Twitter hack sees New York Times warn of Russian missile strike against USA

New York Times Video, @nytvideo, distributes video content from – you guessed it – the New York Times to Twitter users.

In fact, approximately a quarter of a million people follow @nytvideo to get their video news fix.

One wonders then what they thought when the following message appeared on the account yesterday.

BREAKING:

leaked statement from Vladimir Putin says: Russia will attack the United States with missiles

Scary stuff. If it was true.

But what had actually happened was that the New York Times Video account had been hijacked by the Our Mine hacking group, a gang which has specialised in embarrassing high profile figures by breaking into their social media accounts. Past victims of the hackers have included Facebook founder Mark Zuckerberg.

The New York Times deleted the offending tweets and posted an apology to its followers.

This isn’t the first time the New York Times has fallen foul of hackers.

In 2009, for instance, the Twitter account of its “The Moment” fashion blog was compromised by spammers who used it to publicise a naked webcam site.

More seriously, in early 2013 it was revealed that Chinese hackers had infiltrated the newspaper’s network for months, compromised reporters’ computers, and and stole the passwords of every employee.

So, how was the @nytvideo account compromised?

Clearly it didn’t have the right protection in place.

Either it was careless with it password and fell foul of a phishing attack, or it made the mistake of reusing the same password on different sites. Often passwords of social media accounts have fallen into the wrong hands because a user was tricked into handing over their password to a phishing site, or a breach of another site results in carelessly reused passwords spilling into the laps of criminals.

Whatever the precise nature of how the hackers managed to get their hands on the keys to the account – it seems unlikely that @nytvideo had enabled Twitter’s two-step verification (2SV) facility.

Twitter calls its 2SV system “Login verifications”, and I strongly recommend that all users of the site enable the feature as it means that even if your password is compromised, it won’t be enough to allow hackers to hijack your account.

Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.

Graham Cluley •   @gcluley

Graham Cluley is a veteran of the cybersecurity industry, having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent analyst, he regularly makes media appearances and is an international public speaker on the topic of cybersecurity, hackers, and online privacy. Follow him on Twitter, Mastodon, Bluesky, or drop him an email.