Google account hacked: how to avoid phishing suffered by Andrea Galeazzi's YouTube channel

January 21, 2026

The compromise of the YouTube channels of Andrea Galeazzi, one of the best-known technology reviewers in Italy with 1.4 million subscribers on Google’s video platform, is causing a sensation. Cybercriminals have effectively turned the 52-year-old Milanese YouTuber’s channels into “showcases” for cryptocurrency-related scams, not by cracking a weak password, but through a carefully planned maneuver that exploited weaknesses intrinsic to the authorization protocols we use every day. In Galeazzi’s case, the attackers combined social engineering with artificial intelligence. They also abused the OAuth system to bypass two-factor authentication, a barrier that should always be enabled but which, on its own, is not enough to make an account inviolable. Let’s see, then, how a Google account can be hacked and, above all, how to defend yourself.

How a 2FA-protected Google account can be hacked

The theft of Andrea Galeazzi’s Google account is the result of a targeted attack, carefully planned by the cybercriminals who carried it out. Galeazzi himself confirmed that he had lost access to his Google account and all connected services, even though two-factor authentication (or 2FA) was active. But how is it possible to hack a Google account protected by 2FA? Through the abuse of OAuth authorization mechanisms via targeted phishing, which lets hackers bypass traditional defenses with a bait tailored to the potential victim. The attackers, posing as a microphone brand with which the tech YouTuber had already collaborated in the past, exploited real information (such as community complaints about the audio quality of some videos) to make the bait message as credible as possible.

It is precisely here that artificial intelligence plays a crucial role: today AI can analyze enormous quantities of public data to build psychological and narrative profiles of victims, making phishing emails almost indistinguishable from legitimate communications and drastically lowering the guard of even the most experienced users. Everything we publish on social media (posts, comments, stories, etc.), if captured by the AI used by cybercriminals, could help them construct tailor-made messages with which to try to deceive us. And it is easy to see that an email that talks about facts and situations that directly involve us can significantly lower our attention threshold and push us to make that extra “click” that costs us access to our online data.

The most insidious technical aspect of this breach lies in the abuse of the OAuth protocol. Put as simply as possible, OAuth is a standard that allows an online service or app to be authorized to access another service without disclosing private information. You know when, while accessing a service, you see messages like “Sign in with Google?” or “Allow this app to access your account?” Well, that’s the sign that you’re using the OAuth protocol. It all works through an access token that an authorization server issues to a third-party client, and it requires approval from the user who owns the resource the client intends to access.

When we use our Google account to access third-party services and click “Continue”, if the OAuth login screen was maliciously generated by an attacker, the victim is instructing Google to generate an “access token”. Since the user is usually already logged in to the browser, the system does not ask for two-factor authentication again, interpreting the action as a legitimate granting of permissions. Once hackers obtain this token, they can carry out significant operations on the account, sufficient in many cases to progressively take control of the connected services.
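As an added example (not part of the original article), this Python code takes apart the kind of consent link described above and lists what to check before clicking “Continue”. The sample link, the placeholder client_id and redirect host, and the list of scopes treated as high-risk are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Scopes treated as high-risk in this example (an assumed, non-exhaustive list):
# each grants broad control over mail, files or a YouTube channel.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/youtube",
    "https://www.googleapis.com/auth/youtube.force-ssl",
}
GOOGLE_AUTH_HOST = "accounts.google.com"


def review_consent_url(url, known_client_ids=frozenset()):
    """Return the facts a user should check before approving an OAuth request."""
    parts = urlsplit(url)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    scopes = params.get("scope", "").split()
    redirect_host = urlsplit(params.get("redirect_uri", "")).hostname
    findings = []
    if parts.scheme != "https" or parts.hostname != GOOGLE_AUTH_HOST:
        findings.append("not served by Google's authorization endpoint")
    if params.get("client_id") not in known_client_ids:
        findings.append("client_id is not an app you already trust")
    risky = sorted(s for s in scopes if s in HIGH_RISK_SCOPES)
    if risky:
        findings.append("requests broad scopes: " + ", ".join(risky))
    if params.get("access_type") == "offline":
        findings.append("asks for offline access (a long-lived refresh token)")
    return {"client_id": params.get("client_id"), "redirect_host": redirect_host,
            "scopes": scopes, "findings": findings}


# Constructed sample: the client_id and redirect host are placeholders, not real values.
SAMPLE_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=000000000000-example.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fbrand-portal.example%2Fcallback"
    "&response_type=code&access_type=offline"
    "&scope=openid%20email%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fyoutube"
)

if __name__ == "__main__":
    report = review_consent_url(SAMPLE_URL)
    print(report["client_id"], report["redirect_host"])
    for finding in report["findings"]:
        print(" -", finding)
```

On the constructed sample the link really is on Google’s domain, so the domain check passes; the findings come from the unknown app, the YouTube scope and the offline-access request.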

How to secure your Google account beyond 2FA

To adequately protect a Google account, it is evidently not enough to activate two-factor authentication (which remains, together with setting a secure password, a basic security measure). We need to do something more. To begin with, it is advisable to use the diagnostic tools made available by Google and to consult them regularly. The system uses a very intuitive visual code to communicate the risk status of the account. By accessing your profile from this page, pay attention to the different icons you may find and their colors:

  • Blue indicates simple suggestions for improving security;
  • Yellow indicates important steps that should not be ignored;
  • Red represents urgent notifications that require immediate action.
How to check the security of your Google account.

Your goal, as far as possible, is to turn icons of these colors into a green check (as in the screenshot preceding this paragraph), the symbol Google uses to mark a healthy account with all protection measures active.

In addition to constant monitoring through these tools, for those who manage valuable digital assets or want the highest level of security, activating Google’s Advanced Protection Program is the definitive solution. This free system proactively blocks access by unverified apps, preventing the generation of malicious OAuth tokens, and requires the use of physical security keys for access (hardware token or passkey on your device), rendering any attempt at credential or session theft futile. And if this last option seems like an excessive measure, remember that extreme evils call for extreme remedies.
