How The Onion was Hacked

written by Chris Griesemer

This month we review a case study of how The Onion was hacked and the security measures it adopted afterward. In December we reviewed the Target data breach, and the November article was about How to Outsmart Hackers.

Stay tuned for more security posts.

One of the frustrating things about companies being hacked is how difficult it is to find information about the incidents and how they happened. The fear of reputational risk is so great that most companies keep all information locked up. That was not the case with The Onion. The Onion is a satirical news website that was hacked by a group calling themselves the Syrian Electronic Army (SEA). To The Onion's credit, and to our benefit, they disclosed exactly what happened in an effort to help educate more companies on hacking techniques. The SEA began by sending phishing emails to multiple Onion employees. The phishing email contained a link to what looked like a Washington Post article.

The email asked the Onion employee to read the article. Once the link was clicked, it took the user to a page that asked them to log in with their Gmail credentials. These emails were sent to only a few Onion employees so as not to look like a targeted attack. At least one Onion employee fell for this phase of the phishing attack. Now that the SEA had access to one Onion employee’s account, they used it to send the same phishing email to multiple Onion staff members. Since the email came from a trusted address, many Onion employees clicked on the link. Most of them did not enter their Gmail credentials, but unfortunately 2 employees did. Even more unfortunate, one of those employees had access to all of The Onion’s social media accounts.

The Onion discovered that at least one account had been compromised and sent out a company-wide email telling staff to change their email passwords immediately. The SEA sent out a duplicate of that email, with a link to a phishing page disguised as a password-reset link. This duplicate email was not sent to the tech or IT teams, so it went undetected, and it fooled 2 more employees. Finally, because The Onion could not determine whose account had been compromised, they forced a password reset on every employee. After the incident, The Onion examined the entire event and came up with some simple security measures for anyone to use:

  • Educate your users so they are suspicious of all links asking them to log in, regardless of the sender.
  • Don’t use your work email address for your corporate Twitter accounts.
  • Create strong, unique passwords for each account.
  • Manage your Twitter account activity with a program like HootSuite.
  • In the event of being hacked, have a way to reach out to all company employees outside of their organizational email.
  • Make certain the administrator for a company’s social media accounts uses different passwords for each account.
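The first measure above is the one that would have stopped every stage of this attack: judge the link, not the sender. The check below is an added example, not code from the article or from The Onion, and it assumes a constructed allowlist of hosts the company legitimately sends staff to for logins; the three sample emails are constructed to mirror the Washington Post lure, the real IT notice and the SEA copy described above.

```python
import re
from urllib.parse import urlparse

# Hosts the company itself sends staff to for logins and resets (constructed allowlist).
TRUSTED_HOSTS = {"example-onion.test", "accounts.google.com"}
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
LOOKS_LIKE_URL = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)
LOGIN_WORDS = ("log in", "login", "sign in", "password")

def is_trusted(host, trusted=TRUSTED_HOSTS):
    # Exact match or a genuine subdomain; "accounts.google.com.evil.test" passes neither.
    return any(host == t or host.endswith("." + t) for t in trusted)

def flag_links(body, trusted=TRUSTED_HOSTS):
    """Return (href, reason) pairs for links a reader should not follow.
    The sender is deliberately not an input: in this incident the mail came
    from a colleague's compromised account, so a trusted sender proves nothing."""
    findings = []
    asks_for_login = any(w in body.lower() for w in LOGIN_WORDS)
    for href, text in ANCHOR_RE.findall(body):
        host = (urlparse(href).hostname or "").lower()
        shown = re.sub(r"<[^>]+>", "", text).strip()
        if LOOKS_LIKE_URL.fullmatch(shown):
            # Visible text looks like an address: it must name the same host as the href.
            shown_url = shown if "://" in shown else "http://" + shown
            shown_host = (urlparse(shown_url).hostname or "").lower()
            if shown_host != host:
                findings.append((href, f"link text shows {shown_host} but goes to {host}"))
                continue
        if not is_trusted(host, trusted):
            kind = "login/reset request" if asks_for_login else "link"
            findings.append((href, f"{kind} points to untrusted host {host}"))
    return findings

# Constructed samples modelled on the three emails in the write-up.
LURE = '<p>Thought you would like this.</p><a href="http://wapo-story.test/2013/05">washingtonpost.com/world/story</a>'
IT_NOTICE = '<p>Please change your Gmail password now.</p><a href="https://accounts.google.com/">Reset password</a>'
SEA_COPY = '<p>Please change your Gmail password now.</p><a href="https://accounts.google.com.reset-login.test/">https://accounts.google.com</a>'

if __name__ == "__main__":
    for name, body in (("lure", LURE), ("it_notice", IT_NOTICE), ("sea_copy", SEA_COPY)):
        print(name, flag_links(body))
```

The genuine IT notice produces no findings, while both SEA emails are flagged even though one of them arrived from a colleague's real address.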

If you have any questions or concerns, please don’t hesitate to contact Chris Griesemer at 417-881-0145 or by email at cgriesemer at whitlockco.com.
