For a brief period on Thursday morning, the Washington Post's website redirected some visitors to a webpage controlled by the Syrian Electronic Army. In a brief statement, the site didn't indicate how the infiltration occurred, but subsequent reports suggest that the hackers were able to manipulate a content recommendation service The Post uses on its site.
On Twitter, the SEA demonstrated that it had gained access to the administrative panel of Outbrain, a third-party system that provides those "Other stories from around the web" recommendations at the bottom of articles at numerous web sites, including at The Atlantic Wire. How the redirect worked isn't clear, but it's possible that the hackers were able to manipulate the code included on Post articles to include a simple redirect to an external site. The group claimed to have done the same thing on other sites, including CNN and Time.
This is what the hack looked like on Time.com.
Outbrain, which sent its partners, including the Wire, a statement, reading in part:
This morning, the Outbrain service was attacked, and as a result, we have taken the service down temporarily as a precautionary measure.
We are working diligently to investigate the cause and the measures to prevent this in the future. Once we feel that the service is stable, we will bring back the service again.
Update, 3:00 p.m.: Outbrain has posted a little more information about how their server was compromised.
On the evening of August 14th, a phishing email was sent to all employees at Outbrain purporting to be from Outbrain’s CEO. It led to a page asking Outbrain employees to input their credentials to see the information. Once an employee had revealed their information, the hackers were able to infiltrate our email systems and identify other credentials for accessing some of our internal systems.
In other words, despite its statement, it seems likely that The Washington Post itself wasn't hacked. But its use of a third-party tool for story recommendations created an opportunity for the hackers. Earlier this year, the newspaper confirmed that it had been hacked by individuals in China.
The Syrian Electronic Army has been on ongoing campaign of similar infiltrations, hacking a variety of media sites directly, including Reuters, Al Jazeera, and even The Onion. So far, those efforts haven't done much to change events in Syria's still-bloody civil war.
Update, 4:00 p.m.: In a lengthier update, the Post indicates that one reporter fell victim to a phishing attack earlier this week, allowing the SEA to take control of his Twitter account. It is unclear if this was in any way related to Thursday's problems.