by seanbarry 1191 days ago
Looks like the hackers have caused some pretty significant damage. I'm curious to find out what the attack vector was.

There are a few possibilities I could think of:

- LastPass breach related.

- Classic phishing / session hijacking: apparently Google doesn't _always_ re-prompt for password when you change password / security device, if you have a valid session cookie.

- Poor opsec from Linus (and by association probably also the rest of their upper management team).

Luke, Linus's business partner, was recently "promoted" to CTO and has been working on their many known infra / security deficiencies. Alas, he's a bit too late it seems...

During one WAN show they did mention moving away from LastPass and Linus himself has accidentally revealed private information on streams by being logged in to the wrong account multiple times now.

However, for all we know there's a 0day in some part of the YouTube system. Maybe some (sponsored) device got hooked up to the internal network and laid dormant for a while.

I think one of the staff logged into the primary YouTube account got phished but there are so many ways this could've happened. Luckily for them, their channel is large enough that I think they'll make a full recovery once they've found out how this could have happened.

Or it could be the same SIM swap story all over again.

> LastPass breach related.

The unencrypted URLs are such a screw up that no one should ever trust them again. Their security related products would all fail if people understood what a disaster that is.

I was super frustrated by it because I had an old (mostly unused) LastPass vault with a shared folder and a handful of MS365 tenants along with some registrar accounts. That probably puts my vault, and the vault of anyone with access to the share, ahead of many other vaults in terms of being targeted as high value.

Luckily it was only me and 1 other person with access to that shared folder, so it was pretty easy to assess the risk. Both of us had good passwords and hadn't ever used anything weak.

Now imagine this in a larger organization. What if a dozen people have access to the LTT channel? All it takes is for one of them to have used a weak password on their vault, and now the identifying info that came along with the vaults becomes a huge issue because it allows them to be targeted as a high-profile organization, and suddenly there's a huge increase in the odds of a weak password causing a compromise.

> Poor opsec from Linus (and by association probably also the rest of their upper management team).

Ultimately they're content creators. Being tech enthusiasts means they're probably doing better than a lot of other creators, so maybe some of the blame should start shifting towards the big tech companies rather than the victims.

My hot take is that by competing to control identity the big tech companies are making the entire security ecosystem significantly more confusing for the average person and I think big tech should be taking the blame for a lot more than they do. How are we supposed to keep up with dozens of complex security schemes from different companies?

Per-user pricing also discourages good security practices because profiles are always treated as users. You see it in everything. I use multiple profiles on Windows to silo work for different people. I have to go against the grain to manage everything and now I'm supposed to buy 4 Office licenses because the licenses have been changed from per device to per user (profile). 99.99% of people will give up and use one big account.

It's the same for password managers too. I switched to Vaultwarden because I can create multiple user accounts and do a better job of keeping different roles separated.

For example, I have some high value passwords that are only ever used from a dedicated machine. In Vaultwarden I use a separate user that only gets set up on that machine. In any other password manager that's an extra user account and, by the time everything shakes out, I'd need half a dozen accounts just to silo my data responsibly. Not a single normal person is going to pay for that. They'll use one big account for everything.

So IMO big tech takes a lot of the blame for our lack of security because they're building for profitability first and security second.

> Being tech enthusiasts means they're probably doing better than a lot of other creators

From what I've seen, LMG is a large corporation still being run like a startup. Considering how often they churn out videos about their file servers dying because they fail to do things like scrub their ZFS pools, I'm not sure how much actual tech knowledge beyond PC hardware specs they have. It's very much a layperson-oriented channel, not enthusiast-oriented.

This is exactly the kind of thing I expect from LMG. If this were to happen to, say, Level1Techs, I'd be shocked.