NY Post is hacked by the Syrian Electronic Army on Twitter and Facebook

Graham Cluley
Graham Cluley
@
@[email protected]
@gcluley

New York PostThe New York Post is the latest casualty of the notorious Syrian Electronic Army’s hacking war against media organisations around the world.

Hackers broke into the Facebook and Twitter account of the NY Post and a number of Twitter accounts belonging to its journalists, posting messages saying “The Syrian Electronic Army Was Here”.

Amongst the victims was Mike Puma, who covers the NY Mets baseball team for the newspaper.

New York Post staffer's Twitter account

Meanwhile, the pro-Assad Syrian Electronic Army posted a screenshot of what appears to be the administration panel for the New York Post’s SocialFlow account, used to manage social media activities.

NY Post's hacked SocialFlow account

Of course, if a hacker has control of your SocialFlow admin panel they can pretty much do what they like with your Facebook and Twitter account until you can get them evicted.

Sign up to our free newsletter.
Security news, advice, and tips.

At about the same time as the New York Post hack was occurring, SocialFlow itself was suffering from security problems at the hands of the Syrian Electronic Army. Their website was defaced with the hacking group’s logo, and tweets published from SocialFlow’s Twitter account make clear that all was not normal for the social media company:

SocialFlow hacked

Later, both the New York Post and SocialFlow wrestled control of their accounts back from the hackers.

Although the newspaper has not seemingly officially acknowledged that the hack occurred, their social media partners were man enough to admit that one of their staff had their email account breached by hackers who had tricked them into handing over passwords in a phishing attack.

SocialFlow admits hack

In the past, the Syrian Electronic Army has hacked into the Twitter accounts of a wide variety of media organisations including the BBC, ITV, The Telegraph, The Financial Times, The Guardian and Thomson Reuters.

The problem has become so big that back in April, Twitter’s security team warned potential targets about the hacking threat.

Chances are that the NY Post and SocialFlow fell victim to the Syrian Electronic Army via the group’s normal method of attack – emailing staff at one media organisation with a forged “sent” address in the email header, linking to what claims to be a breaking news story that the recipient should check out. Clicking on the link then takes users to a phishing site where passwords are stolen.

The lesson is simple – be very careful about links you click on in unsolicited messages, and always think twice about where you are entering your passwords.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

One comment on “NY Post is hacked by the Syrian Electronic Army on Twitter and Facebook”

  1. CyberCop

    User awareness user awareness user awareness!!!!!!!!!!!!!!!!!!!!!!!

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.