Gmail And YouTube Hackers Bypass Google’s 2FA Account Security
Desperate Gmail and YouTube users are turning to official and unofficial Google support forums after hackers take over their accounts, bypassing two-factor authentication security and then locking them out. Time and time again, the attackers appear to be part of a cryptocurrency scam supposedly giving away Ripple’s XRP to those responding.
Google Users Take To Support Forums As 2FA Hackers Target Gmail And YouTube Accounts
If you scan the various support forums for Google products such as Gmail and YouTube, including Google’s own official forums and those on Reddit, you will always see desperate people asking about account recovery. These usually relate to someone forgetting the password, having their phone stolen, changing telephone numbers and so on. However, when you see a pattern emerging of people whose accounts have been hacked despite having 2FA activated and being unable to recover their accounts, you know something out of the ordinary is happening.
“They changed the two-factor authentication… account recovery is not working and sends me on a loop.”
“The hackers changed the password and the phone number and also edited the two-factor authentication settings.”
“My account, which was 2FA authenticated, can’t log in, password-box says in password changed 25 hrs ago. Cannot recover because the genius hacker has changed the recovery email to the same email, and deleted my number too.”
Aside from the number of accounts compromised despite having 2FA protection in place, there appears to be another common denominator in the form of Ripple Labs cryptocurrency—or, rather, scams leveraging XRP.
Ripple Labs Issues XRP Cryptocurrency Scam Warning
Ripple has taken to X in an attempt to spread awareness of the increasing spate of attacks against Gmail and YouTube accounts, which are then used to entrap readers and viewers with a variety of scams. The most common of these is what is known as a crypto-doubling scam, which promises to refund twice the amount of XRP that someone sends to what purports to be a genuine Ripple management account. Some of the compromised YouTube accounts have, for example, used deepfake-generated video of the Ripple Labs CEO, Brad Garlinghouse, for authenticity.
In an X posting published 11 April, Ripple Labs warns that it will never ask anyone to send XRP and points concerned readers to advice on how to avoid cryptocurrency scams.
How Hackers Bypass 2FA Security
The answer to the question, ‘How do threat actors hack 2FA security?’ is that they don’t. They simply bypass it altogether. It’s most likely that the users who have found themselves locked out of their Google account, with passwords and 2FA details changed to prevent them from getting back in, have fallen victim to what’s known as a session cookie hijack attack. This attack most often starts with a phishing email leading to malware that can capture the session cookies that are designed to help users log in more quickly, get right back to where they left off, and so on. The trouble is, if a nefarious actor can get hold of these cookies after a user has logged in successfully, then they can essentially replay them and bypass the need for a 2FA code. As far as the site is concerned, authentication has already been successful: the user is already logged in. Forbes contributor Zak Doffman has provided an overview of this attack methodology and some of the methods being employed to combat it.
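As an added illustration (not from the article, Google or Ripple), the following Python sketch shows why a plain bearer cookie is enough for a replay and how binding the session to a key that never leaves the device, a simplified stand-in for the device-bound session credentials Google mentions, turns a stolen cookie into a useless one. Holding the device key server-side and using HMAC instead of a TPM-backed key pair are constructed simplifications; all names, keys, nonces and IP addresses are made up.

```python
import hashlib
import hmac
import os

# Server-side session table: cookie value -> (user, device key, login IP).
# Storing the device key here is a constructed simplification; real device-bound
# sessions keep a private key in hardware and register only the public key.
SESSIONS: dict[str, tuple[str, bytes, str]] = {}
USED_NONCES: set[tuple[str, str]] = set()


def login(user: str, device_key: bytes, ip: str) -> str:
    """Issue a session cookie after password + 2FA succeed, bound to device_key."""
    cookie = os.urandom(16).hex()
    SESSIONS[cookie] = (user, device_key, ip)
    return cookie


def device_proof(device_key: bytes, cookie: str, nonce: str) -> str:
    """Client side: per-request proof of possession of the device-held key."""
    return hmac.new(device_key, f"{cookie}:{nonce}".encode(), hashlib.sha256).hexdigest()


def authorize(cookie: str, nonce: str, proof: str, ip: str) -> tuple[bool, str]:
    """Accept a request only if the cookie is live, the proof matches the bound
    device key and the nonce is fresh. Returns (allowed, reason) for logging."""
    sess = SESSIONS.get(cookie)
    if sess is None:
        return False, "unknown-session"
    _user, device_key, login_ip = sess
    expected = device_proof(device_key, cookie, nonce)
    if not hmac.compare_digest(expected, proof):
        return False, "bad-device-proof"      # cookie replayed without the key
    if (cookie, nonce) in USED_NONCES:
        return False, "replayed-nonce"        # captured request replayed verbatim
    USED_NONCES.add((cookie, nonce))
    if ip != login_ip:
        return True, "allowed-ip-changed"     # valid, but worth a detection signal
    return True, "allowed"


def demo() -> dict[str, tuple[bool, str]]:
    """Constructed scenario: victim logs in, then an attacker replays the cookie."""
    victim_key = os.urandom(32)               # lives only on the victim's device
    cookie = login("victim@example.com", victim_key, "203.0.113.10")
    proof = device_proof(victim_key, cookie, "n1")
    results = {"victim": authorize(cookie, "n1", proof, "203.0.113.10")}
    # Infostealer exfiltrated the cookie but cannot produce a device proof.
    results["attacker_no_key"] = authorize(cookie, "n2", "0" * 64, "198.51.100.7")
    # Attacker replays the victim's captured request byte-for-byte.
    results["attacker_replay"] = authorize(cookie, "n1", proof, "198.51.100.7")
    return results
```

Without the proof check, the first attacker call would succeed exactly as the article describes, because the server sees a cookie that was issued after a successful 2FA login.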
Google Says Users Have 7 Days To Recover Hacked 2FA Accounts
I reached out to Google about the session cookie hijacking problem, which it acknowledged is a long-standing problem for account security across the internet. “There are techniques we use and continuously update to detect and block suspicious access indicating potentially stolen cookies,” a Google spokesperson told me, “in addition to pushing forward innovations like device bound session credentials.”
For those users whose accounts have already been hacked and their second-factor and recovery factors changed, all is not lost, according to Google. “Our automated account recovery process allows a user to use their original recovery factors for up to 7 days after it changes,” the spokesperson says, “provided they set them up before the incident.”
When it comes to general account security hygiene, Google recommends that users make sure their account is set up for recovery, so there is less friction if they ever need to regain access for whatever reason. “For additional protection, we continue to encourage users to take advantage of security tools, like passkeys and Google’s Security Checkup,” the spokesperson concludes.