I, along with quite a few people on my twitter feed, noticed that something wasn’t quite write with the Met Police twitter account. Here’s a look at what happened and alos a waring about embedding content in your public-facing website…:
Late on Friday night, some rather out-of-character tweets seemed to be coming out of New Scotland Yard.
The Twitter account of London’s Metropolitan Police (@metpoliceuk) broadcast to its more than one million followers a series of bizarre and sometimes offensive messages.
We are aware that the @metpoliceuk has been subject to unauthorised access and our media team are working hard to delete the messages and ensure the security of the account. Please ignore any Tweets until we verify that it is back under official control. RT
— Supt Roy Smith (@roysmithpolice) July 19, 2019
You see, as they later confirmed, the Met Police had been using a service called Mynewsdesk that is supposed to make it simple to create a piece of content (such as a press release), and then automatically update your website and social media outlets, and send an email notification to mailing list subscribers.
It was Mynewsdesk that updated the Met Police’s Twitter account, and posted the bizarre messages on the Met Police’s website. The Met Police’s own systems had not been hacked.
And the Met Police’s news section is only really the Met Police’s website in name. It’s actually hosted on Mynewsdesk infrastructure:
So someone, somehow, managed to hijack control of the Met Police’s Mynewsdesk account. And that’s why the tweets got posted, and that’s why the emails were sent, and that’s why the Met Police’s website was updated.
Whether the Mynewsdesk account was compromised because of a common reason like password reuse or the phishing of credentials feels most likely but it’s also possible that there was a vulnerability in Mynewsdesk which allowed a hacker to gain access.