BBC News app hijacked? Bogus breaking news alerts posted

Check the update at the end of this article to discover what really happened.

The popular BBC News smartphone app appears to have been hijacked, or at least its “Breaking News” feature, by mischief-makers who are popping up messages on users’ devices.

BBC News app

NYPD Twitter campaign ‘backfires’ after hashtag hijacked. Push sucks! Pull blows! BREAKING NEWS No nudity in latest episode of Game of Thrones!!! MORE BREAKING NEWS IIIIIII like testing


This is a breaking news story and the BBC News app will bring you updates as they are available

Chances are that the app itself has not been hacked, but it’s possible pranksters have managed to exploit the way in which the BBC feeds in breaking news alerts to push them out to the app’s userbase. Nevertheless, it’s embarrassing and it’s easy to imagine how such a flaw could be exploited to scare people into making bad decisions.

Another real possibility is that someone inside the BBC was testing the system and, umm, didn’t realise their message would be seen by the outside world.

I guess we should be grateful that (so far at least) the messages seem to be more designed to amuse. As if there would ever be an episode of Game of Thrones without some gratuitous nudity…

Update: The BBC has confirmed that the messages were sent in error.

Here is their latest “breaking news” alert:

BBC apologises

We apologise for previous two test push notifications from BBC News which were sent in error

One lesson to learn is that if you are testing systems, always use innocuous “TEST” messages rather than ones which could be misinterpreted, or lead observers (including me!) to think you might have been hacked.

It’s good to know that the app hasn’t been compromised, and this is just the BBC goofing up in a fairly harmless way. Hopefully they will be more careful next time.

And yes, I am losing that game of chess…


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "The AI Fix" and "Smashing Security" podcasts. Follow him on Bluesky and Mastodon, or drop him an email.

3 comments on “BBC News app hijacked? Bogus breaking news alerts posted”

  1. Mike

    Already confirmed to have been sent by mistake…why would you report it's been hijacked?? It's not like the message was something bad and pointed to a hijack.

    1. Graham Cluley · in reply to Mike

      Thanks Mike, I was updating the article in pretty much real-time as some folks were freaking out about the BBC alert.

      My initial post was six minutes before the BBC confirmed what was really going on.

  2. Coyote

    Summary below this block of text…
    I'll refute (sort of) your suggestion TEST. Instead of doing that they can do better. Especially easy seeing as how ISPs love making customers pay for static IPs so that they can conserve their allocated IPs so that we can make IPv6 even slower (because around, what, 20 years, is too short!). But even then the fact there are private IP blocks (even before ISPs started handing out dynamic IPs) for private use means this option is possible. And realistically you can do the same with IPv6. In fact, I do it with both IPv4 and IPv6 (seeing as how IPv6 is so large it isn't exactly hard to slice off subnet for "private" use… and with proper firewalling/etc it is more or less private anyway). The idea is this: you make use of DNS servers' (let's give the example of BIND) functionality of 'views' (as BIND calls it). Essentially an acl (access control list for those who don't know) which states: if source IP is from this block (let's say 10.0.0.0/8) then resolve to THIS set of IPs. If not resolve to THOSE IPs. And more generally, you can not only (in private namespace) have your own TLD (top level domain for those who don't know). So rather than test things on a public network why not test it on a private network? I have for example two versions of one of my websites (or more specifically a test alias for a virtual host in web server config).

    Summary for those who need/want it:
    Of course this might not always apply but there is ALWAYS a way to have a staging setup for this type of thing. Basically you have a test environment so that you CAN see how it looks or test whatever you need but only you and those you want to, will see it, no one else.
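
The split-horizon arrangement described in the comment above, sketched as a BIND `named.conf` fragment. This is an added example, not configuration from the commenter or the BBC; the ACL name, the zone `news.example` and the zone file paths are assumptions chosen for illustration.

```bind
// Constructed example: ACL name, zone name and file paths are placeholders.
acl "staging-clients" {
    10.0.0.0/8;              // private block used as the example in the comment
};

// Views are evaluated in order and the first match wins,
// so the restricted view must come before the catch-all.
view "internal" {
    match-clients { "staging-clients"; };
    recursion yes;

    zone "news.example" {
        type master;
        // Records in this file point at the staging hosts.
        file "zones/internal/news.example.zone";
    };
};

view "external" {
    match-clients { any; };
    recursion no;

    zone "news.example" {
        type master;
        // Records in this file point at the production hosts.
        file "zones/external/news.example.zone";
    };
};

// Once any view is defined, every zone has to live inside a view.
// The view only decides which answer a client receives; the staging
// hosts still need their own firewall rules to stay private.
```

`named-checkconf` validates the syntax of a fragment like this before the server is reloaded.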
