How The Onion was Hacked

written by Chris Griesemer

This month we will review a case study to learn how The Onion was hacked and review their security measures. In December we reviewed the Target data breach, and the November article was about How to Outsmart Hackers.

Click here to review these articles. Stay tuned for more security posts.

One of the frustrating things about companies being hacked is how difficult it is to find information about the incidents and how it happened. The fear of reputational risk is so great, most companies keep all information locked up. That was not the case with The Onion. The Onion is a satirical news website that was hacked by a group calling themselves the Syrian Electronic Army (SEA). To The Onion's credit, and to our benefit, they disclosed exactly what happened in an effort to help educate more companies on hacking techniques. The SEA began by sending phishing emails to multiple Onion employees. The phishing email contained a link to what looked like a Washington Post article.

The email requested the Onion employee read the article. Once the link was clicked, it took the user to a screen that asked them to login with their Gmail credentials. These emails were only sent to a few Onion employees so as to not look like a targeted attack. At least one Onion employee fell for this phase of the phishing attack. Now that SEA had access to one of The Onion employee’s account, they used the account to send the same phishing email to multiple Onion staff members. Since the email came from a trusted address, many of The Onion employee’s clicked on the link. Most of the employee’s didn’t enter their Gmail credentials but unfortunately, 2 employees did. And even more unfortunate, one of those Onion employees had access to all of The Onion’s social media accounts.

The Onion discovered at least one account had been compromised and sent out a company-wide email to change email passwords immediately. The SEA sent out a duplicate email which included a link to a phishing page disguised as a password-reset link. This duplicate email was not sent to techs or IT teams so it went undetected. It fooled 2 more employees. Finally, The Onion could not determine who’s account had been compromised so they forced a password reset on every employee. After the incident, The Onion examined the entire event and came up with some simple security measures for anyone to use:

• Educate your users so they are suspicious of all links asking them to log in, regardless of the sender.
• Don’t use your work email address for your corporate Twitter accounts.
• Create strong, unique passwords for each account.
• Manage your Twitter account activity with a program like HootSuite.
• In the event of being hacked, have a way to reach out to all company employees outside of their organizational email.
• Make certain the administrator for a company’s social media accounts uses different passwords for each account.

If you have any questions or concern, please don’t hesitate to contact Chris Griesemer at 417-881-0145 or his email address at cgriesemer at whitlockco.com.