Embargo Watch

Keeping an eye on how scientific information embargoes affect news coverage

EurekAlert! taken offline after being hacked

with 4 comments

EurekAlert!, the embargoed news source run by the American Association for the Advancement of Science (AAAS), has been temporarily taken offline following a “serious security breach.”

Ginger Pinholster, AAAS chief communications officer and director, office of public programs, said in a statement posted to the site last night at 10:10 p.m. Eastern that usernames and passwords had been compromised, and that embargoed information had been released.

Pinholster tells Embargo Watch that two embargoed releases were released early, and that:

The unknown individual was not selling login information. He seemed motivated to see whether he could breach EurekAlert!.

All of the site’s URLs now direct to a page with this message:

The EurekAlert! website has been taken offline as AAAS works diligently to address a serious security breach.

We are taking this step out of an abundance of caution. The integrity of content on our website is of the utmost concern to us. On September 11, we were notified of a potential breach to our system. An investigation revealed that our website had experienced an aggressive attack on September 9 that compromised usernames and passwords. As we were working to implement a secure password-reset protocol for all registrants, the unknown hacker publicly released an embargoed EurekAlert! news release. We then decided to bring the site down immediately, to protect other embargoed content.

Please be assured that financial information from subscribing institutions is not stored on the EurekAlert! website and therefore remained secure. Registrants’ usernames and passwords were compromised, however.

We deeply regret the inconvenience that this security breach and the related site outage may cause reporters and public information officers. We will bring the site back online as soon as we can ensure that vulnerabilities have been eliminated. Please email the EurekAlert! team at webmaster@eurekalert.org, or contact me directly with any questions or concerns.

Written by Ivan Oransky

September 14, 2016 at 8:06 am

Posted in eurekalert policy

4 Responses


  1. What 2 news releases were made public?

    carol cruzan morton

    September 14, 2016 at 9:29 am

  2. The line that “usernames and passwords were compromised” is ambiguous, but suggests EurekAlert may have been storing passwords as plaintext, which is a big security no-no. Anyone registered with the site who uses the same password elsewhere (also a no-no, but it happens) may now be at risk of their accounts with other services being hacked.

    Given this risk, you’d think EurekAlert would want to clarify the potential risk to its users, but when I asked, they declined to explain further:

    “Unfortunately, we’re unable to give out any information affected accounts [sic]. We will be back online and send a notification e-mail as soon as additional website security measures are completed.”

    Jacob Aron

    September 14, 2016 at 11:29 am

  3. Also, how is this “out of an abundance of caution”? This seems like a low-to-average level of caution.

    Nicholas Weiler

    September 14, 2016 at 12:30 pm

  4. Thankfully they’ve now confirmed that passwords were not stored in plaintext:

    “While EurekAlert! passwords are stored as salted hashes, not all passwords were sufficiently complex and some account passwords were uncovered in this attack. We will be requiring all registrants to reset their passwords – and requiring more complex ones – when we bring the site back online. But as we have no idea the intent or scope of the hacker’s plans, and to exercise the utmost precaution, we urged all registrants to change passwords on other services, if they used the same password on those services as on EurekAlert!.”

    Jacob Aron

    September 15, 2016 at 6:58 am
