No, the Met Police wasn’t hacked. But its Twitter account and website were hijacked

Graham Cluley

Hacker hijacks Met Police's Twitter account

Late on Friday night, some rather out-of-character tweets seemed to be coming out of New Scotland Yard.

The Twitter account of London’s Metropolitan Police (@metpoliceuk) broadcast to its more than one million followers a series of bizarre and sometimes offensive messages:

Met Police Satoshi tweet

Met Police tweets

What’s more, the tweets pointed to suspect content in the news release section of the official Met Police website:

Met police website

And emails were sent to people who had signed up for notifications about news releases:

Met police email

All very juvenile stuff…

Thankfully, Met Police Superintendent Roy Smith took to Twitter to confirm that this wasn’t New Scotland Yard trying to be “down with the kids”, and the account was reasonably swiftly brought back under control.

My guess is that the nature of the links posted by whoever was behind the attack, and the content that some of them linked to (which appeared to doxx an individual) might well point the authorities in the direction of those who might be responsible.

Someone, however, hadn’t guessed the password to the Met Police’s Twitter account or hacked into its website.

You see, as they later confirmed, the Met Police had been using a service called Mynewsdesk that is supposed to make it simple to create a piece of content (such as a press release), and then automatically update your website and social media outlets, and send an email notification to mailing list subscribers.

It was Mynewsdesk that updated the Met Police’s Twitter account, and posted the bizarre messages on the Met Police’s website. The Met Police’s own systems had not been hacked.

And the Met Police’s news section is only really the Met Police’s website in name. It’s actually hosted on Mynewsdesk infrastructure:

Met police dns record

So someone, somehow, managed to hijack control of the Met Police’s Mynewsdesk account. And that’s why the tweets got posted, and that’s why the emails were sent, and that’s why the Met Police’s website was updated.

It feels most likely that the Mynewsdesk account was compromised because of a common reason like password reuse or the phishing of credentials, but it’s also possible that there was a vulnerability in Mynewsdesk which allowed a hacker to gain access.

I can certainly sympathise with the Met Police if the problem was entirely at Mynewsdesk’s end. Two years ago my personal Twitter account began to post some pretty bizarre messages after a third party app I had linked was compromised by a hacker.

Whenever you give a third-party service permission to access your Twitter account, website, or mailing list you are placing trust in their ability to act responsibly with that power, and only allow authorised users to use it.
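As an added example (not from the original article), here is one way to inventory hostnames under your own domain that are actually served by a third party, as the Met Police's news section was. The zone excerpt, `example.org` and the provider hostnames are constructed placeholders, and `OWN_DOMAINS` is an assumption you would replace with the domains you control.

```python
# Added example: list hostnames delegated to third parties via CNAME.
# The zone excerpt, example.org and the provider names are constructed placeholders.
ZONE = """\
$ORIGIN example.org.
www      3600 IN A      192.0.2.10
news     3600 IN CNAME  customer.newsroom-provider.example.
status   300  IN CNAME  pages.status-provider.example.
intranet 3600 IN CNAME  gw.corp.example.org.
mail     3600 IN MX     10 mx1.example.org.
shop          IN CNAME  stores.shop-provider.example.  ; TTL omitted
"""
OWN_DOMAINS = ("example.org.",)  # assumption: domains the organisation controls

def absolute(name, origin):
    """Return a lower-case fully qualified name with a trailing dot."""
    name = name.lower()
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin.lstrip('.')}"

def is_own(fqdn, own_domains=OWN_DOMAINS):
    """True if fqdn equals, or is a subdomain of, a domain we control."""
    return any(fqdn == d or fqdn.endswith("." + d) for d in own_domains)

def third_party_cnames(zone_text, own_domains=OWN_DOMAINS):
    """Return sorted (hostname, target) pairs whose CNAME leaves our domains."""
    origin, found = ".", []
    for raw in zone_text.splitlines():
        fields = raw.split(";", 1)[0].split()  # drop comments, tokenise
        upper = [f.upper() for f in fields]
        if len(fields) == 2 and upper[0] == "$ORIGIN":
            origin = absolute(fields[1], ".")
        elif "CNAME" in upper[1:-1]:  # needs an owner before and a target after
            idx = upper.index("CNAME", 1)
            host = absolute(fields[0], origin)
            target = absolute(fields[idx + 1], origin)
            if not is_own(target, own_domains):
                found.append((host, target))
    return sorted(found)

if __name__ == "__main__":
    for host, target in third_party_cnames(ZONE):
        print(f"{host} -> {target}  (served by a third party)")
```

Each hostname it reports is one where the third party's account security, not your own, decides what visitors see under your name.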

For more discussion on this topic be sure to listen to this episode of the “Smashing Security” podcast:

Smashing Security #138: 'Logic bombs, brain data exploitation, and Digga D tweets'


Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.
