EurekAlert! Security Breach (with Updates)

I thought many in the science communication community would want to know about a security breach at EurekAlert!, and what that means for the service. I’m running the update from AAAS in its entirety below (retrieved from this page), and will run any updates as I receive them. [Multiple updates added. See below.]

Initial Notification from EurekAlert!

September 13, 2016 – 10:10 p.m. EDT

Dear EurekAlert! Registrants:

The EurekAlert! website has been taken offline as AAAS works diligently to address a serious security breach.

We are taking this step out of an abundance of caution. The integrity of content on our website is of the utmost concern to us. On September 11, we were notified of a potential breach to our system. An investigation revealed that our website had experienced an aggressive attack on September 9 that compromised usernames and passwords. As we were working to implement a secure password-reset protocol for all registrants, the unknown hacker publicly released an embargoed EurekAlert! news release. We then decided to bring the site down immediately, to protect other embargoed content.

Please be assured that financial information from subscribing institutions is not stored on the EurekAlert! website and therefore remained secure. Registrants’ usernames and passwords were compromised, however.

We deeply regret the inconvenience that this security breach and the related site outage may cause reporters and public information officers. We will bring the site back online as soon as we can ensure that vulnerabilities have been eliminated. Please email the EurekAlert! team at webmaster@eurekalert.org, or contact me directly with any questions or concerns.

Ginger Pinholster

Chief Communications Officer and Director, Office of Public Programs

American Association for the Advancement of Science

Update from EurekAlert!, Sept. 14

Dear EurekAlert! PIO-Registrants:

The EurekAlert! website unfortunately remains offline as we work around the clock to identify the vulnerabilities that caused the recent security breach. We will be running tests overnight in hopes of providing a more concrete operational timeframe on Thursday morning.

With restoration of the site, we plan to institute a site-wide password reset for all registrants, and require more complex composition of user passwords to increase security, moving forward. Inactive registrant records will also be removed to decrease vulnerability of individual accounts.

Meanwhile, our staff will continue to connect reporters seeking information on previously posted news releases with the relevant PIO contacts. We regret that we cannot accept new press release submissions at present.

Due to our current technical difficulties, the distribution of the embargoed PNAS PIO Tipsheet and advance embargoed copies of PNAS articles for September 19-23 will also be delayed until the site is restored. However, if the issue remains unresolved until the PNAS embargo of Monday, September 19, 3:00 PM US Eastern Time, PNAS will distribute a Tipsheet for immediate release at the time of scheduled publication of the highlighted articles on Monday. We apologize for the inconvenience.

Please email the EurekAlert! team at webmaster@eurekalert.org or call 202-326-6716 with any questions or concerns. Thank you for your understanding and support of the extenuating circumstances.

The EurekAlert! Team

Update from EurekAlert!, Sept. 15

As you know, an aggressive September 9 attack on the EurekAlert! website compromised registrants’ usernames and passwords, and resulted in the premature release of two embargoed news releases. The integrity of EurekAlert!’s content and infrastructure remains our primary concern at AAAS. We deeply regret the inconvenience that this hack has caused, and we are taking deliberate steps to restore and strengthen the system.

The AAAS team has been working around the clock to bring EurekAlert! and its vast and unique science-news archive, dating to 1996, back online. We are doing so in a planned and methodical way so that when we do re-launch the site, we will be better positioned to thwart future attacks. We have rebuilt the EurekAlert! system environment and will continue to put it through intensive cyber-security testing until we are confident that it meets the high level of security and integrity that you have come to expect from EurekAlert!. After the site is re-launched, all registrants will be prompted to create a new password that meets modern standards for password complexity. We are currently optimistic that all of this can be achieved by the weekend.

We recognize that the September 9 hacking incident has caused significant inconveniences for thousands of registered journalists and public information officers who work to communicate science to the public. We look forward to re-launching a greatly improved and more robust EurekAlert! website, which will offer enhanced protection against attacks. We remain grateful for the continuing support of our community.

Ginger Pinholster

Chief Communications Officer and Director, Office of Public Programs
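The Sept. 14 and Sept. 15 notices above describe the remediation in general terms: a site-wide forced password reset, stricter password requirements, and removal of inactive registrant accounts. AAAS did not publish how any of that was implemented. The following is an added, self-contained illustration of such a post-compromise credential reset, written for this page and not taken from EurekAlert! or AAAS. Everything in it is an assumption for the sake of the example: the in-memory account store, the use of scrypt for password hashing, the 24-hour token lifetime, the 12-character minimum, the constructed breached-password denylist, and the sample registrants and timestamps.

```python
"""Forced credential reset after a password-database compromise (illustrative).

Assumptions of this example: in-memory store, scrypt via hashlib, 24 h reset
tokens, a length-plus-denylist password policy. None of this is AAAS code.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional

TOKEN_TTL_SECONDS = 24 * 3600   # assumption: reset links valid for one day
MIN_PASSWORD_LENGTH = 12        # assumption: length rather than composition rules
# Constructed denylist standing in for a real breached-password corpus.
BREACHED_PASSWORDS = {"password1234", "eurekalert2016", "qwertyuiop12"}


@dataclass
class Account:
    username: str
    pw_hash: Optional[bytes] = None    # None => login disabled until reset completes
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    last_login: float = 0.0
    reset_token_hash: Optional[bytes] = None   # only the hash of the token is stored
    reset_expires: float = 0.0


def hash_password(password: str, salt: bytes) -> bytes:
    # Memory-hard KDF with a per-user random salt; parameters are example values.
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)


def password_policy_errors(password: str) -> List[str]:
    """Length and breached-list checks, the approach NIST SP 800-63B favours."""
    errors = []
    if len(password) < MIN_PASSWORD_LENGTH:
        errors.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    if password.lower() in BREACHED_PASSWORDS:
        errors.append("appears in breached-password list")
    return errors


class CredentialStore:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def add(self, username: str, password: str, last_login: float) -> None:
        acct = Account(username=username, last_login=last_login)
        acct.pw_hash = hash_password(password, acct.salt)
        self.accounts[username] = acct

    def purge_inactive(self, now: float, max_idle_seconds: float) -> List[str]:
        """Drop dormant accounts so they cannot be taken over via stale credentials."""
        stale = [u for u, a in self.accounts.items() if now - a.last_login > max_idle_seconds]
        for u in stale:
            del self.accounts[u]
        return stale

    def force_reset_all(self, now: float) -> Dict[str, str]:
        """Disable every stored password and mint one single-use token per user.
        Returns {username: plaintext token} for the mailer; the server keeps only
        the SHA-256 of the token, so a second database leak does not leak tokens."""
        tokens = {}
        for acct in self.accounts.values():
            acct.pw_hash = None
            token = secrets.token_urlsafe(32)
            acct.reset_token_hash = hashlib.sha256(token.encode()).digest()
            acct.reset_expires = now + TOKEN_TTL_SECONDS
            tokens[acct.username] = token
        return tokens

    def complete_reset(self, username: str, token: str, new_password: str, now: float) -> bool:
        acct = self.accounts.get(username)
        if acct is None or acct.reset_token_hash is None:
            return False
        presented = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(presented, acct.reset_token_hash):   # constant-time
            return False
        if now > acct.reset_expires or password_policy_errors(new_password):
            return False
        acct.salt = secrets.token_bytes(16)          # fresh salt with the new password
        acct.pw_hash = hash_password(new_password, acct.salt)
        acct.reset_token_hash = None                 # token is single use
        return True

    def verify_login(self, username: str, password: str, now: float) -> bool:
        acct = self.accounts.get(username)
        if acct is None or acct.pw_hash is None:     # pending reset => no login
            return False
        if not hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
            return False
        acct.last_login = now
        return True


def demo() -> Dict[str, object]:
    now = 1_473_811_200  # constructed: 2016-09-14T00:00:00Z
    store = CredentialStore()
    store.add("reporter1", "OldPassw0rd!", last_login=now - 86400)            # constructed
    store.add("pio_dormant", "whatever-1234", last_login=now - 3 * 365 * 86400)  # constructed
    purged = store.purge_inactive(now, max_idle_seconds=2 * 365 * 86400)
    tokens = store.force_reset_all(now)
    old_login = store.verify_login("reporter1", "OldPassw0rd!", now)
    weak = store.complete_reset("reporter1", tokens["reporter1"], "password1234", now)
    ok = store.complete_reset("reporter1", tokens["reporter1"], "correct horse battery staple", now)
    replay = store.complete_reset("reporter1", tokens["reporter1"], "another long passphrase", now)
    new_login = store.verify_login("reporter1", "correct horse battery staple", now)
    return {"purged": purged, "old_login": old_login, "weak": weak,
            "ok": ok, "replay": replay, "new_login": new_login}
```

Two points the notices do not spell out but a practitioner would check: old password hashes are invalidated at the moment of the forced reset rather than when a user happens to return, so a leaked hash cannot be used in the interim, and the reset tokens are stored only as hashes with a short lifetime and single use, so the reset mechanism itself does not become a second credential database. The policy deliberately prefers length and a breached-password check over composition rules, in line with NIST SP 800-63B.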

Update from EurekAlert!, Sept. 18

Significant progress has been made toward a full recovery of the EurekAlert! website following the aggressive cyber-attack of September 9.

Through the continuous and painstaking efforts of a large team of IT professionals at AAAS, the entire EurekAlert! system environment has now been rebuilt, and we have subjected it to multiple rounds of cyber-security testing to ensure that it meets the highest standards of security. Some 300,000 news releases in our historic archive, dating to the site’s inception in 1996, have been safely migrated into the new system environment. With these improvements, and as a first step toward the complete re-launch of our science-news service, we are optimistic that we can bring all public pages back online tomorrow.

The integrity of our content and the security of our registrants’ login information remain of paramount concern, and we have therefore made the difficult decision to postpone the re-launch of our restricted-access sections until we can ensure that registrants’ usernames and passwords as well as our journal partners’ embargoed materials will be fully protected from cyber-threats. We do not yet have a date for this step, but we will communicate it to you as soon as it can be confirmed.

Reporters and public information officers have been profoundly inconvenienced by this cyber-attack on EurekAlert!, and we apologize for the continuing disruption in your efforts to communicate science to the public. We will be contacting journals featured on EurekAlert! to offer any assistance possible in getting press packages to reporters and responding to media requests this week. The Science press packages will roll out to reporter-registrants on time tonight, via e-mail. For the institutions and journal publishers that contribute so much newsworthy content to our website, we will provide an appropriate complimentary extension of all annual subscriptions, to reflect the current loss of service.

We pledge to continue working diligently to restore EurekAlert! quickly and responsibly, and we thank you for the support that you have shown us.

Ginger Pinholster

Chief Communications Officer and Director, Office of Public Programs

American Association for the Advancement of Science

Update from EurekAlert!, Sept. 20

We have re-launched the public sections of the EurekAlert! website, consisting of an archive of some 300,000 science news releases dating back two decades, as a first step towards restoring services following the aggressive cyber-attack of September 9.

While the website is updated with news releases submitted to us prior to our September 12 closure, reporter- and PIO-registrants will not be able to log in and no new registrations will be accepted until we complete security upgrades to the restricted-access sections of the site. No new press-release submissions will be accepted at this time.

We are working with our journal partners to provide limited services to reporters while AAAS IT continues to work around-the-clock to bring back the full suite of EurekAlert! services. We will provide further updates as they become available.

Brian Lin

Director, Editorial Content Strategy, EurekAlert!

Update from EurekAlert!, Sept. 23

As we proceed with strengthening and re-launching EurekAlert! in the wake of the September 9 hacking incident, we wanted to give you an update on what steps we are taking, where we stand in the process, and what we’re doing to facilitate the dissemination of science news in this period before full restoration. The EurekAlert! community has been supportive and patient, and we want to be transparent with you about our progress and the remaining steps.

Our public “read-only” pages went back online earlier this week. Embargoed news sections remain offline as our IT team works around the clock to put strong safeguards in place to repel future cyber-attacks. This means that public information officers are still unable to log onto EurekAlert! to submit news releases, and reporters cannot log on to browse potential science-news stories.

We have been persistent in our efforts to facilitate the dissemination of science news, however. EurekAlert! team members have been working closely with journal publishers to distribute embargoed press packages to registered reporters via e-mail, and to connect reporters with public information officers. AAAS has further pledged to provide a complimentary extension of annual subscriptions to reflect the current loss of service to institutions that contribute newsworthy content to our website.

Our IT team has rebuilt the entire EurekAlert! system environment and subjected it to multiple rounds of cyber-security testing. All 300,000 news releases in our archive have been migrated to the new system environment over the past few days – an undertaking that typically takes weeks. Now, the team is putting a redoubled firewall in place to protect the site’s underlying structure and content. They are also repeatedly testing all encrypted connections and strengthening the password protocol. These improvements are being implemented as quickly as possible, but without taking any short-cuts or in any way compromising the rigor of our new security system.

The integrity of our site’s content and the security of our registrants’ login information continue to drive all of our efforts. We have made the difficult decision to remain offline until we can ensure that EurekAlert! meets the highest standards of Internet security. Barring unforeseen challenges, continued improvements may require another week of round-the-clock work.

We know that the site’s continued outage poses challenges for reporters and public information officers who use EurekAlert! as part of their news-gathering efforts. We deeply regret this inconvenience. Please be assured that the re-launch of EurekAlert! is our top priority. We are now on the runway for a successful re-launch, and we know that the new EurekAlert! will be stronger, more secure, and faster than before. We look forward to unveiling it soon. Meanwhile, thank you for hanging in there with us.

Sincerely,

Ginger Pinholster

Chief Communications Officer and Director, Office of Public Programs

American Association for the Advancement of Science

Brian Lin

Director, Editorial Content Strategy, EurekAlert!

Update from EurekAlert!, Oct. 2

The reporter and public information officer (PIO) sections of EurekAlert! are now operational, following an extensive restoration effort in the wake of the September 9 hacking incident.

To resume using the reporter and PIO features, please follow the instructions below to reset your password at your earliest convenience.

We are offering extended business hours to provide assistance today and in the upcoming week. New press releases will be added to the embargoed and breaking news feeds as soon as they are processed. New embargoed journal content will be added to the reporter- and PIO-only areas beginning Monday, Oct 3. The EurekAlert! Express email alert service will resume Monday night.

News releases submitted between Sept. 9 and Sept. 13 will need to be re-submitted, as they were removed during the site rebuild. We apologize for the inconvenience and will re-post these releases as quickly as possible.

We have been grateful for your support during our outage and will reach out to annual subscribers with additional information regarding a service extension. Should you encounter any issues, please don’t hesitate to contact us at webmaster@eurekalert.org or +1-202-326-6716.
