Motherboard

Hacker Steals Passwords for Science Site EurekAlert!, Leaks Embargoed News

The site has been taken down to stop more embargoed news being leaked.

by Joseph Cox
Sep 14 2016, 12:05pm

Image: Che Saitta-Zeltermann

Popular science website EurekAlert!, which handles embargoed reports on health, medicine, and technology, has been hacked, according to an announcement on the site published Tuesday.

The announcement states that usernames and passwords to the service have been compromised, although it does not say whether the passwords were in plain text or hashed. The hacker has also leaked two embargoed reports.

At the time of writing, the rest of the EurekAlert! site is inaccessible.

"We are taking this step out of an abundance of caution. The integrity of content on our website is of the utmost concern to us," the site reads.

EurekAlert! says it was informed of the breach on Sunday, and after an investigation, discovered that it had been targeted the previous Friday.

Image: screenshot of the EurekAlert! site on Wednesday

Often, researchers will distribute their work to journalists under embargo, before publicly releasing it. EurekAlert!, which is run by the American Association for the Advancement of Science (AAAS), sends embargoed news posts and papers to reporters on behalf of many institutions and journals.

"As we were working to implement a secure password-reset protocol for all registrants, the unknown hacker publicly released an embargoed EurekAlert! news release. We then decided to bring the site down immediately, to protect other embargoed content," the announcement continues.

Ginger Pinholster, a spokesperson for EurekAlert!, pointed Motherboard to a Twitter account that appeared to have posted details on two embargoed reports from the service. The hacker had dumped news releases for apparent papers from the University of Sussex and the University of Montreal onto Pastebin before their embargoes were lifted.

"Twitter has been contacted," Pinholster added.

EurekAlert! claims that no financial information of subscribing institutions has been compromised.

"We deeply regret the inconvenience that this security breach and the related site outage may cause reporters and public information officers. We will bring the site back online as soon as we can ensure that vulnerabilities have been eliminated," the announcement finishes.

The lesson: Anyone subscribed to EurekAlert! should reset their password as soon as possible, if EurekAlert! hasn't already reset it for them. Users who share the same password between multiple services should change it on those services too.
