The Syrian Electronic Army has struck again – this time adding the scalp of the prestigious Financial Times to its collection of hijacked accounts belonging to well-known media organisations.
Hackers from the Syrian Electronic Army appear to have stolen the usernames and passwords of FT staff with access to the newspaper’s social media accounts, and posted unauthorised blog entries and tweets earlier today.
Of course, the hacking of such a prestigious target doesn’t go unnoticed – and the FT’s security team scrambled into action, warning readers about the issue and deleting offending messages as they were found.
The Syrian Electronic Army isn’t above rubbing salt into the wounds, clearly finding it amusing to publish the email address and password of at least one FT staff member who seemingly (we won’t republish it here) chose a rather silly password.
In recent weeks Syrian Electronic Army hackers have successfully broken into online accounts belonging to the likes of The Guardian, the BBC, NPR, and CBS with apparent ease, prompting Twitter to take the unusual step of reaching out to news and media organisations to warn them about the current attacks, and offer advice on defensive measures.
The problem is compounded by Twitter’s current system of insisting that every Twitter account only has one username/password connected with it.
This is unlike the way Facebook pages work, where individual users can be assigned different rights for managing and administering their firm’s online presence. Combined with two-factor authentication (known as Login Approvals on Facebook) this provides a higher level of security, and greater granularity about what users can do.
Twitter’s approach inevitably leads media agencies, who are under pressure to tweet breaking stories around the clock, to share Twitter passwords with many staff worldwide – and hold their breath that none of them get hacked or have their credentials phished.
It would be great if Twitter could introduce two-factor authentication. It would be great if Twitter could introduce a way for firms to give different staffers separate logins for the same account.
And it would be great if media companies could train their staff to be suspicious of unsolicited emails, be wary of clicking on unknown links, and of unwittingly handing their passwords over to criminals.
The blame for the hackers’ success, after all, shouldn’t entirely fall on Twitter’s doorstep. Ultimately it was a human, working for the media organisation, who made a mistake and was tricked into giving the keys to the castle to a bunch of hackers.