Boing Boing says hacker got around 2FA in breaching its content management system

The popular blog used the breach as a teachable moment to spread better security practices.
Boing Boing editors celebrate the site's 25th anniversary at the XOXO festival in 2013 in Portland, Oregon. (Duncan Rawlinson, Duncan.co / Flickr)

Boing Boing, a popular blog and news aggregator with deep roots on the internet, said Monday that an unknown attacker had used a hacked account of one of its team members to spread malicious code.

The hacker was able to get around two-factor authentication — an extra security measure — to log into the Boing Boing content management system (CMS) software. From there, the attacker installed a widget that redirected Boing Boing visitors to a malicious web page, the publication said in a statement under the tagline, “We Wuz Hacked.”

Founded three decades ago as a zine, Boing Boing is an irreverent and wide-ranging news site that embraced blogging long before it became popular. Contributors to the self-styled “Directory of Wonderful Things” have long promoted sound security practices. In May 2019, for example, co-editor Cory Doctorow blogged about a Google study touting the benefits of 2FA.

Boing Boing said the breach occurred around midday Friday and that, once the issue was verified, the website’s security team removed the malicious code from its servers and changed passwords and access tokens.

The incident has prompted Boing Boing to set up a separate network log “so we are able to take action and determine the scope of a breach more thoroughly in the future,” the website’s leadership said. They advised recent visitors of the Boing Boing site to check their antivirus software for anything suspicious on their machines.

“From a systems security perspective, this is an excellent cautionary tale of the importance of individual user security,” Boing Boing’s statement reads.

“Even two-factor authentication and password hygiene can be compromised on the user’s end,” the statement continues, “and just because a particular issue … had been detected via third parties in the past, it always pays to consider all possible first-party infection vectors.”

Boing Boing has built up a devoted following over the years. In a 2008 story about the site, The New York Times noted that Boing Boing readers “can appear particularly intense” in their devotion to various subjects.

“Theirs is the intensity that comes from discovering that, indeed, there are other people who like to create detailed drawings on an Etch-a-Sketch or collect 100-year-old fantasies of what the future might look like or rage at the encroachment of technology companies and the government on personal privacy,” The Times wrote.

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.
