This weekend, visitors to news articles on the Reuters website found themselves redirected to a page belonging to the Syrian Electronic Army hacking group.
As I wrote at the time, rather than this being a straightforward hack of Reuters’ servers, suspicion pointed in the direction of the Taboola recommended content widget that Reuters had embedded on its site.
Sure enough, yesterday Taboola confirmed that it had been hacked.
Today, between 7AM – 8AM EDT, an organization called the “Syrian Electronic Army” hacked Taboola’s widget on Reuters.com.
The intruder was redirecting users that accessed article pages on reuters.com to a different landing page.
The breach was detected at approximately 7:25am, and fully-removed at 8am. There is no further suspicious activity across our network since, and the total duration of the event was 60 minutes.
While we use 2-step authentication, our initial investigation shows the attack was enabled through a phishing mechanism. We immediately changed all access passwords, and will continue to investigate this over the next 24 hours.
After all, Taboola claims to have high traffic sites such as TMZ, Time, The Weather Channel, BBC, and USA Today amongst its customers.
Taboola appears to have made no public statement about a screenshot posted by the Syrian Electronic Army, claiming to have gained access to the company’s PayPal account.
The above image is redacted a little more than the original one shared by the Syrian Electronic Army, primarily to obscure the identity and email address of the Taboola employee who appears to have had their account compromised.
If nothing else, this latest attack underlines three things:
Firstly, the importance for all employees to exercise great caution over the links they click on because of the danger that they might be entering their passwords on a phishing site.
Secondly, the need to follow best password practices (unique, hard-to-crack passwords for each website) and the enabling of two-factor authentication where available to make it harder for hackers to gain access to accounts.
Finally, websites need to think long and hard not only about the security of their own servers but whether the companies who are providing widgets and plugins that power the websites are taking security as seriously themselves.
After all, at the end of the day, the typical user is going to view the incident as Reuters being hacked – not Taboola.
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.