Earlier this year, hackers broke into the networks of marketing and press release distribution service PR Newswire, making off with usernames and encrypted passwords that customers use to access the company’s service and upload news releases, KrebsOnSecurity has learned.
The stolen data was found on the same Internet servers that housed huge troves of source code recently stolen from Adobe Systems Inc., suggesting the same attackers may have been responsible for both breaches. Date and time stamps on the stolen files indicate that the breach at PR Newswire occurred on or after March 8, 2013.
Presented with a copy of the purloined data, PR Newswire confirmed ownership of the information. The company said that later today it will begin the process of alerting affected customers and asking them to change their account passwords. The company says its investigation is ongoing, but that the data appears to be related to a subset of its customers from Europe, the Middle East, Africa and India.
In a statement being sent to customers today, PR Newswire said it is “conducting an extensive investigation and have notified appropriate law enforcement authorities. Based on our preliminary review, we believe customer payment data were not compromised.”
As with the investigation into the Adobe breach, this author had significant help from Alex Holden, chief information security officer at Hold Security LLC. While there are no indications that the attackers did anything malicious with the PR Newswire data, Holden said the bad guys in this case could have used it to wreak financial havoc. The company’s customer list reads like a Who’s Who of PR firms and Fortune 1000 firms.
“It’s unsettling to imagine the possible outcomes if the stolen data fell into the hands of any groups that are trying to affect political and economic stability,” Holden said. “Misleading PR statements on behalf of major companies could disrupt stock markets, injure a company’s reputation, and affect consumers.”
News of the breach at PR Newswire comes amid shenanigans elsewhere in the press release industry. On Oct. 11, Cision AB, a Swedish press-release distributor, took a PR hit of its own after a fake release caused two biometric companies’ shares to soar and led to a police report.
According to this story from Bloomberg, in 2006, PR Newswire said it distributed a false statement about Innotrac Corp. (INOC), a call-center and warehouse services operator. In 2000, Emulex Corp. (ELX) shares plunged after a different release-distribution service published a fictitious press release that said the company reversed a fourth-quarter profit to a loss.
In a written statement to KrebsOnSecurity, PR Newswire said that at this point there is no evidence to suggest that the intrusion into its networks was in any way related to what happened with Cision last week.
“PR Newswire has protocols and redundancies in place that are designed to minimize the risk of distributing fraudulent press releases, including both technological and human safeguards prior to issuing any release,” the statement reads. “The database contains approximately 10,000 records; however, there is only a minority of active users on this database. Those users represent an even smaller number of customers, as each customer generally has multiple usernames. PR Newswire decided to implement a mandatory password reset for all customers with accounts on this database as a precautionary measure.”
As astute readers may have gathered already, PR Newswire and Adobe were not the only companies whose data was found on the hackers’ server. Stay tuned for more updates on that front.
Update Oct. 17, 11:42 a.m. ET: Holden now says the breach at PR Newswire might extend further than previously thought. “There is evidence, dated February 13, 2013, of a large-scale attack targeting PR Newswire’s multiple networks hitting over 2,000 IP addresses using ColdFusion exploits,” Hold Security noted in a news release. In a previous story, I described how the hackers thought to be responsible for this attack and the theft of source code from Adobe and other targets specialized in attacking ColdFusion vulnerabilities.