The Syrian Electronic Army Strikes Again: Over 1 Million Emails, Passwords Exposed

February 19, 2014
| |
2 min read

The latest media outlet targeted by the Syrian Electronic Army (SEA) is Forbes.com. The hacktivist group was able to breach a database containing email address and password combinations for over a million users’ accounts, including Forbes contributors. Although the passwords were one-way encrypted, the media outlet recommended users change their passwords. To prove that it carried out the attack and breached the database, the SEA defaced three online articles.

Syrian Electronic Army Attacks

It seems that cyber criminals are increasingly targeting users’ login credentials, which provide them access to various systems. Only two weeks ago, IBM learned that Yahoo’s email system was breached using credentials stolen from a third party. In a recent blog, the company explained how third-party database breaches can lead hackers to a user’s data.

With login credentials for a user’s account, it is possible to access information stored within the account. It is not known what type of information Forbes.com stored about its users, though concerns presumably relate to the exposure of personal and financial data. Credentials to contributors’ accounts may actually provide access to systems used by the media outlet to publish news, effectively allowing attackers to post fake news alerts. Last year, the Syrian Electronic Army took credit for hacking the Twitter account of the Associated Press (AP) and posting a fake news alert about a targeted attack on the White House and President Obama. The news alert was quickly denied, but not before the Dow Jones stock exchange fell by 1 percent and wiped $200 billion dollars from the entire market (stocks bounced back later in the day).

An additional concern is that many users tend to reuse passwords across multiple systems. After all, it’s hard to remember so many passwords. If they are extracted from the Forbes.com database, which enables access to the email accounts they are paired with, attackers can access these users’ email accounts. Searching through emails in any one account can expose a wealth of personal data. A breached user account can be used for developing spear-phishing messages and drive-by download attacks. The fact that the email comes from a trusted source — someone the user regularly exchanges emails with — increases the chances that recipients of a phishing email will fall for the scam. Forbes specifically warns users to look out for phishing attacks seemingly coming from Forbes.com.

If individuals are reusing their credentials or maintaining the same password, the exposed information may also provide access to other websites and Web services, including corporate systems. Although access to online consumer applications and services facilitates fraudulent activities, access to corporate systems can enable a full enterprise breach. There is no doubt that users who used their Forbes.com email address and password combination to log in to various other websites are at risk.

Dana Tamir
Director of Enterprise Security at Trusteer, an IBM Company

Dana Tamir is Director of Enterprise Security at Trusteer, an IBM Company. In her role she leads activities related to enterprise advanced threat protection ...
read more