News of the incident broke on Twitter on Tuesday evening after a hacker calling himself ‘w0rm’ posted a purported screenshot of a Wall Street Journal database. ‘W0rm’ – also known as ‘Rev0lver’ on the darknet – subsequently tried to sell access to this data for 1 bitcoin, or about £363.
US security firm IntelCrawler alerted WSJ to the breach and advised the media giant that the access was genuine and would give would-be buyers the ability to “modify articles, add new content, insert malicious content in any page, and add new users.”
"We confirmed there is the opportunity to get access to any database on the wsj.com server, a list of more than 20 databases hosted on this server," said the firm.
The newspaper, which saw its Facebook page compromised earlier in the week with fake messages of an Air Force One plane being taken down over Ukrainian airspace, has since reported on the issue and said that computer systems housing news graphics were “hacked by outside parties”. The article says that these systems were taken offline in a bid to isolate the attacks, and stresses that the intrusion did not affect Dow Jones customers or customer data.
W0rm – who runs an online marketplace (w0rm.in), where hackers sell information about security flaws – is also believed to have been behind attacks against other media organisations, including Vice Media this week and CNET last week. He also allegedly attempted to sell FTP credentials to a server belonging to the BBC at the end of last year.
Responding to the news, Tripwire director of security and risk Tim Erlin said that the hack shows that hackers are exploiting a widening attack surface.
“As the demands on web-based applications increase, so do the systems that support the user experience through the browser,” said Erlin in an email to journalists.
“An increasingly complex ecosystem of supporting technology allows for far richer interaction, but the cost is often a much larger attack surface. SQL injection, and other web-based attacks, are often difficult to identify consistently and require changes to custom code to fix them.”
He added: “This isn't a case where WSJ simply failed to apply a patch. Testing for these kinds of vulnerabilities can be done directly on the code itself or through interaction with the application, but both approaches have their limitations. The most effective means of preventing these kinds of attacks is to build security into the software development lifecycle and avoid introducing the vulnerabilities in the first place.”