Dear Boing Boing readers —
Around 11:30 EST on January 10th, an unknown party logged into Boing Boing’s CMS using the credentials of a member of the Boing Boing team.
They proceeded to install a widget into our theme that allowed them to redirect users to a malware page hosted at a third party.
Because of the nature of programmatic advertising, we first assumed this was a malicious adscript, and asked initial reporters to report this activity via our Ad Partner’s “bad ad” reporting page.
While in this case the malicious code did not originate from an ad, it *did* allow our ad partner to eventually notify us of the specifics of the attack. Once this was confirmed, we removed the offending code immediately from our servers and our CDN partners.
The BB team then proceeded to change passwords, access tokens, confirm access rights, and perform log analysis of the behavior of the user. As stated in our privacy policy, we only keep 72 hours’ worth of logs, but this was sufficient to track down the malicious activity and user account in question and react accordingly. We also took steps to modify our CMS to ensure a separate audit log (outside our 72-hour access logs) will be maintained in the future to help us track down administrative actions within our publishing software in the event of future breaches, so we are able to take action and determine the scope of a breach more thoroughly in the future.
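The separate audit log described above, as an added example that is not Boing Boing’s own code: an append-only, hash-chained record of CMS administrative actions kept apart from short-lived access logs, with a review pass that flags high-risk widget or theme changes coming from an address the account has not used before (user names, action names and IP addresses are constructed).

```python
import hashlib
import json

# Constructed example: administrative actions are appended to their own log,
# each record chained to the previous one so that later edits or deletions
# of the log are detectable. Action names and addresses are made up.
GENESIS = "0" * 64
HIGH_RISK = {"widget_install", "theme_edit", "plugin_install"}


class AdminAuditLog:
    def __init__(self):
        self.records = []
        self.prev_hash = GENESIS

    @staticmethod
    def _digest(entry):
        # Hash every field except the stored hash itself, in a stable order.
        body = {k: v for k, v in entry.items() if k != "hash"}
        data = json.dumps(body, sort_keys=True).encode()
        return hashlib.sha256(data).hexdigest()

    def record(self, ts, user, action, detail, src_ip):
        """Append one administrative action, chained to the previous record."""
        entry = {"ts": ts, "user": user, "action": action, "detail": detail,
                 "src_ip": src_ip, "prev": self.prev_hash}
        entry["hash"] = self._digest(entry)
        self.prev_hash = entry["hash"]
        self.records.append(entry)
        return entry["hash"]

    def verify(self):
        """True only if no record was altered or removed since it was written."""
        prev = GENESIS
        for e in self.records:
            if e["prev"] != prev or self._digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def flag_suspicious(log, known_ips):
    """Return high-risk theme/widget changes made from an address outside the
    user's known baseline: the trace a session on stolen credentials leaves."""
    flagged = []
    for e in log.records:
        baseline = set(known_ips.get(e["user"], ()))
        if e["action"] in HIGH_RISK and e["src_ip"] not in baseline:
            flagged.append(e)
    return flagged
```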
From a systems security perspective, this is an excellent cautionary tale of the importance of individual user security. Even two-factor authentication and password hygiene can be compromised on the user’s end, and just because a particular issue (in this case, malware) had been detected via third parties in the past, it always pays to consider all possible first-party infection vectors, as well.
If you read Boing Boing this past weekend, please run your local anti-virus and malware scanners.
Thank you.