Originally published at: https://boingboing.net/2020/01/13/boing-boing-was-hacked.html
…
Thank you for the detailed post and warning.
Ahh that definitely explains things better.
Surprised it had not happened before and again thanks to @orenwolf for all the hard work keeping the site running.
Thanks for being forthcoming about this. You didn’t mention whether or not user data was potentially leaked and if there’s anything we should do (e.g., change password). I’m changing my password just to be safe, but clarity on this would be nice.
We don’t have user data on the BB site itself, just here in Discourse, and the two are not connected. So no user data was leaked.
I used BoingBoing all weekend on my phone and computer…
What kind of Apple anti-gooey thingy should I use?
It will be the first time I’ll use an anti-something-bad thingy.
Thanks! That’s good to know. I hope the damage wasn’t too bad for you guys.
Thank you for the information.
For future reference, how was the malicious party able to steal the credentials of a member of the Boing Boing team to then log into the CMS? Was it a physical attack like a stolen laptop? Or did the member of the Boing Boing team use a weak password? It would be nice to know, so we can maybe rethink our own personal security (e.g., encrypt laptop). Thank you.
Best advice I can give there is to always consider physical security, what access a compromised device might provide, and the overall lifecycle of your devices when you dispose of or give them away (especially phones, which often have stored passwords and 2-factor-auth credentials). Also keep in mind what services you have authorized to access your information, and their security as well.
That makes sense. I got redirected to a ‘flash install page’ a couple times in different browsers and immediately did a virus scan with no detections and figured it must have been an ad issue. Added the element to uBlock origin and the site worked normally again.
Thanks for the update, nice to know what happened!
So that’s why you wanted me to install Flash. Do you know anything about the malicious Flash applet they were trying to run?
Chalk up another win for reading via RSS.
boingboing selling a dehumidifying humidifier was not a result of the hack though: just normal boingboing
Whelp, this explains the ‘Your device is not safe. Please update your Google Play Protect’ ad I was getting this past weekend when viewing articles here. I checked directly for updates and saved a screen capture to look into it further. Thanks for explaining this.
I got this too and saved a pic.
I am so glad I finally got Brave- the fucking ads on Boing Boing have gotten so obnoxious I couldn’t even load pages without it. They just covered parts of stories.
When I saw this, I immediately turned on script blocking. I knew something was very wrong. Glad I’m not crazy.
Attached is a pic of the malware I saw. Never, ever, ever should anything from the Play Store force a popup on you!
We do not. The suggestion to run local AV scanning software is unfortunately all we have. As we learn more I am sure Ken will share it.
Ken, Scott, many of our readers, and our partners at Freestar and Automattic put in a heroic effort to catch and fix this.
I presume the thingy had nothing to do with Flash itself, but was merely presented to look like the Flash installer as an inducement to click and permit horrible things to happen – much like mobile users got something superficially resembling Google Play Protect that probably had nothing to do with Google Play Protect.
On my computer, anything that actually uses Flash brings up an explicit prompt from Firefox that something wants to use Flash and asks if I want to enable it.
I kept seeing that popup on one article and kept ignoring it b/c who the hell wants Flash on their machine? And why would YouTube require it all of a sudden?
So like this is another three years of free credit monitoring bad?
So do we get any refund on our site membership dues?