LinusTechTips Twitter Account Hacked (and how to secure yourself)

(Please bear in mind that the thought of this being from infostealer malware is absolutely speculation until there is some root cause analysis shared from the official sources)

Comments
Author

Full disclosure, I did not have my Yubico security key and hardware token set up for my own Twitter/X account while recording this video -- so totally fair play to call me a hypocrite 🙃 This is a good reminder for everyone, including myself, to get that prepped and lock things down!
(And please bear in mind that the thought of this being from infostealer malware is absolutely speculation until there is some root cause analysis shared from the official sources)
((And I believe it was the LTT YouTube channel that was compromised previously, NOT their Twitter/X account, so wanted to be sure I included that correction))
(((And I've cleaned up the backup code with YouTube Studio. It was regenerated multiple times anyway, but I appreciate your concerns)))
((((And the YubiKey that I show in the video is not the YubiKey Bio, which has the gray circle and accurately makes a fingerprint template -- so I'll be getting that fixed up too!))))

_JohnHammond
Author

It's always some kind of malware on an employee's computer, I think? Hackers often pose as sponsors and try to get YouTubers to open email attachments. Thanks for the video John.

KarlRock
Author

Way ahead of the hackers, don't have a twitter account anymore.

dyerseve
Author

You should not be able to make certain changes to accounts without re-authenticating. Companies like Twitter and YouTube need to do better.

jmr
Author

Disabling 2FA without going through support should require 2FA. I mean, you need your password in order to change your password in a simple manner (you can reset it but then you need access to another account, the email), being able to just toggle off 2FA without having access to the 2FA is unforgivably bad design, something we already know is a bad idea.

Person
Author

If infostealers can just steal your token and use it on a different device in a different country AND even change password & e-mail address... What's even the point of 2FA?
I'm mad.

puerlatinophilus
Author

Best way to protect your twitter account is to just delete it

itsonlybrad
Author

I think the root of the problem isn't that Linus doesn't have 2FA, it's that Twitter doesn't require you to confirm your 2FA code to make security changes to the account, which is a big no-no. He had this same criticism for YouTube when the LTT channel got hijacked. It will let you reset all the security stuff without asking for your password or 2FA code again, assuming you are who you say you are.

LinuxAvali
Author

The Yubikey you show in the video is not a “something that you are” example because all Yubikeys except the Bio series with the black dot (so all gold dot ones) are NOT a biometric reader - it is just you tapping the button. It’s another “something that you have”.

cfagerstrom
Author

Rather than just sending an alert that someone logged into your account from a different place in the world, that login should be challenged in the first place.

ya
Author

Twitter's email has the energy of saying "L bozo"

cinderwolf
Author

Imagine if browsers could keep cookies secret on a modern operating system.
We really are living in the strangest branch of this universe.

capability-snob
Author

Didn't LTT get hacked a couple of months ago? ...

Sick_-uck
Author

Please do not blur sensitive information. Blackbox it completely

miss_sapphire
Author

I still think it's crazy how logging in from a different country/location or even making password/2FA changes doesn't require re-authenticating via email or so.

Remmes
Author

14:57 - "Try to make sure that's the only option for logging in"

Unfortunately 99% of services don't support this yet. It's even worse on mobile where security keys still aren't even remotely functional on any mobile applications I've tried despite literally being implemented

klipk
Author

As a Bitwarden enjoyer, I feel very validated by 9:48

iCortex
Author

Using a security key for a personal account is all well and good - but the thing that got compromised was the shared company account that needs multiple people to be able to access, to have mechanisms to kick people out when employees leave, etc.

From my understanding, twitter doesn't give you an easy way to register a dozen security keys to a single account, along with identifiers that will allow for reasonable decommissioning of credentials later. I don't think the workflow is viable to make that a defense.

jippenfaddoul
Author

Sucks to see people get hacked, sucks more to see it happen again and again. I've been in a similar boat a few times. All you can do is learn and be better prepared for the next day, at this point.

apIthletIcc
Author

Saying Shitter Support Is Shit Would Be An Insult To Shit.

BazilDay