

Following up on a threat it made yesterday, the Syrian Electronic Army hacking group claimed today to have published a database containing more than one million user names and sign-in credentials from Forbes.com, the website of the business magazine.

Forbes admitted in a statement posted to its Facebook page and on Twitter on Friday night that the email addresses of its users may have been exposed, but it did not explicitly confirm that the data had been published online. The company said passwords were encrypted, but advised its users to change passwords on services and systems where they used the same passwords. The company said it has also notified law enforcement agencies.

When asked for further comment this morning after the publication of the database, a Forbes spokeswoman referred me back to the statement made Friday night. The company has not confirmed the number of users affected by the breach.

The Syrian Electronic Army originally claimed responsibility for the attack yesterday and promised to publish the database today. Re/code has seen the data, and it contains the names and known email addresses of several current and former employees at Forbes. But the passwords are displayed as hashes, which is a term of art meaning that the passwords aren’t shown in plain text. For example, the word “passwords” might be recorded in the database as “$P$98tqH9rq4bGEc1E6oThXjM3J.5xU3t.” However, passwords could potentially be recovered by someone who understands the nuances of password hashing.

The group also attacked Forbes content, and altered the text of at least three stories that had been published and which Forbes ultimately took down. It also published its own one-sentence article saying “Hacked by the Syrian Electronic Army.”

Meanwhile, the Forbes blog page continues to be down. This means the attack may hurt Forbes more than these kinds of attacks have hurt other media companies. The Forbes network of contributors to its blogging site has been central to its business model for several years.

Previously, Forbes operated as a traditional business magazine with a mostly separate staff of writers who published daily on the Forbes.com website. That changed in 2010 when Forbes acquired True/Slant, a media startup in which it had invested.

The True/Slant model became the basis for the new Forbes model: Essentially anyone could become a contributor and write a story that would appear under the Forbes brand. The most popular ones who generate the most traffic can in some cases qualify for a cut of the profits they generate. (Full disclosure: I worked for Forbes as a technology writer from 2000 until 2005, several years before this system was put in place.)

Its chief product officer — and True/Slant’s founder — Lewis D’Vorkin described it in a lengthy post in November. He wrote that Forbes had “supplemented our full-time reporting staff with 1,200 qualified contributors, including more than 150 freelance journalists,” and that “… Many participate in a novel incentive plan that makes them accountable for their success.” D’Vorkin wrote that as of October of last year, Forbes had generated 55 million unique users as measured by Omniture and 26 million uniques as measured by comScore.

Interestingly, as I have poked around the Forbes.com website, I’ve noticed a few spots that appear to be functioning normally. One is the Forbes BrandVoice section where companies like EMC, SAP, Oracle, Sage, NetApp and HSBC all have their own blogs. As you can see from the links, they appear to be working just fine. The attackers appear not to have breached this section of the publishing system.

As I noted yesterday, this attack couldn’t have come at a more delicate time for the company. The Forbes family and its co-owners, the private equity firm Elevation Partners, have been trying to sell the company for some time.

On Monday, Bloomberg News reported that final bids were expected from two suitors, China-based Fosun International and Singapore’s Spice Global Investments, while German publisher Axel Springer was also said to be in the running. Forbes is reportedly asking $400 million, though there’s reason to expect it will get about half that much.



1 comment
Nestorius

I found it VERY disturbing that Forbes does not communicate openly about this issue on their website, not even with their own subscribers:

I have received three advertising mails from them since the attack (Forbes Investor & Forbes Newsletters) but nada about the attack and my potential account being compromised.


In comparison, I did get an email from Kickstarter informing openly about their own attack before/just as it appeared in the media.


Neither TechCrunch nor the WSJ Online wrote about the Forbes attack afaik.


Then I found an article on NetworkWorld.com, part of IDG, titled "If you have a Forbes account, you've been pwned" which provides a link to a database to check if my account (username or email address) had been compromised: BINGO with Forbes.com in Feb 2014!


What is going on with Forbes and the other Big Boys here?

Why the lack of information and transparency?
