Last week the satirical online magazine The Onion was hacked. That by itself would not be big news, since companies get hacked all the time, but what is noteworthy in this story is the way The Onion responded to the attack: it published an explanation of exactly what happened so that others could learn from what went wrong.
phish·ing noun \ˈfi-shiŋ\
: a scam by which an e-mail user is duped into revealing personal or confidential information which the scammer can use illicitly
With so much sensitive information collected in email, it is a target of choice for hackers. The method used in this case was a common one: a seemingly innocent message containing a hyperlink is sent to company email addresses, and if the link is clicked it redirects to a page asking the user to reset their password. Once they have "phished" login credentials from an employee, a hacker can then search that employee's mailbox for login information for other accounts.
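The pattern described above, a link that leads to a page asking for credentials, often on a host that merely resembles the real one, can be screened for before mail reaches users. The Python script below is an added example, not code from The Onion's post or from this blog. It assumes a constructed allowlist of trusted domains (example.org and google.com are placeholders) and a constructed sample message, and it flags links whose visible text disagrees with their actual target host, whose host borrows a trusted brand label, or whose login wording leads to a host outside the organization.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Registrable domains the organization legitimately signs in to.
# Constructed allowlist for this example; a real deployment would load its own.
TRUSTED_DOMAINS = {"example.org", "google.com"}

LOGIN_WORDS = re.compile(r"\b(log\s?in|sign\s?in|password|reset|verify)\b", re.I)
LOOKS_LIKE_URL = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lower-cased hostname of a URL; bare hosts without a scheme are accepted too."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def _is_trusted(host, trusted):
    return any(host == d or host.endswith("." + d) for d in trusted)


def flag_phishing_links(html, trusted=TRUSTED_DOMAINS):
    """Return the links in an email body that show credential-harvesting traits."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        target = _host(href)
        reasons = []
        # 1. The visible text is itself a URL but the link goes somewhere else.
        if LOOKS_LIKE_URL.fullmatch(text) and _host(text) != target:
            reasons.append("display/target host mismatch")
        if not _is_trusted(target, trusted):
            # 2. An untrusted host that embeds a trusted brand label, e.g.
            #    mail.example.org.login-verify.net borrowing "example".
            #    This is a heuristic and will also hit unrelated hosts that
            #    happen to contain the label.
            brands = {d.split(".")[0] for d in trusted}
            if any(b in target for b in brands):
                reasons.append("host impersonates a trusted domain")
            # 3. Login/password wording that leads off-organization.
            if LOGIN_WORDS.search(text):
                reasons.append("login wording links to untrusted host")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample message, modelled on the pattern described in the post.
SAMPLE_EMAIL = """
<p>Your mailbox is over quota. Please
<a href="http://mail.example.org.login-verify.net/reset">log in</a> to keep access.</p>
<p>Full text: <a href="http://tracker.evil-site.net/x">https://www.example.org/policy</a></p>
<p>Help desk: <a href="https://mail.example.org/help">https://mail.example.org/help</a></p>
"""

if __name__ == "__main__":
    for finding in flag_phishing_links(SAMPLE_EMAIL):
        print(finding["href"], "->", "; ".join(finding["reasons"]))
```

Run against the sample, the first two links are reported (the look-alike host with login wording, and the link whose visible URL does not match its target) while the genuine help-desk link passes. The checks are deliberately simple heuristics; they catch the obvious cases at the mail gateway but do not replace the user education the post recommends.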
For the full details check out The Onion’s blog post: How the Syrian Electronic Army Hacked The Onion.
More importantly, consider implementing their suggested security measures:
- Make sure that your users are educated, and that they are suspicious of all links that ask them to log in, regardless of the sender.
- The email addresses for your Twitter accounts should be on a system that is isolated from your organization's normal email. This will make your Twitter accounts virtually invulnerable to phishing (provided that you are using unique, strong passwords for every account).
- All Twitter activity should go through an app of some kind, such as HootSuite. Restricting password-based access to your accounts prevents a hacker from taking total ownership of them, which takes much longer to rectify.
- If possible, have a way to reach out to all of your users outside of their organizational email. In the case of the Guardian hack, the SEA posted screenshots of multiple internal security emails, probably from a compromised email address that was overlooked.