Two Atlantic Media Employees Were Hacked This Morning

Atlantic Media is continuing in its valiant effort to ward off hacking attempts after 123 staffers failed last week’s hacking drill.

In an email to employees this morning, chief technology officer Tom Cochran noted that a number of Atlantic employees have seen their email accounts hacked, including two just this morning.

Fortunately, he told The Observer, those attacks appear to be “crimes of opportunity,” not “targeted attacks” designed to get into Atlantic Media’s corporate system, and he set the employees up with two-step authentication after resetting their passwords.

“Don’t allow yourself to be hacked at the expense of compromising your sources or your professional credibility,” Mr. Cochran wrote today.

Mr. Cochran announced that everyone on staff will be required to add two-step authentication—which requires those who access a Gmail account to enter both their password (the first step) and a special code sent only to their phone (the second step)—to their Google accounts by June 30th. Already, he wrote, about half of the company has done so.

James Fallows, The Atlantic’s longtime national correspondent, endorsed the system in his own email to Atlantic Media staff.

“If the people getting this note are anything like journalists in general, our initial response will be an eye-rolling ‘Oh, great, another security hassle,’” Mr. Fallows wrote. But it is worth it.

Mr. Fallows has been encouraging people to use two-step authentication since 2011, when his wife’s Gmail account was hacked and she nearly lost seven years’ worth of emails. “This is a really good move by the Atlantic,” he wrote in the email, “and you are nuts if you don’t also apply this protection to your personal email accounts.”

Here is the full email from Mr. Fallows:

From: James Fallows
To: Tom Cochran
Cc: Everyone at Atlantic Media
Date: Tuesday, June 4, 2013 11:30:39 AM
Subject: Re: Improving Atlantic Media security with 2-step authentication

If the people getting this note are anything like journalists in general, our initial response will be an eye-rolling “Oh, great, another security hassle.” And so on.

Tom didn’t ask me to send this note, but I am piling on to say: this is a really good move by the Atlantic, and you are nuts if you don’t also apply this protection to your personal email accounts. Including, if you now use a mail system that doesn’t have two-step protection, changing to a different provider, preferably Gmail. Details:
  • At that time, Google was just beginning to roll out their two-step security system. This was expensive for them to do and to maintain, but their argument was: it is by far the best protection against remote hacking.
  • USING IT IS EASIER THAN IT SEEMS. In practice (a) you install an app on an iPhone, Android, or other device, which keeps generating authentication codes even if you have no cell phone signal at all, and (b) Once every 30 days (in some circumstances, only one time, ever) you enter that code on your computer to verify your identity to Gmail. Also (c) for some apps, including your phone-based mail accounts, you enter a one-time-only code.
  • IT IS NOT SECURITY THEATER. It is actual security. If you use this system, it is *virtually* impossible for someone to hack your email account — and thus, from your Atlantic account, to enter our whole corporate system — from some remote location. What has happened to the NYT and other organizations, of having their corporate email penetrated by either criminals or foreign governments/sources, in all probability could not have happened if they’d applied this approach.

So, I am as big a skeptic of normal security hassles, and spreading security-theater, as anyone. But the attempts to get into our corporate network are for real, and this is a genuine, very highly effective protection. I now return you to Tom Cochran for further tech info.

Jim Fallows