmail was hacked, so I no longer have access to the Bluefever Software channel.
> > Just so you all know.
> > Yes, I'm annoyed.
> > Richard
> If you are not already doing this, think about buying something like a Yubikey and use it for 2FA (Two Factor Authentication) with your Google accounts. Many sites support these devices these days.
So, thanks for the help, but 2FA, FIDO or whatever would have been useless in this case. I use them.
My account was taken without anyone logging in.
There is a huge hole in auth in general - when you log in, you get a session key from the server which is then used as the auth for each request (I guess you know this).
If someone gets this key, whilst you are logged in, and uses it before you log out, they are logged in.
That's what happened to me.
They didn't do a password reset or anything like that.
I didn't even get an "unusual login at location x" email. Instead, on my backup email, I received several emails in quick succession. First was "account email changed", followed by "security changed", "keys" added and finally "backup email changed".
All without ever needing to log into the account using MFA. When I went to account recovery, it asked me for the new sec. keys / backup keys the hacker set, and nothing about my original MFA. It was as if I had vanished.
Luckily YouTube seemed to know about this, and after I wrote to them the account was back within two hours.
The difficulty was knowing how to contact them!!
Edit to reiterate, as people have a hard time understanding: Not ONCE did I receive an MFA request, an email saying new login, or any sign someone else had tried to log in. They were just "in".
Thank you nevertheless.
Richard
-
AdminX
- Posts: 6363
- Joined: Mon Mar 13, 2006 2:34 pm
- Location: Acworth, GA
Re: YouTube account hacked
Yeah, they need to fix that. Protonmail has an option under settings that lets you revoke all session keys, which comes in handy if you log in to your account from multiple systems. Glad you are back up and running.
"Good decisions come from experience, and experience comes from bad decisions."
__________________________________________________________________
Ted Summers
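Added example, not part of any post above and not Google's or Proton's code: a sketch of two server-side controls that bear on the session-key takeover Richard describes and the session revocation AdminX mentions, namely requiring a fresh MFA check before account-security changes and a "log out everywhere" function. The class, the action names and the 300-second window are assumptions made for illustration.

```python
import secrets
import time

STEP_UP_WINDOW = 300  # assumed policy: seconds a fresh MFA check stays valid
SENSITIVE = {"change_email", "add_security_key", "change_backup_email"}

class SessionStore:
    """Hypothetical in-memory session store; every name here is illustrative."""
    def __init__(self, clock=time.time):
        self.clock = clock
        self.sessions = {}  # bearer token -> {"user": str, "mfa_at": float}

    def login(self, user):
        """Issue a bearer token; call only after password + MFA succeeded."""
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"user": user, "mfa_at": self.clock()}
        return token

    def step_up(self, token, mfa_ok):
        """Record a fresh MFA check (e.g. a security-key touch) on a session."""
        session = self.sessions.get(token)
        if session is None or not mfa_ok:
            return False
        session["mfa_at"] = self.clock()
        return True

    def authorize(self, token, action):
        """Decide whether whoever presents `token` may perform `action`."""
        session = self.sessions.get(token)
        if session is None:
            return "denied: no such session"
        if action in SENSITIVE and self.clock() - session["mfa_at"] > STEP_UP_WINDOW:
            return "denied: step-up MFA required"
        return "allowed"

    def revoke_all(self, user):
        """'Log out everywhere': delete all of a user's sessions, return count."""
        before = len(self.sessions)
        self.sessions = {t: s for t, s in self.sessions.items() if s["user"] != user}
        return before - len(self.sessions)

def demo():
    now = [0.0]  # constructed clock so the scenario is deterministic
    store = SessionStore(clock=lambda: now[0])
    token = store.login("richard")  # constructed user name
    now[0] += 3600  # the same token is presented an hour after the real login
    seen = [store.authorize(token, a) for a in ("read_mail", "change_email")]
    store.revoke_all("richard")
    return seen + [store.authorize(token, "read_mail")]
```

A token presented inside the step-up window still passes the sensitive check, so the window length is a trade-off between friction and exposure.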
-
Richard Allbert
- Posts: 795
- Joined: Wed Jul 19, 2006 9:58 am
Re: YouTube account hacked
Obviously I was an idiot for it to happen in the first place... so there is that!
I took a look at Protonmail - have you been using it for a long time? What do you think?
-
Krzysztof Grzelak
- Posts: 1586
- Joined: Tue Jul 15, 2014 12:47 pm
Re: YouTube account hacked
Richard Allbert wrote: ↑Sun Nov 27, 2022 6:27 pm
> Obviously I was an idiot for it to happen in the first place... so there is that!
> I took a look at Protonmail - have you been using it for a long time? What do you think?
I think you should give up on Protonmail due to poor security. They don't have U2F or FIDO. I recommend https://tutanota.com/
-
AdminX
- Posts: 6363
- Joined: Mon Mar 13, 2006 2:34 pm
- Location: Acworth, GA
Re: YouTube account hacked
Richard Allbert wrote: ↑Sun Nov 27, 2022 6:27 pm
> Obviously I was an idiot for it to happen in the first place... so there is that!
> I took a look at Protonmail - have you been using it for a long time? What do you think?
I've been using it for about three years now. It was not until this year that I went with their Proton Unlimited service for 24 months. Prior to that I was using their free email service only.
https://proton.me/pricing?ref=pvpncom
"Good decisions come from experience, and experience comes from bad decisions."
__________________________________________________________________
Ted Summers
-
AdminX
- Posts: 6363
- Joined: Mon Mar 13, 2006 2:34 pm
- Location: Acworth, GA
Re: YouTube account hacked
Krzysztof Grzelak wrote: ↑Sun Nov 27, 2022 6:33 pm
> Richard Allbert wrote: ↑Sun Nov 27, 2022 6:27 pm
> > Obviously I was an idiot for it to happen in the first place... so there is that!
> > I took a look at Protonmail - have you been using it for a long time? What do you think?
> I think you should give up on Protonmail due to poor security. They don't have U2F or FIDO. I recommend https://tutanota.com/
Once again the Fool does not know what he is talking about.
https://proton.me/support/2fa-security-key
Tutanota is a good alternative, it may come down to what you prefer.
"Good decisions come from experience, and experience comes from bad decisions."
__________________________________________________________________
Ted Summers
-
Krzysztof Grzelak
- Posts: 1586
- Joined: Tue Jul 15, 2014 12:47 pm
Re: YouTube account hacked
AdminX wrote: ↑Sun Nov 27, 2022 6:39 pm
> Once again the Fool does not know what he is talking about.
> https://proton.me/support/2fa-security-key
> Tutanota is a good alternative, it may come down to what you prefer.
Be careful with your opinions because they are wrong. 2FA should not be used because it can be easily hacked. Remember what I wrote. A bit of information on how to hack 2FA and MFA