YouTube hearted comments of D. R. Stewart (@drstewart).
Something to magnify is that proper security protocols are actually what saved the channel from being totally irretrievable. The concept of least privilege is so important whether we're talking about a typical home user or a CEO. Using limited accounts based on role decreases the vulnerability/attack surface significantly. There's no reason an editor should be able to obliterate a YouTube channel.
I think you handled it in the best possible way, informing viewers of what happened, working through various stages of containment and reporting. Only further investigation will allow you to determine what exactly happened, but this seems like a textbook example of spear phishing. The fact that other prominent YouTube creators are being targeted in the same way underscores this.
I think not being reactionary and firing someone based on a phishing email is the right thing to do. Yes, breaches are bad, but as leaks in every possible institution have taught us, it's not a matter of if we'll be breached, only a matter of when. Therein lies the value of good security practice such as least privilege and compartmentalization. If it was a well-formed phish (and it sounds like it was, relatively), a little understanding and compassion is well-placed. We're dealing with humans here, not ACLs.