Taboola, a widget used by many electronic publishers to help readers find additional content, was hacked by the Syrian Electronic Army (SEA) yesterday.
"Today [Monday], between 7AM - 8AM EDT, an organization called the Syrian Electronic Army hacked Taboola’s widget on Reuters.com," said Taboola founder and CEO Adam Singolda in a blog. "The intruder was redirecting users that accessed article pages on reuters.com to a different landing page."
Taboola is also used by other popular websites, including Time, The Weather Channel, BBC, and USA Today, but the Reuters hack is the only one mentioned in the blog.
Taboola did not immediately address the SEA's claims that it had also hacked Taboola's Paypal account. The SEA posted a copy of what appears be the Paypal page of Taboola on its website.
"The breach was detected at approximately 7:25am, and fully-removed at 8am," said Singola. "There is no further suspicious activity across our network since, and the total duration of the event was 60 minutes.
"While we use 2-step authentication, our initial investigation shows the attack was enabled through a phishing mechanism. We immediately changed all access passwords, and will continue to investigate this over the next 24 hours."
"Websites need to think long and hard not only about the security of their own servers, but whether the companies who are providing widgets and plugins that power the websites are taking security as seriously themselves," said security expert Graham Cluley in a blog about the incident. "After all, at the end of the day, the typical user is going to view the incident as Reuters being hacked – not Taboola."