No, the Met Police wasn’t hacked. But its Twitter account and website were hijacked

Hacker hijacks Met Police's Twitter account

Late on Friday night, some rather out-of-character tweets seemed to be coming out of New Scotland Yard.

The Twitter account of London’s Metropolitan Police (@metpoliceuk) broadcast to its more than one million followers a series of bizarre and sometimes offensive messages:

[Image: Met Police Satoshi tweet]

[Image: Met Police tweets]

What’s more, the tweets pointed to suspect content in the news release section of the official Met Police website:

[Image: Met Police website]

And emails were sent to people who had signed up for notifications about news releases:

[Image: Met Police email]

All very juvenile stuff…

Thankfully, Met Police Superintendent Roy Smith took to Twitter to confirm that this wasn’t New Scotland Yard trying to be “down with the kids”, and the account was reasonably swiftly brought back under control.

My guess is that the nature of the links posted by whoever was behind the attack, and the content that some of them linked to (which appeared to doxx an individual), might well point the authorities in the direction of those who might be responsible.

Someone, however, hadn’t guessed the password to the Met Police’s Twitter account or hacked into its website.

You see, as they later confirmed, the Met Police had been using a service called Mynewsdesk that is supposed to make it simple to create a piece of content (such as a press release), and then automatically update your website and social media outlets, and send an email notification to mailing list subscribers.

It was Mynewsdesk that updated the Met Police’s Twitter account, and posted the bizarre messages on the Met Police’s website. The Met Police’s own systems had not been hacked.

And the Met Police’s news section is only really the Met Police’s website in name. It’s actually hosted on Mynewsdesk infrastructure:

[Image: Met Police DNS record]

So someone, somehow, managed to hijack control of the Met Police’s Mynewsdesk account. And that’s why the tweets got posted, and that’s why the emails were sent, and that’s why the Met Police’s website was updated.

That the Mynewsdesk account was compromised for a common reason, like password reuse or the phishing of credentials, feels most likely, but it’s also possible that there was a vulnerability in Mynewsdesk which allowed a hacker to gain access.

I can certainly sympathise with the Met Police if the problem was entirely at Mynewsdesk’s end. Two years ago my personal Twitter account began to post some pretty bizarre messages after a third-party app I had linked was compromised by a hacker.

Whenever you give a third-party service permission to access your Twitter account, website, or mailing list, you are placing trust in their ability to act responsibly with that power, and only allow authorised users to use it.

For more discussion on this topic be sure to listen to this episode of the “Smashing Security” podcast:

Smashing Security #138: 'Logic bombs, brain data exploitation, and Digga D tweets'

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast.
