Two Atlantic Media Employees Were Hacked This Morning

 Two Atlantic Media Employees Were Hacked This MorningAtlantic Media is continuing in its valiant effort to ward off hacking attempts after 123 staffers failed last week’s hacking drill.

In an email to employees this morning, chief technology officer Tom Cochran noted that a number of Atlantic employees have seen their email accounts hacked, including two just this morning.

Fortunately, he told The Observer, those attacks appear to be “crimes of opportunity,” not “targeted attacks” designed to get into Atlantic Media’s corporate system, and he set the employees up with two-step authentication after resetting their passwords.

“Don’t allow yourself to be hacked at the expense of compromising your sources or your professional credibility,” Mr. Cochran wrote today.trans Two Atlantic Media Employees Were Hacked This Morning

Mr. Cochran announced that everyone on staff will be required to add two-step authentication—which requires those who access a Gmail account to enter both their password (the first step) and a special code sent only to their phone (the second step)—to their Google accounts by June 30th. Already, he wrote, about half of the company has done so.

James Fallows, The Atlantic‘s longtime national correspondent, endorsed the system in his own email to Atlantic Media staff.

“If the people getting this note are anything like journalists in general, our initial response will be an eye-rolling ‘Oh, great, another security hassle,'” Mr. Fallows wrote. But it is worth it.

Mr. Fallows has been encouraging people to use two-step authentication since 2011, when his wife’s Gmail account was hacked and she nearly lost seven years’ worth of emails. “This is a really good move by the Atlantic,” he wrote in the email, “and you are nuts if you don’t also apply this protection to your personal email accounts.”

Here is the full email from Mr. Fallows:

From: James Fallows
To: Tom Cochran
Cc: Everyone at Atlantic Media
Date: Tuesday, June 4, 2013 11:30:39 AM
Subject: Re: Improving Atlantic Media security with 2-step authentication

If the people getting this note are anything like journalists in general, our initial response will be an eye-rolling “Oh, great, another security hassle.” And so on.

Tom didn’t ask me to send this note, but I am piling on to say: this is a really good move by the Atlantic, and you are nuts if you don’t also apply this protection to your personal email accounts. Including, if you now use a mail system that doesn’t have two-step protection, changing to a different provider, preferably Gmail. Details:
  • At that time, Google was just beginning to roll out their two-step security system. This was expensive for them to do and to maintain, but their argument was: it is by far the best protection against remote hacking.
  • USING IT IS EASIER THAN IT SEEMS. In practice (a) you install an app on an iPhone, Android, or other device, which keeps generating authentication codes even if you have no cell phone signal at all, and (b) Once every 30 days (in some circumstances, only one time, ever) you enter that code on your computer to verify your identity to Gmail. Also (c) for some apps, including your phone-based mail accounts, you enter a one-time-only code.
  • IT IS NOT SECURITY THEATER. It is actual security. If you use this system, it is *virtually* impossible for someone to hack your email account — and thus, from your Atlantic account, to enter our the whole corporate system — from some remote location. What has happened to the NYT and other organizations, of having their corporate email penetrated by either criminals or foreign governments/sources, in all probability could not have happened if they’d applied this approach.

So, I am as big a skeptic of normal security hassles, and spreading security-theater, as anyone. But the attempts to get into our corporate network are for real, and this is a genuine, very highly effective protection.  I now return you to Tom Cochran for  further tech info.

Jim Fallows
Article continues below
More from Politics
STAR OF DAVID OR 'PLAIN STAR'?   If you thought "CP Time" was impolitic, on July 2 Donald Trump posted a picture on Twitter of a Star of David on top of a pile of cash next to Hillary Clinton's face. You'd think after the aforementioned crime stats incident (or after engaging a user called "@WhiteGenocideTM," or blasting out a quote from Benito Mussolini, or...) Trump would have learned to wait a full 15 seconds before hitting the "Tweet" button. But not only was the gaffe itself bad, the attempts at damage control made the BP oil spill response look a virtuoso performance.  About two hours after the image went up on Trump's account, somebody took it down and replaced it with a similar picture that swapped the hexagram with a circle (bearing the same legend "Most Corrupt Candidate Ever!"!). Believe it or not, it actually got worse from there. As reports arose that the first image had originated on a white supremacist message board, Trump insisted that the shape was a "sheriff's star," or "plain star," not a Star of David. And he continued to sulk about the coverage online and in public for days afterward, even when the media was clearly ready to move on. This refusal to just let some bad press go would haunt him later on.
Donald Trump More Or Less Says He’ll Keep On Tweeting as President