London’s Metropolitan Police has admitted that its public-facing news platform was compromised last Friday evening, leading to the publication of a string of offensive messages on Twitter.
Observers first noticed something was wrong after the Met’s Twitter feed, which has over one million followers, started to issue some bizarre messages at around 11pm.
These included missives such as “F*** THE POLICE FREE DA GANG!!,” “what you gonna do phone the police?,” and “XEON IS THE BEST FIGHTER IN SCOTLAND.”
It was later revealed that the incident wasn’t related to a compromise of the police force’s Twitter account but rather its Mynewsdesk platform.
The Met apologized to its subscribers and followers for the messages, which continued for the best part of an hour.
“The site is a micro site that is used to publish and distribute news from the Metropolitan Police. It can be used to generate emails and to send Tweets as well as publishing stories. The unauthorized content was sent out on Twitter and via email as well as appearing on the news site,” it explained in a statement.
“In response to the incident we are working closely with Mynewsdesk and specialist Met cyber-crime investigators to fully understand what has occurred and if there are criminal offenses. Immediate changes have been made to our accounts in response to the incident. There has been no compromise of the Met Police’s IT network.”
Donald Trump blamed London mayor Sadiq Khan for the incident, after retweeting a post by right-wing commentator Katie Hopkins.
The Met was also temporarily forced to use its @MPSOnTheStreet Twitter account rather than the main @MetPoliceUK account while it sorted the problem out.
The incident is a reminder for organizations to improve log-in security across public-facing sites, according to Stuart Sharp, global director of solution engineering at OneLogin.
“Whether it is marketing departments, sales teams, or DevOps, it is all too easy to start using a service and then just share credentials among a team. These passwords exist on Post-It notes, spreadsheets and emails and it seems that no one ever changes the password when a team member leaves the organization,” he argued.
“IT needs to communicate the security implications of using these services to line of business in an uncontrolled manner. Technically it’s not hard to do – organizations just have to take security more seriously.”