YouTube account hacked


Moderator: Ras

AdminX
Posts: 6363
Joined: Mon Mar 13, 2006 2:34 pm
Location: Acworth, GA

Re: YouTube account hacked

Post by AdminX »

Krzysztof Grzelak wrote: Sun Nov 27, 2022 6:52 pm
AdminX wrote: Sun Nov 27, 2022 6:39 pm
Once again the Fool does not know what he is talking about.

https://proton.me/support/2fa-security-key

Tutanota is a good alternative, it may come down to what you prefer. :wink:
Be careful with your opinions because they are wrong. 2FA should not be used because it can be easily hacked. Remember what I wrote. A bit of information on how to hack 2FA and MFA
Great video, if only you understood it. :lol:
"Good decisions come from experience, and experience comes from bad decisions."
__________________________________________________________________
Ted Summers
Krzysztof Grzelak
Posts: 1586
Joined: Tue Jul 15, 2014 12:47 pm

Re: YouTube account hacked

Post by Krzysztof Grzelak »

AdminX wrote: Sun Nov 27, 2022 7:24 pm Great video, if only you understood it. :lol:
Excuse me for asking what I should understand.
AdminX
Posts: 6363
Joined: Mon Mar 13, 2006 2:34 pm
Location: Acworth, GA

Re: YouTube account hacked

Post by AdminX »

Krzysztof Grzelak wrote: Sun Nov 27, 2022 7:27 pm
AdminX wrote: Sun Nov 27, 2022 7:24 pm Great video, if only you understood it. :lol:
Excuse me for asking what I should understand.
Oh, let's see ...

That U2F and FIDO are both 2FA protocols. Your comment implies that they are 2 different things. They are both methods of 2nd Factor Authentication.
Today, no one serious uses 2FA. Because it can be easily hacked. Today U2F or FIDO is used.
Seeing as Google, Microsoft, Amazon and others now support 2FA, your comment about no one serious uses 2FA is laughable.

Not to mention your comment about Protonmail was a bold-faced lie, which proves you don't know what you are talking about.
I think you should give up on Protonmail due to poor security. They don't have U2F or FIDO
The video was a great video, as it shows that anything can be hacked because nothing is truly secure. Your job is to stay vigilant, and make it harder for others to gain unauthorized access to your accounts.
"Good decisions come from experience, and experience comes from bad decisions."
__________________________________________________________________
Ted Summers
Krzysztof Grzelak
Posts: 1586
Joined: Tue Jul 15, 2014 12:47 pm

Re: YouTube account hacked

Post by Krzysztof Grzelak »

Unfortunately, we still don't understand each other. I'll stay with my opinion. I'll just write that companies like Microsoft, Google, Amazon, Protonmail should never use 2FA.
towforce
Posts: 12695
Joined: Thu Mar 09, 2006 12:57 am
Location: Birmingham UK
Full name: Graham Laight

Re: YouTube account hacked

Post by towforce »

Richard Allbert wrote: Sun Nov 27, 2022 5:19 pm So, thanks for the help, but 2FA, FIDO or whatever would have been useless in this case. I use them.

My account was taken without anyone logging in.

There is a huge hole in auth in general - when you log in, you get a session key from the server which is then used as the auth for each request (I guess you know this :)).

If someone gets this key, whilst you are logged in, and uses it before you log out, they are logged in.

That's what happened to me.

They didn't do a password reset or anything like that.

I didn't even get an "unusual login at location x" email. Instead, on my backup email, I received several emails in quick succession. First was "account email changed", followed by "security changed", "keys" added and finally "backup email changed".

All without ever needing to log into the account using MFA. When I went to account recovery, it asked me for the new sec. keys / backup keys the hacker set, and nothing about my original MFA. It was as if I had vanished.

Luckily YouTube seemed to know about this, and after I wrote to them the account was back within two hours.

The difficulty was knowing how to contact them!!

Edit to reiterate, as people have a hard time understanding: Not ONCE did I receive an MFA request, an email saying new login, or any sign someone else had tried to log in. They were just "in".

Thank you nevertheless.

Richard

Well this is an eye opener! :shock:

Were you using a public Wi-Fi connection (e.g. in a café) at the time? When using public Wi-Fi, you can get more security by using a secure VPN - but it's all more software you have to load and run on your device (and slower internet due to the redirection).
Human chess is partly about tactics and strategy, but mostly about memory
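
Added example (not part of any post in this thread): the takeover quoted above shows up in an audit trail as a burst of sensitive account changes on a session that has not recently proved a factor. The sketch below flags that pattern; the event names, thresholds and the sample log are assumptions constructed for illustration, not any provider's real log format.

```python
from datetime import datetime, timedelta

# Assumed event names and thresholds; not from any real provider's audit log.
AUTH = {"login_mfa_ok", "reauth_ok"}
SENSITIVE = {"email_changed", "security_changed", "keys_added", "backup_email_changed"}
REAUTH_WINDOW = timedelta(minutes=10)  # a sensitive change should follow fresh auth
BURST_WINDOW = timedelta(minutes=5)    # "several emails in quick succession"
BURST_MIN = 3

# Constructed sample audit log: (ISO timestamp, session id, event).
EVENTS = [
    ("2024-01-01T08:00:00", "s-stolen", "login_mfa_ok"),
    ("2024-01-01T09:00:00", "s-owner", "login_mfa_ok"),
    ("2024-01-01T09:02:00", "s-owner", "email_changed"),
    ("2024-01-01T09:03:00", "s-owner", "keys_added"),
    ("2024-01-01T09:04:00", "s-owner", "backup_email_changed"),
    ("2024-01-01T12:00:00", "s-slow", "email_changed"),
    ("2024-01-01T14:00:00", "s-stolen", "email_changed"),
    ("2024-01-01T14:01:00", "s-stolen", "security_changed"),
    ("2024-01-01T14:01:30", "s-stolen", "keys_added"),
    ("2024-01-01T14:02:00", "s-stolen", "backup_email_changed"),
]

def find_suspect_sessions(events):
    """Return session ids with a burst of sensitive changes and no fresh auth."""
    last_auth, stale = {}, {}
    for raw_ts, sid, event in sorted(events):
        ts = datetime.fromisoformat(raw_ts)
        if event in AUTH:
            last_auth[sid] = ts
        elif event in SENSITIVE:
            auth = last_auth.get(sid)
            # A change counts as "stale" when the session never authenticated
            # or last proved a factor longer ago than REAUTH_WINDOW.
            if auth is None or ts - auth > REAUTH_WINDOW:
                stale.setdefault(sid, []).append(ts)
    suspects = []
    for sid, stamps in stale.items():
        # Sliding window: BURST_MIN stale changes inside BURST_WINDOW.
        for i in range(len(stamps) - BURST_MIN + 1):
            if stamps[i + BURST_MIN - 1] - stamps[i] <= BURST_WINDOW:
                suspects.append(sid)
                break
    return sorted(suspects)

if __name__ == "__main__":
    print(find_suspect_sessions(EVENTS))
```

The same condition, checked at request time instead of after the fact, is a step-up rule: refuse the sensitive change until the session re-authenticates.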