A man who told a federal judge his only real work experience came at age 16 in a grocery store pleaded guilty Thursday in connection with a sophisticated computer-hacking case in which he and others took over YouTube channels that weren’t theirs to collect tens of thousands of dollars in ad revenue — at one point even writing software that would scan the online video site for popular channels that were not being monetized with ads.
Matthew A. Buchanan, 28, admitted that he and others made nearly $56,000 by hacking into Google accounts and taking over YouTube channels, then simply opening up the channels to advertisements. He pleaded guilty to a charge of unauthorized access of a protected computer, admitting that he also at one point accessed the AOL CEO’s e-mail account as part of a “hobby of mine to look for security issues on the Internet.”
The ingenuity of Buchanan’s computer exploits is somewhat startling, given his modest formal education and almost complete lack of professional experience. Buchanan, who said he lives in Germantown and holds only an associate’s degree in general studies from Montgomery College, told a federal judge in Alexandria that he was once a student at Walt Whitman High School in Bethesda but ultimately earned only a GED. He said he had not worked in the past three years, and the only job he could ever recall having was at a grocery store when he was 16.
Buchanan, though, apparently had some computer skills. According to his plea, he and another man — who court records show is scheduled to plead in the case next week — exploited Google’s password-reset process to get into unwitting users’ accounts, which they then used to take over those users’ YouTube channels.
The process was not always simple. According to the plea and other court records, Buchanan and the other man, John T. Hoang Jr., used a flaw in the password-reset procedure to learn the e-mail addresses of various Google users, then either guessed their security questions or used password-cracking software to get into their accounts. In some cases, Buchanan took advantage of Google users’ entering what they thought were defunct secondary e-mail addresses — such as email@example.com — by controlling those e-mail addresses and having temporary passwords sent there, according to the plea
The aim was not to incite simple cyber mayhem. According to the plea, Hoang wrote computer software that identified more than 200,000 Google account names associated with popular YouTube video channels that users had not monetized by setting up ads. Buchanan and Hoang took over the accounts, set the channels to allow advertisements and raked in cash every time someone watched a video.
In total, according to the plea, the pair and others made almost $56,000 from others’ accounts. The scheme ran from roughly June 2012 through September 2013, according to the plea.
According to the plea, Buchanan and Hoang seemed to marvel at the scheme, which Buchanan called “treasure huntin’ ” in online chats. In one chat in November 2012, Hoang wrote, “like had we not started his project i’d of probably had to get a job,” according to the plea. In another, Buchanan wrote, “if i don’t go to jail this will be a good night for us :),” according to the plea.
Buchanan also admitted as part of his plea that in July 2013, he exploited a vulnerability to access the e-mail accounts of AOL employees, including that of the CEO. He faces a possible five years in prison at his March 28 sentencing.
Buchanan and his attorney declined to comment after the hearing.
Correction: An earlier version of this article incorrectly attributed a quote in an online chat to Buchanan. The statement was written by Hoang.