Sophos Cloud Optix
Hackers have taken control of Microsoft’s official YouTube channel, removed the company’s videos and replaced them with ones of their own.
Click here for a larger image of Microsoft’s hacked YouTube channel.
At the time of writing, the hackers are still uploading new videos to the channel. The ones we have seen so far are typically three or four seconds in length, and typically call on other internet users to post video responses, create new background images for the channel or provide sponsorship.
Another brief video, entitled “Bingo”, shows an animated character from what appears to be the “LA Noire” videogame by Rockstar Games, shooting another character in the head.
A message posted on the channel cryptically reads:
"I DID NOTHING WRONG I SIMPLY SIGNED INTO MY ACCOUNT THAT I MADE IN 2006 :/"
It seems unlikely that the change to the YouTube channel is a bizarre publicity stunt by Microsoft. After all, what would be the sense in deleting its archive of past videos – many of which are embedded on third-party sites around the world.
Although there are no details yet about how hackers managed to gain control of Microsoft’s YouTube account, the obvious suspicion has to be that a Microsoft employee who had administrative rights over the channel was careless with their password.
One YouTube user, however, has left a comment on one of the videos describing his theory on how Microsoft’s YouTube account was compromised:
This is how he "hacked" the channel:
He legittly made the account Microsoft when youtube wasn't that big but the REAL Microsoft probably asked Youtube to disable it and give it to them. The flaw is that this account was probably still linked to this kid's email and microsoft forgot to change it or whatever.
So all this kid had to do was recover this account using his old email.
Not that hard. Thats probably how the other big Channels got "hacked".
Thumbs this up so people can see!
If that’s true, then it’s a colossal foul-up by YouTube that may concern other well-known brands who have established presences on the video network.
Regardless of how the hack occurred, it’s embarrassing and inconvenient for Microsoft.
The attack comes just a week after hackers broke into the Sesame Street YouTube channel, and replaced its child-friendly content with hardcore pornographic movies.
Notice how they made the videos with iMovie from Mac OS.
Well, I'm going to say that.
Probably someone created the account Microsoft before the officia Microsoft company use it as their channel.
They probably left the account linked to the original user's email.
The "hacker" then use password recovery to reset his password using his email and there he goes.
Credits to Youtube user: wamasakky
Not a good thing. Even big companies like Microsoft should know better. Complex passwords consisting of upper and lower case letters along with symbols and numbers and a minimum length of 8 characters are the way to go. Whoever hacked in may have used brute force methods, or just simply used a dictionary attack.
What the "cryptic" comment is trying to say is this, based on some remarks in the channel comments:
1. Kid registers "Microsoft" account for the lulz when Youtube was still a fairly small site.
2. He(?) doesn't really use it.
3. It gets taken away from him and given to the real Microsoft.
4. Years later he tries to reset the password w/ his email account and it works. Clearly a bug on Youtube's part if true.
That's not really "hacking" in any criminal sense. He legitimately registered the account and used the standard account recovery mechanism, according to what these comments seem to be saying. Deleting all the videos was a dumb move on his part though. Should have stuck to just changing the wallpaper. MS could take that in good humor…
Does this mean do not go to youtube until we hear from Sophos the coast is clear?
I’m wondering the same thing. My curiosity wants me to go take a look. Kind of like the “wet paint” sign. 😉
Ahhh, my comment-in-moderation got superseded by a post edit XD Now it will appear redundant, sorry about that 🙂
holy crap, what next? Apple?
I found it hard that Microsoft did not change the registered email.
How is this embarrassing for Microsoft? YouTube was hacked. It wasn’t some custom page developed by Microsoft.
It may not be a password issue.
Maybe it wasn’t a password issue. But maybe it was.
At the moment, as far as I have heard, nothing has been confirmed.
If Microsoft staff were lax with their password security then that’s pretty embarrassing.
Heya i’m for the first time here. I came across this board and I in finding It truly useful & it helped me out a lot. I’m hoping to offer something back and help others like you aided me.