Hackers broke into The Washington Post’s servers earlier this week and gained access to employee usernames and passwords. The passwords were stored in encrypted form, so it is unclear whether they were actually exposed; however, the attackers may well have the tools to recover them. According to Post officials, there is no evidence that subscriber information, customer credit cards or home addresses were accessed, and so far there are no signs that the attackers reached The Post’s publishing system, e-mail systems or employee computers.
A Major Media Outlet Breached (Again), Employee Credentials Compromised
Compromised credentials are frequently the starting point of an attack on a targeted organization: stolen logins give the attacker initial access to the network or to a specific system. In a recent blog we discussed the methods hackers typically use to steal user credentials; that post also includes an informative infographic on the topic. Because credentials are often easy to obtain and easy to use, they are very popular among cyber-criminals.
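Whether a stolen credential store is of any use to the attacker depends on how the passwords were protected, and “encrypted” on its own says little: reversible encryption with a key kept on the same compromised server gives the attacker the plaintext outright, and a fast unsalted hash falls to a dictionary in one pass. The following is an added example, not code from the original post and not a claim about how The Post stored its passwords. It runs the same small dictionary attack against two constructed password dumps: one stored as unsalted SHA-1, one stored with a per-user salt and PBKDF2-HMAC-SHA256. All account names, passwords, the wordlist and the iteration count are made up for the example.

```python
import hashlib
import hmac
import secrets

# --- Constructed sample data (not from any real breach) ---------------------
# Three accounts whose passwords were stored as unsalted SHA-1 digests.
WEAK_DUMP = {
    "jsmith": hashlib.sha1(b"winter2013").hexdigest(),
    "mjones": hashlib.sha1(b"Password1").hexdigest(),
    "rlee": hashlib.sha1(b"correct horse battery staple").hexdigest(),
}

# A tiny wordlist standing in for an attacker's dictionary.
WORDLIST = [b"123456", b"Password1", b"winter2013", b"letmein", b"qwerty"]

# Work factor for the slow hash. Hypothetical value chosen so the example
# runs quickly; a real deployment tunes it to its own hardware.
ITERATIONS = 100_000


def crack_unsalted(dump, wordlist):
    """Dictionary attack on unsalted, fast hashes.

    Each candidate is hashed once and the digest looked up against every
    leaked record, so the cost is one SHA-1 per candidate no matter how many
    accounts leaked, and precomputed tables work across different dumps.
    """
    lookup = {hashlib.sha1(word).hexdigest(): word for word in wordlist}
    return {user: lookup[digest].decode() for user, digest in dump.items()
            if digest in lookup}


def hash_password(password, salt=None):
    """Store a password as (salt, PBKDF2-HMAC-SHA256 digest)."""
    if salt is None:
        salt = secrets.token_bytes(16)  # unique per account
    digest = hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time comparison of a candidate against a stored record."""
    candidate = hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def make_strong_dump(plaintexts):
    """Re-store the same plaintexts the safe way (per-user salt, slow hash)."""
    return {user: hash_password(pw) for user, pw in plaintexts.items()}


def crack_salted(dump, wordlist):
    """The same dictionary attack against salted PBKDF2 records.

    The per-user salt defeats shared lookup tables, so every (account,
    candidate) pair needs its own derivation, and each derivation costs
    ITERATIONS HMAC computations. Returns the cracked accounts and the
    number of derivations the attacker had to perform.
    """
    cracked, derivations = {}, 0
    for user, (salt, digest) in dump.items():
        for word in wordlist:
            derivations += 1
            if verify_password(word, salt, digest):
                cracked[user] = word.decode()
                break
    return cracked, derivations


if __name__ == "__main__":
    print("unsalted SHA-1:", crack_unsalted(WEAK_DUMP, WORDLIST))
    strong = make_strong_dump({"jsmith": b"winter2013",
                               "mjones": b"Password1",
                               "rlee": b"correct horse battery staple"})
    found, work = crack_salted(strong, WORDLIST)
    print("salted PBKDF2:", found, "after", work * ITERATIONS, "HMAC calls")
```

Both attacks recover the two accounts with dictionary passwords; the difference is the price. Against the unsalted dump the attacker pays five SHA-1 calls for the whole file, against the salted PBKDF2 dump a million HMAC calls for three accounts, and the work grows with every additional account. Slow, salted hashing does not save a user whose password is in the dictionary, which is why the controls the rest of this post argues for (keeping credentials away from malware and phishing in the first place) matter more than the storage format.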
This isn’t the first time The Post has been breached and credentials exposed. In fact, this is the third breach it has disclosed in three years.
In 2011, the news organization announced that its network had been infiltrated. The attackers targeted the main IT server and several other computers. They had gained initial access as early as 2008 or 2009, but the malware was disabled only in 2011. The malware communicated with a known command-and-control server associated with a Chinese hacking group. At the time, some Post journalists expressed concern that the attackers may have had access to their e-mail or to sensitive documents kept on their computers.
According to KrebsOnSecurity, a former employee came forward with information suggesting that a Chinese hacker group had broadly compromised computer systems within The Post’s newsroom and other operations throughout 2012. According to the blog: “Attackers compromised at least three servers and a multitude of desktops, installing malicious software that allowed the perpetrators to maintain access to the machines and the network.” The blog also notes that The Post used Symantec’s antivirus and security software to protect its systems from malicious software, but that detection clearly failed.
In addition, in August 2013, the Syrian Electronic Army briefly succeeded in redirecting readers of articles on washingtonpost.com to its own website. The group was also suspected of a phishing attack aimed at the log-in details for the e-mail accounts of Post journalists.
The breaches at The Post and the resulting exposure of user credentials are not unique incidents. We wrote about the series of attacks targeting media organizations in a blog titled Spear-Phishing, News and Twitter Accounts: Why Corporate Credentials Must Be Protected.
These breaches highlight the fact that corporate credentials are valuable and therefore a top target for cybercriminals. Organizations must implement controls to secure corporate credentials against malware, phishing attacks and exposure through third-party breaches.