Threat Management

Taboola hack allows SEA to redirect Reuters site visitors

Ad network Taboola, whose widget was hosted on, has revealed that it was compromised by the Syrian Electronic Army.

Over the weekend, reports about Reuters site visitors being redirected to a hacker-operated web page began to surface. And by Monday, Taboola confirmed via a company blog post that it had been hacked on Sunday morning– as well as the chain of events that led to the incident.  

Ultimately, users trying to read a Reuters article titled, “Attack from Syria kills teen on Israeli-occupied Golan,” were redirected to a page saying, “hacked by Syrian Electronic Army.” A message also taunted the news organization, telling Reuters to “stop publishing fake reports and false articles about Syria."

According to Taboola, hacktivists used a phishing lure to carry out the feat.

“The attacker used the fact [that] a Taboola user, who had access to widget editing capabilities within our back-office dashboard ("Backstage"), used the same password for [their] email account and Backstage,” the blog post said. “This user fell victim to a targeted phishing attack, and provided their email password to the attacker. While we used two-factor authentication for our email, we didn't use such methods for Backstage, and so the attacker was able to get in.”

With newfound access, SEA was able to edit the header of a Reuters widget, adding an HTML meta refresh tag, which allowed the redirection, Taboola revealed.

Last August, SEA used a similar attack scheme to target The Washington Post, CNN and Time. In that incident, visitors who clicked recommendation links featured on any of the victim sites were redirected to pages controlled by the pro-Assad hacker collective. SEA compromised a third-party content recommendation service called Outbrain, to facilitate the hack.

As of Monday, Taboola said the SEA incident was “fully resolved,” after it blocked the attacker's access to the account in question.

The company also said that it would develop two-factor authentication for Backstage users, and remove a dashboard feature which allows users to enter HTML snippets for widget parts.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.