Digital Security For YouTube Creators in 2024 (Ultimate Guide)
As the success of online content creators continues to skyrocket, YouTube channels have been facing the escalating threat of hackers. Given the fact that The Creator Economy, according to Goldman Sachs, is estimated to approach half-a-trillion dollars by 2027 — its not surprising the industry is a growing target for hackers.
Last year, Linus Tech Tips and Think Media Podcast had their channels compromised. These are creators who are incredibly knowledgeable when it comes to technology and the YouTube platform, so this should really illustrate the point that anyone can be pwned if they aren’t paying attention.
The reality is, if you’re a YouTube Creator, your brand’s security shouldn’t be an afterthought.
The goal of this article is to breakdown everything you can do to protect your YouTube channel from hackers and nefarious individuals. Some of this is very basic, some of it takes more effort. There’s also a couple things that I’ve yet to see anyone else bring up when talking about YouTube security, which I think will greatly reduce your threat level.
Let’s start with few very basic cyber security truths you should understand going in:
Your security is only as strong as your weakest link. Putting effort into one aspect of your security typically won’t offset other areas in which your security is lacking. Hackers specifically seek out weak spots in their targets — so it’s important to look at your digital security holistically.
The overwhelming majority of compromises today come from social engineering — not hacking. This is sometimes called “human hacking” and relies on manipulation and human error, rather than technical vulnerabilities. That said, for the remainder of this article, i will refer to all of these bad actors as “hackers”.
The most time and effort that goes into digital security is during the setup. This can be frustrating at first, but understand that these security techniques and principles are designed to be systems — and once they’re setup, it all becomes very convenient.
I guarantee you that if your YouTube channel or any of your important accounts are compromised, you’ll wish that you put the effort into locking down your accounts. Hindsight is 20/20. Just do it.
If you’re a content creator, you’re responsible for your own digital security. With that said, let’s lock it down.
Your YouTube-linked Email Address
First and foremost, the email associated with your YouTube channel should never, ever, ever, EVER be used publicly in any capacity. Technically, this email address is your YouTube channel. Think of the email linked to your YouTube channel as a part of your account login and nothing more.
On your YouTube profile's "About" page, you have the option to display a public-facing email address. It's crucial that this email address is not directly associated with your YouTube account, main Google account, or AdSense. Consider creating a separate public-facing business email for potential sponsors, fans, or contacts. Reserve your private email solely for your Google account, YouTube, and AdSense. Using this sensitive email address publicly increases the risk of unauthorized access to your account as it gives hackers the first piece of the puzzle that is your login. Additionally, it gives those hackers a clear target for phishing attacks.
Many people think that when it comes to their email/password for their account that only the password part is sensitive information. This isn’t true. Your associated email address should also be considered sensitive.
Don’t treat your YouTube-associated email as an email. Treat it as a totally confidential part of your login.
Important Information To Write Down
There are a few things that you should write down on paper and keep safely stored in the event that one of your YouTube channels is compromised. These are:
Your full channel url. NOT the custom one with the “@” in it, but rather the original, longer one that looks like gibberish. To find this one, go to your YouTube Studio and then go to “customization”. You’ll find it under “Channel URL”.
The exact date your YouTube channel was created.
Your usual I.P. address. You can use this website to find it.
Your backup codes for your Google account. You can generate 10 8-digit codes for your Google account that can be used in the event that you lose access to your multi-factor authentication. Make sure to generate these codes and store them somewhere safe. A couple things to note: (1) These are used when a user loses access to their MFA; not for account recovery. (2) Additionally, backup codes are revoked when users enroll in Google’s Advanced Protection Program. If you are (which you should be), disregard backup codes.
In the event that you get locked out of your account, Google support will sometimes use this information to help verify your identity. These types of things are often used for account verification on other platforms too, such as Meta’s Facebook.
Passwords & Password Managers
This advice isn’t exclusive to your Google or YouTube account, but rather all of your accounts. Weak passwords are one of the most common cyber security mistakes people make. So let’s go over a great password strategy that will increase your digital security:
Avoid Personal Info: Never use easily available details like name or birthday.
Length and Complexity: Aim for longer passwords with a mix of numbers, symbols, and cases.
Unique for Each Account: Prevent a domino effect by using distinct passwords for each platform. Reusing the same passwords for multiple accounts is perhaps one of the biggest mistakes people make when it comes to password security. It’s important to understand that when websites have a data breach (spoilers: this happens all the time), hackers can take those compromised email/password combinations and try them on every major website or app. This makes using unique passwords for all your important accounts crucial.
No Dictionary Words: Steer clear of easily guessable words, opt for unrelated terms.
Embrace Randomness: Use password managers for randomly generated, strong combinations.
A great strategy for remembering passwords comes from our friendly neighborhood whistleblower, Edward Snowden, who suggests this practical tip: Ditch traditional passwords in favor of "passphrases" – lengthy, unique phrases that are both memorable and secure. For instance, consider a passphrase like "MargaretThatcheris110%SEXY." A computer would never get it, and you'd never forget it.
One of the best things you can do for password security is start using an encrypted password manager. These allow you to generate and store all your unique passwords inside them, which are locked with a master password. You’ll be able to autofill your logins without having to remember each password yourself. This means you can generate as many longer, hard-to-remember passwords as you want without the inconvenience of forgetting them. Making dozens or hundreds of unique, strong passwords is difficult because our brains can’t remember that many. The password manager solves this issue.
If you’re hesitant about using one for security reasons, know that just about every security expert recommends them. It’s also worth pointing out that you can choose to keep entering your most important passwords manually (banks, financial institutions, social media), while still using them for all your other accounts. Additionally, you can also manually add some additional characters to the end of your generated passwords that must be entered in manually to increase security even further. This is called salt-and-peppering.
Personally, I recommend bitwarden which is probably the best 10 bucks per year you can spend.
Multi-factor Authentication (MFA)
MFA provides an extra layer of verification, ensuring exclusive access to your accounts. By combining two or more authentication methods, typically with your existing password, MFA validates your identity, enhancing the security of account logins.
Securing information involves three authentication factors: something you know (passwords, pin codes, secret questions), something you have (security keys, physical tokens), and something you are (biometrics, fingerprints). Integrating various MFA methods across these categories strengthens account protection significantly.
So, what type of MFA should I use?
Let’s go through the most common forms of MFA and their risk level.
SMS - the most widely used form of MFA. It operates without additional hardware or software. Upon login, you receive a time-sensitive code via text message. SMS is arguably the least secure form of MFA and comes with huge security risks. SIM cards are susceptible to cloning or hijacking, enabling hackers to switch your phone number to a controlled SIM card, granting access to your MFA codes.
I really can’t stress avoiding SMS MFA enough. It’s actually scary how easy it is for someone to compile and socially-engineer some basic information on someone, call their target’s phone service provider and gain access to their SIM card (and MFA codes). I also don’t like it because if you lose your phone, or service to your phone (which is common with traveling, for instance), you get screwed.
Security Ranking: BAD.Email - probably the easiest form of MFA, but also another one of the least secure. Email MFA is highly vulnerable to attacks. Also, in the case of YouTube, your email account is quite literally baked into your YouTube channel. So if one is compromised, both are compromised.
Security Ranking: BAD.Push Notifications / Google Prompts - this involves tapping on a notification on your phone to confirm it’s you when logging in. This is more secure than SMS or Email 2FA… but let me explain why I don’t like it:
While prompts are technically more secure than TOTP when the human element is removed, they contribute to "2FA fatigue," causing users to mindlessly accept prompts to expedite the process. If a hacker gets your password, they can spam prompts – which many users will mindlessly accept at some point because they’ve been conditioned to do so.
Additionally, because Google Prompts are more secure than SMS, Google has made it very difficult to remove Prompt MFA from Google accounts — unless you manually log out of your account on your mobile device, which is frustrating. The solution to this is to enroll in Google’s Advanced Protection Program, which will disable this form of MFA entirely.
Security Ranking: OKAY. (though, personally, I don’t like it.)Authenticator Apps - Authenticator apps offer a convenient MFA method, generating a random rolling token code for secondary authentication. If you choose this method, Authy is a good choice because it allows for multi-device access including via desktop apps. Simply put, a good authenticator app would be the best choice for MFA if you don’t invest in hardware keys.
Security Ranking: GOOD.Physical Hardware Security Keys - A security key is a compact physical token inserted into a PC or device for login authentication. Typically smaller than a thumb drive, users must carry it for account access. Offering top-tier security, a physical token cannot be copied, and it functions offline. The is the most secure Multi-Factor Authentication method.
Put more simply: When you login, instead of waiting for a six digit SMS code, you get a prompt to insert your security key. You insert it and tap a button. Without the key, a user can’t authenticate.
It’s resistant to most phishing attempts (more on that shortly), preventing attackers from intercepting or deceiving users. Examples of phishing-resistant MFA include FIDO2 and the WebAuthn standard, employing hardware-based security keys. This approach merges the security of physical tokens and biometrics, establishing a highly secure authentication method for user access.
Security Ranking: BEST.
In fact, let’s talk more about…
Physical Security Keys
When it comes to multi-factor authentication, physical security keys are the best way to lock down your accounts. These take the form of a physical USB drive, establishing a connection with your devices such as PCs, laptops and mobile devices. Its primary purpose is to validate identity for accessing specific resources within a network.
These keys offer versatile connectivity options, allowing them to link to devices through USB, Bluetooth, or a USB-C port.
Much like traditional OTPs and email verification, security keys serve as a means to authenticate users seeking access to accounts. But instead of verifying via an SMS text or email, users simply connect their hardware security key to the device and tap the button. You can integrate your physical security keys with as many accounts as you want.
Google Accounts not only support physical security keys, they’ve made a strong push to encourage creators and users to enroll their accounts into Google’s Advanced Protection Program. This program will require users to have two (2) physical keys, although users can setup more (recommended). Additionally, all other forms of multi-factor authentication will be disabled.
Some questions you may have:
”Why do I need to turn off other forms of Multi-factor Authentication?”
Answer: Keeping other, weaker forms of MFA enabled defeats the purpose of enabling the stronger one. As the more vulnerable ones would still be just as much of a risk. Having more forms of MFA enabled doesn’t make your security stronger. Your security is only as strong as your weakest form of MFA.
“Why do I need two security keys?”
Answer: If your hardware security key is the only way to access your account, it will be overwhelmingly more secure. But that also means you need to ensure you always have access to your physical keys. Google’s Advanced Security Program requires two. I recommend three or more. It’s not a bad idea to keep one in a safety deposit box or somewhere else especially secure.
“What security keys do you recommend?”
There are several reputable options, including Google’s Titan Security Keys. Personally, my choice has always been Yubico Security Keys. Yubico makes all sorts of keys that include various connection methods — and they’re widely considered top tier security keys by experts.
Yubico Security Keys
I use the Yubikey 5Ci — which is compatible with Apple, Android and PC. I also use the 5C NFC — which can connect to devices through USB-C or wirelessly through near field communication. Make sure to stick to security keys that are FIDO Certified.
Another good tip is: you can actually use various USB or lightning port adapters to use security keys on devices with different ports.
SIM Protection
As I mentioned earlier, it’s best to replace SMS MFA with hardware security keys, or at the very least an authenticator app. As the main risk associated with SMS MFA is SIM swap fraud.
SIM swap fraud, also known as SIM hijacking, occurs when a scammer gains control of a phone number by impersonating the victim and convincing the mobile service provider to transfer the number to a SIM card in their possession. This allows the attacker to bypass SMS-based two-factor authentication and take full control of the victim's phone and associated accounts. It has been proven to be concerningly easy for hackers to pull this off through social engineering personal information online. And most major phone service providers have a horrible track record for data breaches and other compromises.
I strongly advise not using SMS MFA, but if you insist on using it, make sure you enable all advanced SIM protection on your mobile carrier account. This often includes implementation of pre-established passwords or pin numbers to make it more difficult for a scammer to gain access — and pretty much always needs to be manually enabled (either on your online account or over the phone depending on the carrier.)
That said, just use physical security keys. We’re leaving SMS MFA in 2023.
Protect Yourself From Phishing Attacks & Session Hijacking
Okay, so you have hardware security keys and your YouTube accounts are locked down with Google’s Advanced Security Program… So that means you’re 100% completely safe, right? Sorry, not quite.
We need to talk about phishing attacks and specifically session hijacking. This was the method that led to Linus Tech Tips channel being compromised and it’s likely the method behind most successful YouTube channel compromises.
Session hijacking, also known as cookie hijacking, happens when an attacker seizes control of your internet session. The goal of session hijackers is to commandeer your browsing session, accessing personal information and passwords. You know how your YouTube account stays logged in for weeks or months at a time? That’s because your browser stores a token that tells it to stay logged into your Google account for convenience.
One of the most common ways a hacker is able to compromise a YouTube channel is by getting the person who owns or manages that channel to download malware that allows the hackers to “hijack” their session. By doing so, they can circumvent logging in and even multi-factor authentication — then ultimately change settings including passwords and security settings, thus taking ownership of the account.
The scariest part of this tactic is that because they’re hijacking your active session, MFA does not protect against this.
So how do these hackers get creators to download this malware?
This is where social engineering and phishing attacks come into play. The process begins with the perpetrator sending a phishing email to the victim, disguised as something significant, such as a message from a collaborator, an invoice or a potential brand deal. When it comes to phishing attacks against YouTubers… the most common tactic is the phony brand deal.
These deceptive emails often carry a malicious attachment, such as what seems to be a contract or a PDF file but are actually an executable file designed to inject malware into the victim's system. Once the malware is activated, it swiftly pilfers session cookies, providing cybercriminals with unauthorized access to the victim's account, all without requiring the entry of login credentials.
Many hackers will attempt to convince channel owners that they are a representative of a brand that commonly works with YouTubers (Nord VPN, for instance). Most of these will be pretty obviously fraudulent (weird domains, poor grammar, etc.) but others will seem far more legitimate. Some will look super authentic. This is why you need to be hyper aware. A lot of people have the idea that the only people who fall for email scams are elderly people with no tech savviness… but that’s not the case anymore. Phishing attempts are getting better and better.
When it comes to YouTubers, these attacks will typically involve a fake sponsorship deal. There will be some back and forth emailing discussing rates and project expectations before the hacker sends over a “contract” or other file for the channel owner to open. But instead of a contract, when opened, the file will activate malware that allows the hacker to hijack the channel owners’ browser cookies.
I’ve seen phony sponsorship emails that look almost flawlessly like the emails of the actual company they claim to be representing — right down to the branding, logos and format. Sometimes they’ll have have domains with one single character different that is hidden really well. For instance, instead of www.nordvpn.com, you might see:
nordvpm.com (one character different)
n0rdvpn.com (one character different)
nordvpn.cz (different top-level domain)
nord-vpn.com (adds a dash)
Before responding to a brand deal email, always verify the domain. Look up the brand’s official website to make sure the domains match. Additionally, avoid clicking on external links in random emails.
Generally, these attacks will target whatever your forward facing email address is on your channel. Likely the one you post publicly as a business contact. The important thing to understand is whatever account you’re logged in as will be the one vulnerable to a session hijack… even if the attacker is emailing a different, forward-facing email.
Because MFA doesn’t protect channels against session hijacking, this actually leaves a pretty gaping hole in security. But keep reading, because I’ve come up with a 200+ IQ security tip that will add a second layer of security against these attacks. (it’s actually very simple.)
Channel Permissions
First, before we get to that extra session hijacking security tip, we need to discuss channel permissions — which is relevant.
With channel permissions, you can grant other people access to your channel data, tools, and features in YouTube and YouTube Studio. There are several roles that grant varying amounts of access to secondary users. Because of this feature, it’s never a wise choice to be sharing channel account logins to your primary Owner account with employees or anyone that you want to access the channel.
Doing so creates all sorts of severe security risks, which is why this channel permissions feature exists. If your Owner account is compromised, you will lose your YouTube channel. If a secondary account that has been granted access as a Manager or Editor is compromised, you can simply revoke that permission with the Owner account. So always use channel permissions.
You can find your Permissions options in the YouTube Creator Studio under Settings:
Use a Manager Account Yourself Day-to-Day (200+ IQ Security Tip)
Okay, now that we’re all up to speed on channel permissions… Let’s get back to the session hijacking issue.
Unfortunately, even physical security keys aren’t fail proof. Even the strongest MFA won’t protect you from session hijacking. As I pointed out, the best protection from these attacks is being smart with your emails — by not clicking on sketchy links or downloading files from unknown senders. But still, phishing attacks have gotten better and better. And falling for one of these when you’re in a rush or preoccupied certainly can happen. So is there a second layer of protection?
Here’s my recommendation that I’ve yet to hear anyone else suggest.
Going back to the channel permissions options that YouTube offers: My recommendation is to create a secondary Google account to use for your day-to-day work on your YouTube channel. This will be the account you stay logged into. Give this secondary account the role of “Editor”.
Editor accounts are able to access all of the features on YouTube Creator Studio, with the exception of:
Deleting your channel
Deleting published content.
Managing permissions.
Entering into contracts.
Deleting or resetting stream keys.
Now you’ll have two accounts. Use your Editor account day-to-day. And keep your original Owner account logged out — and only log in when you need to do one of the specific tasks that only Owner accounts can complete.
What this essentially does is add one last security measure that can save your butt if you fall victim to a phishing/session hijack. If your account is compromised from a session hijack, it will only be the Editor account. The hacker will not be able to delete your channel or any of your content, and more importantly, you’ll be able to log in to your Owner account and revoke the compromised account’s permission/access.
Some will say this method is overkill — but it’s really the only security measure that will protect you from session hijacking aside from always being smart and cautious with your emails. Many will say its easy to avoid these phishing attempts, but you have to remember it only takes one screw-up to get nailed. When I originally began digging into digital security for YouTubers, my biggest concern was session hijacking because it’s the one exploit that doesn’t have an official second layer of security available to safeguard against it (since MFA doesn’t help here.)
I consider this that second layer of security.
Audit Your Signed-in Devices
Make sure to regularly audit which devices your Google account is signed into. You can do so by checking your device activity page. You can manually log out of your account on any device by visiting this page — so make sure any old or public devices aren’t kept logged in.
Build a Twitter/X Following (Yes, It’s Kind of a Security Advantage)
This one might seem odd if you don’t already use Twitter to promote your YouTube channel (Sorry Elon, nobody is calling it “X”).
Team YouTube is actually very active on the platform. Creators can actually reach out to them in the event that there’s an issue with their YouTube channels — specifically @TeamYouTube.
My recommendation is to build at least a modest following on Twitter/X. If there’s ever a time where you’re locked out of your YouTube account, this is likely the only alternative link that you’ll have with YouTube’s Creator Support Team. And the more of your audience that follows you on Twitter/X, the more they can amplify your tweets directed towards @TeamYouTube.
Is this the ideal way to deal with compromises? Absolutely not. Be proactive with the previous tips. But many creators have used this method as a last resort to have their channels returned to them.
Preventing Doxxing
Doxxing is the act of publicly revealing or publishing private and personal information about an individual, often with malicious intent, such as harassment, intimidation, or privacy invasion.
If you have a YouTube channel or any other sort of professional online presence (heck, even a personal one, for that matter), there are some precautions you should take. These are oftentimes things people don’t think about until after they cause a major problem, so it’s ideal to do these things preventatively in advance.
Don’t overshare personal information on the internet. Obviously, everybody has a different tolerance for how much they share with their audience, but I would strongly encourage creators to avoid sharing anything that reveals the exact area they live, family members, or really any personal information that people don’t need to know. Younger creators in particular have a horrible habit of oversharing everything from personal information to locations to relationships and more — and it’s simply a good idea to be more protective with what you reveal to the world.
Sign up for a service like DeleteMe. Unfortunately, we live in a world where your data is constantly being bought and sold by tech companies and other institutions before ending up on various public data brokerage websites. (Google your name, it will probably piss you off). You’ll find out pretty quickly that personal addresses and phone numbers are often accessible easily via search engine. Data Removal services like DeleteMe will actually file takedown requests on your behalf against hundreds of these sites and also monitor new ones. They’re very useful and worth the money (in my personal opinion.)
If you consider YouTube, your website or other social media your business, I strongly recommend getting a physical business address. Even if you don’t need a public physical address, you will undoubtedly need to enter one into various professional services or forms — which can ultimately end up in data brokerage websites. If you hire contractors, or send invoices to brands, or have any need for an outward facing mailing address… you really, really don’t want to be using your personal address.
Luckily, you can actually get a physical business address somewhere locally with services like iPostal1. This will provide you with a physical mailing address that you can utilize as needed for your business for about 10 bucks per month. I really like iPostal1 because they have tons of convenient locations (they’re partnered with Staples), but there are other great similar services too.
In Conclusion
I do hope all of this information has been useful to you. Taking time to tackle these security issues in a preventative way is so much better than waiting until your account is compromised. Just remember, digital security is always changing and it’s a good habit to stay informed and on top of any innovations that come our way.
Follow my on Twitter @KyleJBeauregard — and thanks so much for reading!
*note: this article contains some affiliate links to the products I’ve recommended.
