CNN & Microsoft Breached: No 2FA in Sight
Microsoft and CNN were breached earlier this month by the same group, the Syrian Electronic Army (SEA); both incidents were attributed to social engineering and stolen user credentials.
Microsoft's official blog was hacked just hours after its redesigned site and new content management system went live, and several of the company's social media accounts were hijacked as well. Screenshots of the backend show that the blog now runs on WordPress. The hijacked Microsoft Twitter accounts posted tweets accusing Microsoft of monitoring email and selling the data to the government, perhaps prompted by the Snowden reports.
Several of CNN's social media accounts, including the Facebook and Twitter accounts for CNN Politic and CNN Security Clearance, were hijacked last week by the SEA, which used them to send out a number of political messages regarding Syria. Several of CNN's blogs were also hacked. According to a screenshot posted from the SEA's Twitter account, the group compromised CNN's HootSuite account.
According to PCWorld.com, Microsoft was compromised through social engineering, specifically a classic phishing attack that gave the attackers access to several Microsoft employee email accounts.
CNN's HootSuite account was accessed the same way. Mashable reports that the SEA sent a wave of phishing emails to CNN employees that appeared to come from real CNN email addresses; six of them entered their credentials, giving the attackers immediate access to multiple social media accounts.
The phishing email linked to a counterfeit Office 365 login page that asked recipients to update their Office 365 passwords. (The original post shows a screenshot of that page, credited to Office 365.)
How can you avoid a similar fate? Enable two-factor authentication for your HootSuite account. As Mark Stanislav wrote in HootSuite and Buffer: Social Media Giants Enable Two-Factor,
[Hootsuite] currently lets users perform two-factor authentication through the usage of time-based one-time passwords (TOTP), which is an open standard that many other online services (such as Facebook and Amazon Web Services) leverage.
If a HootSuite user views their Settings page, they will note under Account->Security the ability to enable what HootSuite calls “2-Step Verification”.
Twitter also allows you to set up two-factor authentication, a key security measure that may have stopped the SEA from easily accessing the media and tech companies' social media and blog accounts. With a second factor in place, a phished password alone is not enough: the attacker also needs the device enrolled on the account. And since these phishing emails harvested Office 365 credentials, it is worth noting that, depending on the solution, two-factor authentication can also protect Office 365 logins.
According to eWeek.com, there were reports that CNN did not have two-factor authentication in place at the time of the breach. Will it enable it now, after a single compromised HootSuite login gave attackers access to several other accounts?
It makes little sense to keep operating without one of the simplest and most effective controls for protecting user accounts, whether those accounts are on social networks or on third-party applications, particularly when a media company's integrity depends on them.