In a detailed and very serious post on github.io, the Onion’s tech team describes how the “Syrian Electronic Army” hacked into several of their social media accounts as well as Google Apps. The methods used were quite clever and involved a sort of multi-tiered approach to gaining access to more and more of the Onion’s accounts:
Once the attackers had access to one Onion employee’s account, they used that account to send the same email to more Onion staff at about 2:30 AM on Monday, May 6. Coming from a trusted address, many staff members clicked the link, but most refrained from entering their login credentials. Two staff members did enter their credentials, one of whom had access to all of our social media accounts.
To describe this sort of activity as “hacking” isn’t exactly accurate, and it does a disservice to the public, who should be educated about this sort of phishing scam and how to avoid it.
This is why it’s so important that along with implementing technical solutions to keeping websites and other services secure, we educate clients and internal staff on best practices for handling passwords. As this case study shows, dozens of hours of security hardening and testing can be undermined by a single email and a poorly informed user.