Boing Boing says hacker got around 2FA in breaching its content management system

Boing Boing editors celebrate the site's 25th anniversary at the XOXO festival in 2013 in Portland, Oregon. (Duncan Rawlinson / Flickr)



Boing Boing, a popular blog and news aggregator with deep roots on the internet, said Monday that an unknown attacker had used a hacked account of one of its team members to spread malicious code.

The hacker was able to get around two-factor authentication — an extra security measure — to log into the Boing Boing content management system (CMS) software. From there, the attacker installed a widget that redirected Boing Boing visitors to a malicious web page, the publication said in a statement under the tagline, “We Wuz Hacked.”

Founded three decades ago as a zine, Boing Boing is an irreverent and wide-ranging news site that embraced blogging long before it became popular. Contributors to the self-styled “Directory of Wonderful Things” have long promoted sound security practices. In May 2019, for example, co-editor Cory Doctorow blogged about a Google study touting the benefits of 2FA.

Boing Boing said the breach occurred around midday Friday and that, once the issue was verified, the website’s security team removed the malicious code from its servers and changed passwords and access tokens.

The incident has prompted Boing Boing to set up a separate network log “so we are able to take action and determine the scope of a breach more thoroughly in the future,” the website’s leadership said. They advised recent visitors to the Boing Boing site to check their antivirus software for anything suspicious on their machines.

“From a systems security perspective, this is an excellent cautionary tale of the importance of individual user security,” Boing Boing’s statement reads.

“Even two-factor authentication and password hygiene can be compromised on the user’s end,” the statement continues, “and just because a particular issue … had been detected via third parties in the past, it always pays to consider all possible first-party infection vectors.”

Boing Boing has built up a devoted following over the years. In a 2008 story about the site, The New York Times noted that Boing Boing readers “can appear particularly intense” in their devotion to various subjects.

“Theirs is the intensity that comes from discovering that, indeed, there are other people who like to create detailed drawings on an Etch-a-Sketch or collect 100-year-old fantasies of what the future might look like or rage at the encroachment of technology companies and the government on personal privacy,” The Times wrote.
