I removed the attacker from Studio Permissions. Is the channel safe now?

Only if you also changed your password, removed any unrecognised recovery contacts, and checked for connected third-party apps. A Manager seat in Studio is one door — the Google Account itself is the foundation. If the attacker changed your recovery email before you did, they may still be able to get back in.

The attacker was listed as an Owner, not just a Manager. What does that mean?

If the channel is on a Brand Account, Ownership is managed at myaccount.google.com/brandaccounts — not in YouTube Studio. Remove the attacker there. Brand Account ownership gives far broader control than a Studio Manager seat, including the ability to delete the channel. Act on this first.

Do I need to do anything about my AdSense account?

If your channel is monetised, check your AdSense account separately. Monetisation and payments are not managed through Studio Permissions, and an attacker with Google Account access may have been able to see or change payment details. Review your AdSense account at the Google AdSense dashboard and contact AdSense support if you see changes you didn't make.

How do I know if pending invites were sent out by the attacker?

In YouTube Studio, go to Settings → Permissions and look for any pending invites — shown as email addresses that haven't accepted yet. Cancel any you don't recognise. Pending invites expire after about 30 days, but cancelling them immediately is safer.

Recovery

How to secure YouTube permissions after a hack

Once you're back inside your Google Account, here's how to strip out every permission the attacker touched and close the doors they came through.

Getting back into your Google Account is step one — but an attacker who had access may have added themselves as a Manager or Editor in YouTube Studio, connected a third-party app, or changed your recovery contact. This page covers the specific permission clean-up that follows a successful account recovery.

If your situation is actually …

You haven't recovered the Google Account yet → Recover a Hacked YouTube Channel →
You're locked out because 2FA was also changed → Recover Without 2FA Access →

Secure permissions after regaining access

Stage 1 · Stabilize

Lock down the Google Account immediately

Change your Google Account password to something new and unique.
Any active attacker session ends when the password changes.
Where: myaccount.google.com/security
Sign out all other devices from your Google Account security page.
Forces every active session — including the attacker's — to re-authenticate.
Where: myaccount.google.com/security → Your devices
Check that your recovery email and recovery phone belong to you. Remove any you don't recognise.
Where: myaccount.google.com/security → How you sign in

Stage 2 · Diagnose

Find what was changed

Review recent security activity to see when and from where accounts changes were made.
Where: myaccount.google.com/security → Recent security activity
Open YouTube Studio Permissions and look for any Manager or Editor you did not add.
Attackers often add themselves as Manager for persistent access even if you change the password.
Where: studio.youtube.com → Settings → Permissions
Check connected third-party apps for anything you do not recognise.
Where: myaccount.google.com/permissions

Stage 3 · Reclaim

Remove attacker access from YouTube

Remove every unrecognised Manager and Editor from YouTube Studio Permissions.
A Manager seat persists independently of the Google Account password — you must revoke it explicitly.
Where: studio.youtube.com → Settings → Permissions → three-dot menu → Remove
Revoke access for any connected app you don't recognise or no longer use.
Where: myaccount.google.com/permissions
If the channel is on a Brand Account, check the Brand Account owners list and remove any you did not add.
Brand Account ownership is separate from Studio roles — an attacker who reached this level has deeper access.
Where: myaccount.google.com/brandaccounts → select channel → Manage permissions

Stage 4 · Harden

Close the doors that let this happen

Enable 2-Step Verification with an authenticator app or a physical security key.
SMS-based 2FA can be intercepted. An authenticator app or security key stops most takeover methods.
Where: myaccount.google.com/security → 2-Step Verification
Add a backup owner to your Brand Account so a future account compromise doesn't orphan the channel.
If the owning Google Account is ever lost again and no other owner exists, even Managers cannot reclaim the channel.
Save your Google Account backup codes somewhere offline and separate from your devices.
Where: myaccount.google.com/security → 2-Step Verification → Backup codes

If this flow does not restore access: Contact YouTube support for access problems →

Common questions after a hack

Not directly — a Manager can invite and remove other users, but they cannot remove the primary owner of the Brand Account. However, if the attacker reached your Google Account and changed the recovery contacts, they can prevent you from getting back in at the account level, which effectively locks you out of everything. That's why securing the Google Account comes first.

Why this happened

Most hacks succeed because there's no record of who had access to what

When roles, connected apps, and Brand Account owners aren't tracked anywhere, it's impossible to know what's legitimate until something goes wrong. Delvia helps you keep a clear record of access so clean-up is faster and future risks are visible before they become incidents.

Delvia is free on iPhone and Android. Keep a clear record of who has access to your accounts — and what to do when that changes — wherever you are.

Download on theApp Store GET IT ONGoogle Play