How a Single Password Triggered the Business Insider Breach

When it comes to cyberattacks, publicity is a magnet. But what happens when news publications themselves become targets? One of the biggest names in business publication, Business Insider, came under siege this week. The attack was yet another launched by the infamous OurMine, the cybercriminal group behind recent attacks on both Buzzfeed and Variety. But this time, they had accidental help from a Business Insider employee.

This employee wasn’t disgruntled, however, just negligent in terms of security. They aided the crooks with a simple mistake – reusing the same password across multiple sites. Someone with publishing privileges at Business Insider was said to have used that same password across multiple sites. This was OurMine’s easy way in. By discovering the password from other sources, it was easy to copy-paste it for entry into Business Insider’s publishing platform.

Once inside, crooks edited stories and pushed out a malicious ad that was spread across both Web and mobile versions of the publication. In typical fashion, OurMine posted on Business Insider, “Hey, don’t worry we are just testing your security, we didn’t change your password or anything. Visit our website for more information.” Of course, they added a link that went to their own website. This was basically an illegal advertisement of their security services.

With a pretentious air, OurMine has previously stated their hacks are merely attempts to teach us all security lessons. However, such a back-handed effort draws attention to Business Insider’s vulnerabilities as well as teaches us this — don’t reuse passwords, and watch out for potentially malicious ads.

How can you keep secure in light of events like these? Here are some tips to keep in mind:

  1. Double check before clicking on unfamiliar ads. It’s possible to evaluate the security of any link, before clicking. Many browsers have built-in safeguards, but you can never be too safe when surfing the Web. Double up with security solutions like McAfee WebAdvisor, which can scan Web pages for malicious links.
  2. Use unique passwords for every account. While the most basic step to account security is avoiding weak passwords (think “password1234”), it’s also imperative to differentiate them across your accounts. Need help remembering all of your long, strong passwords? A password management solution could really come in handy.
  3. Don’t believe noble claims by cybercriminals. Many cyber crooks are really just wolves in sheep’s clothing. It’s common for them to use tactics like social engineering to trick victims into visiting a dangerous site. Should you ever encountering bold claims from tech-savvy strangers — whether on websites, in texts, emails, or other channels — you should always have a careful eye. Go ahead, be skeptical.

And, of course, stay on top of the latest consumer and mobile security threats by following me and @McAfee_Home on Twitter, and ‘Like’ us on Facebook.


Introducing McAfee+

Identity theft protection and privacy for your digital life

FacebookLinkedInTwitterEmailCopy Link

Stay Updated

Follow us to stay updated on all things McAfee and on top of the latest consumer and mobile security threats.


More from Internet Security

Back to top