The Onion staff put their laughing-making on hold last week when the Syrian Electronic Army hacked its Twitter account — the latest in a growing list of publications invaded by the group.
Now, the parody news outlet has taken an atypical moment to very seriously explain how the hacktivists weaseled their way into the company's digital confines.
"In summary, they phished Onion employees' Google Apps accounts via 3 separate methods," the site's tech team explained in a blog post.
The slow, calculated attack began early this month, when the Syrian Electronic Army (SEA) sent emails to some of the site's employees. The messages (example below) implored The Onion's reporters to "Please read the following article for its importance," with a link to what appeared to be a Washington Post story. The link, in fact, eventually redirected users to a bogus Google URL, which asked for Google Apps credentials.
At least one employee entered their credentials, allowing the attackers entrance to their account, from which the SEA sent the same email to more Onion staff. Two logged in, one of whom had access to all of The Onion's social media accounts.
Things got hairier when the hackers duplicated a company-wide email urging employees to immediately change their password. Only this time, the SEA disguised a link to its phishing page as a password-reset URL.
"This dupe email was not sent to any member of the tech or IT teams, so it went undetected," the company said. The last attack compromised at least two more accounts, one of which was used to control the Twitter account.
While most organisations would shy away from poking a giant hacker bear, The Onion's editorial staff instead began publishing articles about the attack. One in particular —Syrian Electronic Army Has A Little Fun Before Inevitable Upcoming Deaths At Hands Of Rebels — angered the attacker, who began posting edtorial email addresses on the SEA account.
At the end of the day, at least five Onion accounts were compromised; the company forced a password reset on every staff member's Google Apps account.
The post ends with suggestions from The Onion's tech team about how to avoid a similar computer breach.