:format(webp)/cdn.vox-cdn.com/uploads/chorus_image/image/63703457/hacked_screen.0.1537497932.0.jpg)
Business news site Forbes.com was still recovering today from the after-effects of an attack by hackers that exposed the email addresses of more than a million of its users and forced it to take its blogging platform down.
Lewis DVorkin, chief product officer and the brains behind Forbes’ all-important network of editorial contributors, gave the fullest account yet of the nature of the attack in a post on the site today.
Describing what he called a “difficult 48 hours,” including a discussion with the FBI that was “sobering, at times a bit scary,” DVorkin confirmed that the attack against Forbes fit the usual profile of those carried out by the Syrian Electronic Army, a hacker group that supports the regime of President Bashar al-Assad and that claimed responsibility for the attack.
The initial stages of the attack, he said, were carried out via a technique known as spear phishing, in which a benign-appearing document is sent to a company employee from an address that appears to be that of a co-worker. “A hacker, perhaps more than one, gained access to our publishing platform through spear phishing — a series of emails to our staffers that came from a news source that was previously targeted by the SEA. Unwittingly, passwords were provided that compromised the backend of our publishing system, which supports Forbes editors and reporters, 1,200 contributors and our BrandVoice partners,” DVorkin wrote.
He also essentially confirmed that a list of email addresses and passwords contained in a database that was pilfered from Forbes’ systems and published by the SEA was legit. He said that people whose addresses were compromised have been notified.
DVorkin wrote that while the attacks were still under way, the company received emails purporting to be from the attackers, claiming they would stop if certain fees were paid. The SEA denied that claim in a series of tweets.
@Forbes claimed in an article posted by them that we emailed them requesting “fees” at Friday, but then the database was already published.
— SyrianElectronicArmy (@Official_SEA16) February 18, 2014
Dear @Forbes,making a fake story we (requesting “fees”) after we posted a joke about selling the data is not the good way to defend yourself
— SyrianElectronicArmy (@Official_SEA16) February 18, 2014
Also on its Twitter feed, the SEA promised at least one more revelation from the attack.
The Forbes story is not over yet! There is one last thing but we’ll show you later with other stuff. #SEA
— SyrianElectronicArmy (@Official_SEA16) February 18, 2014
I reached out to DVorkin for an interview, hoping to get a little more clarity on the blackmail allegation he leveled at the SEA, but was told by a company spokeswoman that “his post speaks for itself.”
The file, which the SEA published over the weekend and which has now spread via BitTorrent file-sharing sites, contained encrypted versions of Forbes user passwords. Encrypted, yes, but it turns out they’re not entirely locked down. Paul Ducklin, a security expert for Sophos, a security firm, wrote on a blog that researchers at his firm have been able to decrypt a sampling of passwords found in the file. “It took about an hour, using one core of a vanilla laptop, to crack close to one-quarter of the passwords of the 500 or so Forbes employees in the database,” Ducklin wrote.
One thing that made it easy: Weak passwords. Ducklin writes that 73 Forbes staffers used a password that contained the word “Forbes,” often followed by numbers, often “123.” Three people used the password “changeme,” and 15 used “welcome1.”
Meanwhile, Forbes’ blogging site remains offline as of this afternoon. Typically, contributors have free rein to publish their own posts via Forbes’ WordPress installation. I’ve talked with a handful of people who are regular contributors, and they tell me that, instead, they’ve been emailing their posts in to an editor who is publishing posts manually, which is significantly slowing down their ability to publish.
“Bloody awful. I have to email posts. No comments. Complete nightmare,” one contributor told me in a direct message on Twitter. “This is really making me mad,” wrote another in a Facebook message.
Why this matters is that Forbes relies heavily on its network of 1,200 contributors to basically give it free content — a few attract enough traffic to make a little money in profit sharing — and a place to put advertisements. Without that, fewer people are seeing Forbes’ ads, and that’s bad for business. The longer its blogging platform stays down, the less happy its contributors will be. They could opt to take their words elsewhere.
(Full disclosure: I worked for Forbes as a technology writer from 2000 until 2005.)
This article originally appeared on Recode.net.
