The Washington Post reports that Matthew A. Buchanan, 28, has admitted having earned more than $50,000 by taking over YouTube channels and opening them up to advertisements through AdSense accounts under his control (h/t Sophos).
He also admitted having accessed the e-mail account of the CEO of AOL in July of 2013.
Buchanan and another man, John T. Hoang Jr., apparently leveraged a flaw in Google's password reset process to take over victims' accounts. Hoang wrote software to identify more than 200,000 popular YouTube channels that didn't have advertising set up -- the two then took over the accounts and collected AdSense advertising payments for the channels, earning almost $56,000 from June 2012 to September 2013.
In one online chat between the two, Buchanan wrote, "if i don't go to jail this will be a good night for us :)"https://o1.qnsr.com/log/p.gif?;n=203;c=204660766;s=9477;x=7936;f=201812281312070;u=j;z=TIMESTAMP;a=20392931;e=i
Buchanan will be sentenced on March 28, 2014. He faces up to five years in prison.
As Sophos' Lisa Vaas notes, this case should serve as a solid argument for enabling two-factor authentication.