October 16, 2013

Earlier this year, hackers broke into the networks of marketing and press release distribution service PR Newswire, making off with usernames and encrypted passwords that customers use to access the company’s service and upload news releases, KrebsOnSecurity has learned.

The stolen data was found on the same Internet servers that housed huge troves of source code recently stolen from Adobe Systems Inc., suggesting the same attackers may have been responsible for both breaches. Date and time stamps on the stolen files indicate that the breach at PR Newswire occurred on or after March 8, 2013.

Presented with a copy of the purloined data, PR Newswire confirmed ownership of the information. The company said that later today it will begin the process of alerting affected customers and asking them to change their account passwords. The company says its investigation is ongoing, but that the data appears to be related to a subset of its customers from Europe, the Middle East, Africa and India.

In a statement being sent to customers today, PR Newswire said it is “conducting an extensive investigation and have notified appropriate law enforcement authorities. Based on our preliminary review, we believe customer payment data were not compromised.”

As with the investigation into the Adobe breach, this author had significant help from Alex Holden, chief information security officer at Hold Security LLC. While there are no indications that the attackers did anything malicious with the PR Newswire data, Holden said the bad guys in this case could have used it to wreak financial havoc. The company’s customer list reads like a Who’s Who of PR firms and Fortune 1000 firms.

“It’s unsettling to imagine the possible outcomes if the stolen data fell into the hands of any groups that are trying to affect political and economic stability,” Holden said. “Misleading PR statements on behalf of major companies could disrupt stock markets, injure a company’s reputation, and affect consumers.”

News of the breach at PR Newswire comes amid shenanigans elsewhere in the press release industry. On Oct. 11, Cision AB, a Swedish press-release distributor, took a PR hit of its own after a fake release caused two biometric companies’ shares to soar and led to a police report.

According to this story from Bloomberg, in 2006, PR Newswire said it distributed a false statement about Innotrac Corp. (INOC), a call-center and warehouse services operator. In 2000, Emulex Corp. (ELX) shares plunged after a different release-distribution service published a fictitious press release that said the company reversed a fourth-quarter profit to a loss.

In a written statement to KrebsOnSecurity, PR Newswire said that at this point there is no evidence to suggest that the intrusion into its networks was in any way related to what happened with Cision last week.

“PR Newswire has protocols and redundancies in place that are designed to minimize the risk of distributing fraudulent press releases, including both technological and human safeguards prior to issuing any release,” the statement reads. “The database contains approximately 10,000 records; however, there is only a minority of active users on this database. Those users represent an even smaller number of customers, as each customer generally has multiple usernames. PR Newswire decided to implement a mandatory password reset for all customers with accounts on this database as a precautionary measure.”

As astute readers may have gathered already, PR Newswire and Adobe were not the only companies whose data was found on the hackers’ server. Stay tuned for more updates on that front.

Update Oct. 17, 11:42 a.m. ET: Holden now says the breach at PR Newswire might extend further than previously thought. “There is evidence, dated February 13, 2013, of a large-scale attack targeting PR Newswire’s multiple networks hitting over 2,000 IP addresses using ColdFusion exploits,” Hold Security noted in a news release. In a previous story, I described how the hackers thought to be responsible for this attack and the theft of source code from Adobe and other targets specialized in attacking ColdFusion vulnerabilities.


24 thoughts on “Breach at PR Newswire Tied to Adobe Hack”

  1. DefendOurFree

    Their distribution services were used to send out some harmful rumors.

  2. Dr. Neal Krawetz

    “It’s unsettling to imaging the possible outcomes if the stolen data fell into the hands of any groups that are trying to affect political and economic stability,” Holden said. “Misleading PR statements on behalf of major companies could disrupt stock markets, injure a company’s reputation, and affect consumers.”

    Typo: imagine

    And how is this any different than any other day on FOX?

  3. Bush Master

    7 months to find a breach. Say no more.

    They should be shot on the spot (fined billions) for a breach of contract. I'm sure it's in their contract that they should safeguard any personal info they collect.

    1. Peter

      Don't expect any substantial fines any time soon. Look at the Sony hacks. The biggest affected customer base in the history of hacks and they received what could barely even be described as a slap on the wrist.

  4. The Oregano Router

    As always, another great internet security news article.

    Keep them coming B.K.

    1. von

      “There is evidence, dated February 13, 2013, of a large-scale attack targeting PR Newswire’s multiple networks hitting over 2,000 IP addresses using ColdFusion exploits,” Hold Security noted in an update to its news release.

      February 13 now, not March 8.

  5. You Always Knew Just How To Make Me Cry

    You Always Knew Just How To Make Me Cry .
    And Never Did I Ask You Questions Why.
    It Seems You Get Your Kicks From Hurting Me.
    Don’t Try To Understand Me

    Because Your Words Just Aren’t Enough.

    1. The Oregano Router

      Okay, and how does that relate to this internet security article? Care to elaborate? Maybe you should take that to another forum where they can appreciate it better.

    2. IA Eng

      It's lyrics to a Michael Jackson song called Give in to me or something close to that.

      Probably an inside joke, or a comment spammer looking for work, fame, or misfortune.

  6. JCitizen

    Sorry, but it seems like all the major news agencies are in the bad habit of PURPOSELY releasing fraudulent news nowadays. I have no trust of any news service, and take all of it with a shot of salt over my shoulder. We ALL have to mistrust ALL data on the web now.

    You may ask – then who do you believe? – I say NUTS to that! You have to use your own brain, and critical thinking skills – that will be a prerequisite in the dark future I see coming up the pike! 😐

    Get as much data as you can and make your own FREE decisions!

    1. Peter

      This has always been the problem with service providing information. Regardless on whether a news service is meant to be independent of government ties the reporters, writers and anchor men all have their own opinion which comes out in the way anything is reported.

      Treat any information as suspect until proven otherwise.

  7. IA Eng

    It was probably used as a software dumping site. They landed on this site, moved a copy of their treasure here, and then they would distribute it out from here, to break the electronic chain if you will.

    If there are limited amounts of people who use this site or have access to it, and it could have profound amounts of issues should someone leak a false rumour, then I am sure it will be looked at closely.

    It wouldn’t take a breach of this place to make it look bad, all it would take is for someone to figure out the actual name of the email address that contacts the “important organizations”. From there, simply spoof the email address, then staying within the confines of the typical emails this company sends out, change any links in it to a vile site. It would probably do more damage than good.

    I am sure we will learn more when they decide to update the world. Problem is, to maintain a rep, some of that data may or may not be released to the public.

    I find it kind of ironic that they were able to track down where a copy of the source code was in a short period of time. I am sure there is a way to find such things quickly. This is pretty quick, considering the amount of electronic devices that exist on the ‘net.

  8. IA Eng

    A nearly common occurrence on the DHS Daily Infrastructure Report;

    Information Technology Sector

    33. October 16, Krebs on Security – (International) Breach at PR Newswire tied to Adobe hack. PR Newswire confirmed that researchers uncovered the theft of usernames and encrypted passwords of some of its customers. The information was found on servers that also held source code and other information stolen from Adobe Systems Inc. Source: http://krebsonsecurity.com/2013/10/breach-at-pr-newswire-tied-to-adobe-hack/

  9. The Person Formely Known As 'Curry'

    *there. Sorry for the rushed comment.

  10. Coolout_AC

    IMO, Hackers have replaced investigative journalism for all news programs independent or commercial alike.

    So whether they are feeding them information through proper channels or hacking their databases it really doesn’t matter. They run the show, and they are running the world now on all sides, they control all media propaganda.

    And as I said in another thread, these hackers are predominantly one race, mainly one political view, and way more oppressive than our Gov’t can ever be.

    Most of the news I see nowadays seems to be extremely biased and in the interest of malicious hackers or foreign spies. I

    The only news I still half trust now, is C-Span and Al Jazeera.

  11. Matt

    Another great post, and those people will definitely pay for their screw-ups.

  12. QHoster

    Proving information is a real power nowadays and can mislead a lot of people / stock markets.
    Great article again.

  13. Benjamin Caudill

    Another well-written news story! So does this mean that PR Newswire, et al, were breached because they didn’t follow the guidelines set by Adobe for using ColdFusion? Your previous story on ColdFusion breach mentions a quote which says the same. What is your opinion?

    1. BrianKrebs Post author

      Hi Ben, thanks. It’s possible that ColdFusion was involved, but unfortunately only PR Newswire can say for sure. I don’t have any information one way or the other.

  14. Steven

    Ever since my identity was hacked from Adobe I’ve been getting all these direct offers from website to my main email which I never got before.

    1. DefendOurFree

      I’m getting direct offers from them too, using two different Adobe domains. These two different Adobe domains were also used for me to reset my password.

  15. Devon Sutton

    Presented with a copy of the purloined data, PR Newswire confirmed ownership of the information. The company said that later today it will begin the process of alerting affected customers and asking them to change their account passwords. The company says its investigation is ongoing, but that the data appears to be related to a subset of its customers from Europe, the Middle East, Africa and India.
