New York Post was hacked from the inside, employee fired after offensive articles posted online

Graham Cluley
Graham Cluley
@
@[email protected]
@gcluley

New York Post was hacked from the inside, employee fired after offensive articles posted online

The New York Post made headlines today when it published a series of incendiary and offensive articles online.

Depending on your political viewpoint, you may well say “What’s new?”.

But on this occasion the Murdoch-owned tabloid’s website was particularly unpleasant – calling for the assassination of political figures like Joe Biden and Alexandria Ocasio-Cortez, and spreading racial slurs.

Nypost aoc article

And, of course, in a blink of an eye the offending stories were being promoted by the newspaper’s Twitter account.

Nypost abbott tweet

Please note – I’m choosing not to republish some of the most vile things which were posted under the NY Post‘s banner.

A Post spokesperson said it was investigating the cause of the incident, and had “taken down the vile and reprehensible content posted by the hackers.”

Sign up to our free newsletter.
Security news, advice, and tips.

So, what had happened? Had the New York Post gone barmy? Had they been hacked?

It transpires that the newspaper had not fallen victim to external hackers as had first been suspected, but instead a rogue employee who had access to the website’s content management system (CMS) was responsible.

“The New York Post’s investigation indicates that the unauthorized conduct was committed by an employee, and the employee has been terminated.”

It’s unclear from what has been shared so far whether the rogue employee had legitimate access to the nypost.com website’s backend, which runs on the WordPress VIP platform, or if they exploited someone else’s login credentials.

Once again, a company has been very publicly exploited by a malicious member of their own staff. Never underestimate the risks your business can face from a rogue insider. Hackers have to break their way into your organisation, your employees have already been granted access to your internal systems and data.

Readers with long memories may recall that in 2013, the Facebook and Twitter accounts of the New York Post were hijacked by the Syrian Electronic Army.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.