YouTube channel hijacks usually start in the Google Account layer or in delegated channel access on a Brand Account. The recovery order is fixed: secure Google, remove unknown channel access, then check live streams, deleted or private videos, and monetization links before the attacker can reuse the same path.
| Signal | First move | Why it comes first |
|---|---|---|
| You are still signed in somewhere | Secure the Google Account, then review security events and devices | A live session is the fastest control path. |
| You are locked out | Use Google account recovery and keep the attempt consistent | Recovery systems score device and history patterns. |
| Channel uses a Brand Account | Open Studio Permissions and remove unknown access | Delegated access can survive a password reset. |
| There is a scam live stream or monetization change | Preserve evidence, then inspect live-stream and payout settings | Revenue and trust damage can continue after sign-in is fixed. |
If you only do one thing: secure the Google Account first. If the inbox or password reset path is still exposed, the attacker can come back after you clean YouTube.
Start here
Check three surfaces before you make changes: the Google Account, the channel permissions list, and the live or monetized content surface. If the incident started with a sponsorship email, a fake copyright notice, or a downloaded file, check how to detect spyware before you sign in again from that same device.
- Google Account security events and signed-in devices.
- Channel permissions or Brand Account access.
- Live streams, private videos, deleted uploads, and monetization links.
If you are already stuck out of the Google Account, use recover a hacked account when you cannot sign in as the lockout branch.
Secure the Google Account layer
Everything in YouTube inherits from Google. If the attacker controls the Google Account, channel changes are temporary.
- Change the Google Account password from a clean device and store the new password in a password manager.
- Turn on strong 2-step verification, and prefer passkeys or security keys where your workflow supports them.
- Review recent security events and signed-in devices, then sign out devices you do not recognize.
- Review connected apps and revoke suspicious OAuth access.
If the Google Account itself needs hardening after recovery, use how to secure your Google Account as the identity-layer checklist.
Common mistake: fixing the channel before the inbox and Google session are stable. That usually buys the attacker time, not safety.
If you cannot sign in
Start with Google account recovery. Google says recovery works best when the device and location history stay consistent, so use a familiar device and network if possible, avoid VPNs, and keep your answers consistent across attempts.
Google also says suspicious YouTube activity can include videos you did not upload, comments you did not make, and unfamiliar changes to channel name, profile photo, descriptions, email settings, or sent messages. That is the signal that you are dealing with a takeover, not just a login glitch.
If recovery emails or alerts mention changed password or recovery info, use the revert path from the most recent alert if it is still available. Do not jump between devices and guesses, because the account history is part of the recovery score.
Safety note: ignore third-party “channel recovery” offers. Recovery should run through Google and YouTube only.
Brand Account permissions and roles
If your channel is linked to a Brand Account, Google says channel permissions are managed exclusively through YouTube Studio. That matters because many hijacks are really access-control failures, not password failures.
Use YouTube Studio, open Settings, then Permissions. The primary owner can invite people, set access levels, and move from older Brand Account user access to channel permissions. If you are still using password sharing, move off it. Google explicitly says channel permissions reduce the security risk of shared passwords and privacy problems.
Google's current help docs describe these roles at a practical level: owners can manage channel permissions, live streams, live chat, and linked Google Ads accounts; managers can manage permissions and live streams; editors can work on content but do not get permission control; viewers are for monitoring. If you see a name you do not recognize, remove access immediately.
- Check who is listed as owner, manager, editor, or viewer.
- Remove unknown users before you publish anything new.
- Confirm the primary owner is still you or your organization.
- If the channel still uses old Brand Account access, migrate to channel permissions instead of leaving password sharing in place.
For the current migration flow, Google’s help page on migrating from Brand Account user access to channel permissions is the canonical reference.
Rule of thumb: if an unknown manager or owner still exists, the channel is not recovered.
Scam live stream containment
Hijacked channels are often used for crypto giveaways, investment scams, or “support” impersonation in live chat. If a live stream is running, preserve evidence first, then remove the access path that allows it to restart.
- Capture the stream URL, title, timestamps, thumbnails, and live chat before you clean anything.
- Remove unknown access in YouTube Studio Permissions as soon as possible.
- If you still have access, end the stream and change the channel state from a clean session.
- Keep the evidence factual. Avoid speculation about attribution until you have proof.
YouTube’s permission docs show why this matters: owners and managers can use live streams and live chat from the channel. If an attacker holds one of those roles, the scam can continue even after you change the Google password.
Deleted or private video triage
Google says a compromised YouTube channel can show videos you did not upload, comments you did not make, or unfamiliar changes to the channel name, profile photo, descriptions, email settings, or sent messages. Treat those as content-integrity changes and document them before cleanup.
- List the videos, playlists, and posts that changed.
- Capture URLs, titles, thumbnails, and timestamps for anything that disappeared or went private.
- Check drafts, scheduled uploads, private content, and playlists for attacker changes.
- If you have source files or exports, use those to rebuild the channel after access is stable.
Do not wait to archive what still exists. The safest recovery path for removed content is usually your own backup, not a later guess about what YouTube might still expose.
Monetization and payout checks
If the channel makes money, review the money path too. Google’s product linking page says you can link or unlink YouTube channels and videos with Google Ads accounts, and only approved access should exist. In Studio, the video ad control setting can prevent unlinked Google Ads accounts from using channel videos as ads.
Then check the earnings side. Google’s YouTube partner earnings overview says monetizing creators get paid through AdSense for YouTube, finalized earnings appear there, and the primary method of payment for YouTube earnings is AdSense for YouTube. If the linked AdSense or payment path is unfamiliar, treat it as a Google-account issue and secure Google again.
- Review linked Google Ads accounts and unlink anything you do not recognize.
- Check whether video ad control is enabled for the channel.
- Verify the AdSense for YouTube association in the Earn flow.
- Confirm the payment destination and account owner are still yours.
For the channel-to-ads side, see link YouTube channels or videos and Google Ads accounts. For the earnings side, Google’s YouTube partner earnings overview explains how monetization and AdSense for YouTube fit together.
When the same problem returns
If the channel changes again after you clean it, the persistence path is still open. Stop relinking accounts or adding collaborators until you can explain where the compromise is coming from. Re-check the Google Account, the Studio permissions list, the browser or device used for recovery, and any linked Google Ads or AdSense access. A repeated change is not a fresh incident, it is the same one escaping containment.
At that point the safest move is to remove every non-essential collaborator, rebuild trust from a clean session, and add roles back one at a time. That gives you a smaller blast radius if a role or device was the real problem.
Prevent repeat hijacks
Repeat compromise usually means the same recovery path is still open. Close the browser extension, the shared password, the untrusted manager role, and the recovery inbox at the same time.
Use a separate browser profile or a dedicated device for creator work, keep recovery channels current, and limit the apps that can touch your Google session. If you have collaborators, grant channel permissions instead of reusing passwords. That gives you a path to remove access without exposing the account again.
Once the Google Account is stable, the unknown channel access is gone, and monetization is verified, YouTube becomes manageable again. The problem stops being a live incident and becomes routine account hygiene.