Several YouTubers are in the process of restoring their accounts after becoming compromised by hacker group OurMine. On Oct. 30, the hacker group altered the titles and descriptions of videos on multiple YouTube accounts through the tech platform and third-party YouTube service VidIQ, according to Tubefilter.
By VidIQ’s latest tally, OurMine accessed at least 12 accounts through the service. YouTubers KittiesMama, Peter Hollens, Fangs, ToyTrains4u, and Gizzy Gazza confirmed with the Daily Dot that their accounts were compromised through VidIQ. During the hack, OurMine changed YouTube video titles to, “Hacked By OurMine – ourmine.org ( read the description ).”
Cached Google search results reveal that OurMine changed the videos’ descriptions to, “Hey, we are a security group, don’t worry we are just testing your security, please change all your passwords and also please contact us for security tips.” OurMine also included an email address.
Ourmine is back. pic.twitter.com/IhDc1lo9dH
— KEEM 🍿 (@KEEMSTAR) October 30, 2016
A Google search using OurMine’s swapped title showed that YouTubers Lance210, iJustine, tmartn, and Bajan Canadian were also compromised during the hack, though the account holders did not return requests for comment.
YouTuber Steven Suptic was also hacked by OurMine during the same series of hacks, but told the Daily Dot that he doesn’t believe he was targeted through VidIQ.
VidIQ’s service allows YouTubers to manage and optimize their videos, and they can change video titles and descriptions through the platform. According to VidIQ’s Twitter statement, the company determined that OurMine accessed passwords to VidIQ accounts through “third-party database dumps,” and did not breach the company’s servers.
As a follow up to yesterday. We'll be standing by for any questions! pic.twitter.com/BRh9QET6cr
— vidIQ 📈🚀🎉 (@vidIQ) November 2, 2016
Jennifer, the mother of the children behind YouTube channel KittiesMama, told the Daily Dot that VidIQ CEO Rob Sandie told her that the compromised accounts had common passwords. However, Jennifer doesn’t fully believe that story.
“I am not completely convinced that it was my password. I don’t know if there was an exploit in [VidIQ’s] software that caused this,” Jennifer said. “I’m skeptical… Our passwords are kind of crazy… with letters and numbers, and punctuation. I mean, it’s even hard for me to remember.”
Jennifer said that she first realized the KittiesMama account had been hacked on the morning of Oct. 30, after receiving texts from both her daughter and a friend. She said about two pages-worth of videos had been changed. After talking with Peter Hollens and a contact of iJustine’s, Jennifer and Hollens determined that VidIQ was the service that all three hacked accounts used.
After Jennifer contacted VidIQ, Sandie told her they would be unable to restore her YouTube channel—they didn’t have back ups of the channel because she didn’t have a paid subscription to the service. Jennifer then disconnected VidIQ’s access to the channel and was able to manually change back the video data using cached Google search results.
YouTube has since restored the KittiesMama account.
“For me, I feel like it was fairly minimal damage. As far as views and things, we had a slightly lower view count [on Nov. 1] than normal, but it didn’t completely wipe out our channel,” Jennifer said. “I feel like we’re pretty good for what it was.”
Other YouTube channels had a rockier experience.
Hollens, a musician, had been hacked by OurMine a day prior, on Oct. 29. OurMine had used VidIQ to change the data to every single one of his videos, dating back to 2011. Hollens told the Daily Dot that YouTube hasn’t been as responsive as they have been with Jennifer’s account, and that he’s still in the process of manually reverting his videos nearly a week later.
The hack couldn’t have hit Hollens at a worse time. He had just released a new album the day prior, and was trending in the top 100 albums chart on iTunes. With all of his video data changed, his videos weren’t getting picked up by YouTube’s SEO and his click-through rates on the album dropped. Even worse, Hollens’ Twitter account had been hacked by OurMine just two months prior.
“It’s frustrating because I literally am the person that figured out that it was VidIQ, and I stopped it from going any further,” Hollens said. “It was a huge snafu, but in the end it was just a blip. But it was really frustrating staying up until four o’clock in the morning two days in a row trying to change everything back, and I still haven’t even finished it all.”
Hollens also said VidIQ’s handling of this situation appeared sketchy. According to Hollens, Sandie told both him and Jennifer different numbers for how many VidIQ accounts were compromised. The 12 accounts discussed in VidIQ’s Twitter statement differed from the number originally given to Jennifer.
“And then [Sandie] comes out and starts blaming everyone else,” Hollens said. “It’s just like, sure, OK, you have to do that to save face. Just be real. If you messed up… say the truth. The truth will literally set you free. It’s hard at first, but let that shit go.”
Ian Phillips, the account owner of ToyTrains4u, was online during the hack. In 20 minutes, OurMine had changed the titles and descriptions of the channel’s 25 most recent and 25 most viewed videos.
“It was scary refreshing our video manager page and every refresh seeing another video changed. It had an instant effect on our real-time view count, which started going backwards,” Phillips told the Daily Dot. “The day was awful but you just have to roll your sleeves up and deal with these things.”
Phillips restored the data manually, and said the OurMine hack has made his team reexamine all aspects of password control by exposing a weakness.
“If you give permission to a third party to access some of your data through an app or extension, then the security for accessing that app or extension should be as good as the primary site. If not you are potentially at risk,” Phillips said.
YouTuber Jessica Fangs told the Daily Dot that she manually changed her video data back and simply changed her passwords. Gary, the man behind YouTube account Gizzy Gazza, told the Daily Dot he informed his audience about the hack via Twitter then actually did contact OurMine for help.
“[OurMine] was actually very easy to work with and only just wanted me to change my password, which I did. Once I did they changed most of my titles and descriptions back to normal,” Gary said. “I honestly never thought it would happen to me.”
The Halloweekend hack is just the latest in OurMine’s run of recent security compromises. In June, OurMine hacked the Quora and Twitter accounts of Google CEO Sundar Pichai, as well as the Pinterest and Twitter accounts of Mark Zuckerberg. The team took over news site TechCrunch for a morning in July, and attacked BuzzFeed last month.
Though Fangs and Phillips didn’t fault VidIQ for not having two-step authentication available on their application, which could have prevented the hack, Gary said that VidIQ wasn’t of much assistance after his account was compromised.
“They just emailed me basically giving me a heads up I was hacked. My manager and the hacker themselves helped more than VidIQ,” Gary said.
While Jennifer said Sandie told her VidIQ would be adding two-factor authentication in the future, she’s wary to use the service for the time being.
Jennifer hopes other YouTubers use this hack as a cautionary tale and better secure themselves when it comes to third-party applications. She also called upon apps to use two-factor authentication, or Google Login to forgo a separate password entirely.
“Your security is only as good as the apps that you’re using,” Jennifer said. “I am on the fence about [VidIQ] right now… If VidIQ gets their stuff fixed, I’m not against using them again.”
Hollens’ opinion of third-party applications is much more unforgiving— he’s completely done with VidIQ, and doesn’t believe he’ll give third-party access to any of his social media accounts in the future. He also wants other content creators to be vigilant of which accounts they’re potentially giving hackers access to through third-party apps.
“Especially now in this day and age, we have to be so incredibly careful of what we give access to,” he said. “Those smaller companies, God love them, don’t have the ability, the security, to stop stuff like this from happening. My entire livelihood is on social media, I just need to be away… From my perspective, no one should ever use [VidIQ] again. It’s kind of like one of those ‘one shot and you’re out’ kind of things.”
VidIQ did not return multiple requests for comment.
Update 5:02pm CT, Nov. 4: Sandie replied to a request for comment with the following statement, which says VidIQ has paused YouTube management operations until clients enact the company’s two-factor authentication feature: “We started this company in 2013 to help creators grow on YouTube. When we heard these accounts were compromised, it was extremely gut-wrenching to hear. The hackers are keen to point out that they used common email/password combinations and our server logs support exactly that. We have added a number of security improvements since Tuesday and have paused YouTube write actions until our users enact two-factor authentication with us. We are deeply sympathetic towards the twelve compromised accounts, and we’ve taken actions to make sure this never happens again to any of [the] users.”
This post has been updated for clarity.