Someone at CNN’s social media team clearly could do with a freshen-up on their computer security training.
Earlier today, the news organisation’s Twitter and Facebook accounts were compromised by hackers from the notorious Syrian Electronic Army (SEA), who also managed to deface a CNN blog.
CNN’s “Security Clearance” blog received an unauthorised update, which could have alarmed news junkies if they had taken it at face value:
BREAKING NEWS: US declares state of national emergency, State department reportedly out of reach
Press has received a telegram asking journalists to be ready to receive an emergency announcement, but all efforts to contact the state department has failed.
Meanwhile, CNN’s 11.6 million followers on Twitter were greeted with a series of fake tweets posted by the hackers.
CNN stopped short of apologising to its social media followers for the incident, but did tweet an acknowledgement of the hack, as it restored its ownership of the accounts.
Although some may consider the message posted on CNN’s website to be nothing more than a mischievous prank by the hackers, let’s not forget that last year the same group managed to hijack AP’s Twitter account, where they posted a message claiming that Barack Obama had been injured in an explosion at the White House.
The result? A sharp drop in the Dow Jones index.
Media companies, and other at-risk organisations, have been warned time and time again to train their staff about the typical methods used by the likes of the SEA to steal account passwords.
Typically the SEA has managed to infiltrate social media accounts by tricking staff at the targeted organisation into clicking on a link leading to a phishing site (sometimes they have sent forged emails claiming to contain links to breaking news stories – sometimes coming from other news organisations).
They then attempt to re-use the stolen passwords on other social media accounts under the control of the victim, and to access email and intranet resources in their hunt for login credentials.
The result is often a well-known organisation with egg on its face, and hurried attempts to mop up the mess.
Using two-factor authentication, and reminding users not to use the same passwords in multiple places, can help reduce the risk of your organisation being the next in the firing line.
It’s not as though CNN should be oblivious to the threat posed by the Syrian Electronic Army and other hackers. After all, back in August 2013, the SEA managed to redirect visitors to the CNN website after hacking the Outbrain content recommendation service.