Cybersecurity executives blamed YouTube’s continued use of multifactor authentication and its reliance on user credentials, instead of more advanced forms of authentication, for the hijacking of millions of accounts over the last few days.

The attackers used phishing attacks that convinced account owners to give up their Google account login credentials, used that information to enter the accounts and then re-assigned them to new owners, ZDNet reported. Next, the malicious actors changed the channel’s vanity URL so the legitimate owners never realized their account was hijacked.

The attackers were also able to bypass the two-factor authentication required for each account, most likely by using a tool like Modlishka, said Rosemary O’Neill, director of customer delivery for NuData Security, a Mastercard company.

“Companies like YouTube need to have better tools to protect their users to reduce the chances of an attack. Two-factor authentication was not enough, as attackers reportedly used a tool like Modlishka to intercept SMS codes. In this case, the reliance on user credentials was the main authentication gap – whether a password, a security question or a one-time code. Those require static credentials that are deterministic; they are correct, or they are not – there is no grey area,” she said.

Bill Lummis, HackerOne’s technical program manager, noted that more advanced methods are available and should be implemented by Google.

“One-time Password (TOTP), which recycles numbers every 30-90 seconds on a physical device, or Universal 2nd Factor (U2F), such as Yubikey, given that attacks like this will only become easier to execute over time,” he said.

Ashlee Benge, threat researcher at ZeroFOX, recommended using applications like Google Authenticator or Duo whenever possible to avoid SMS interception. If these are not available, a Google Voice number could also be used, she said.

The YouTube accounts hacked were primarily in the car tuning and car review areas, ZDNet said.

Google has not released a statement.