“We are sponsoring” and “Make us a Background to Get Subbox!!!” were the titles of two rogue videos published by those responsible for the attack. Meanwhile, the channel’s description was modified to read “Wish to Become Sponsored? Message me.”
One message posted by the alleged hacker provides an indication of what might have happened. “I DID NOTHING WRONG I SIMPLY SIGNED INTO MY ACCOUNT THAT I MADE IN 2006 :/” he said.
This suggests that the hijacker registered in the early days of the video-sharing website. The account was claimed by Microsoft, probably citing trademark reasons, but the original email retained access to it.
It’s not clear how this happened, but in 2008 YouTube started providing users with the option of linking their old accounts with their Google ones. This action became mandatory earlier this year and might have something to do with how the previous owner obtained access now.
If the user’s email address got linked with the Google Account used by Microsoft on YouTube, he might have gained the ability to perform a password reset. “If that’s true, then it’s a colossal foul-up by YouTube that may concern other well-known brands who have established presences on the video network,” warns Graham Cluley, a senior technology consultant at Sophos.
Microsoft didn’t comment about the method used to hijack its account, but has since regained control of it and restored the deleted videos. Meanwhile, the YouTube account of the user who claimed to be responsible has been terminated for violating community guidelines.
This incident comes after Sesame Street’s YouTube channel was hijacked and used to display adult videos last week. In order to avoid falling victim to such attacks, users should employ strong and unique passwords and review their Google accounts to make sure no unwanted email addresses have access to them.