Twitter hack sees New York Times warn of Russian missile strike against USA

A genuine example of fake news.

Graham Cluley


New York Times Video, @nytvideo, distributes video content from – you guessed it – the New York Times to Twitter users.

In fact, approximately a quarter of a million people follow @nytvideo to get their video news fix.

One wonders then what they thought when the following message appeared on the account yesterday.


Bogus tweet

BREAKING:

leaked statement from Vladimir Putin says: Russia will attack the United States with missiles

Scary stuff. If it was true.

But what had actually happened was that the New York Times Video account had been hijacked by the OurMine hacking group, a gang which has specialised in embarrassing high-profile figures by breaking into their social media accounts. Past victims of the hackers have included Facebook founder Mark Zuckerberg.

The New York Times deleted the offending tweets and posted an apology to its followers.

New York Times apology

This isn’t the first time the New York Times has fallen foul of hackers.

In 2009, for instance, the Twitter account of its “The Moment” fashion blog was compromised by spammers who used it to publicise a naked webcam site.

More seriously, in early 2013 it was revealed that Chinese hackers had infiltrated the newspaper’s network for months, compromised reporters’ computers, and stolen the passwords of every employee.

So, how was the @nytvideo account compromised?

Clearly it didn’t have the right protection in place.

Either it was careless with its password and fell foul of a phishing attack, or it made the mistake of reusing the same password on different sites. Often passwords of social media accounts have fallen into the wrong hands because a user was tricked into handing over their password to a phishing site, or because a breach of another site resulted in carelessly reused passwords spilling into the laps of criminals.

However the hackers managed to get their hands on the keys to the account, it seems unlikely that @nytvideo had enabled Twitter’s two-step verification (2SV) facility.

Twitter calls its 2SV system “Login verifications”, and I strongly recommend that all users of the site enable the feature as it means that even if your password is compromised, it won’t be enough to allow hackers to hijack your account.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "The AI Fix" and "Smashing Security" podcasts. Follow him on Bluesky, Mastodon, and Threads, or drop him an email.
