Digital customers of the daily newspaper taz received no good news on December 23rd: the e-mail address used to manage subscribers to the app and the digital edition (ePaper) of the newspaper had been hacked, the sales company informed possible victims by e-mail shortly before Christmas. The criminals were reportedly able to access data such as name, address, email address and the identifier used to download the digital taz.
Initially, the publisher could not say which of the emails and other IDs stored on “[email protected]” had been spied out. On Monday, a taz spokeswoman told heise online that it is now clear that the attackers had “caught” several thousand email addresses “with a token for downloading the digital edition.” According to her, the hackers cracked the password of the “[email protected]” mailbox using a botnet and then downloaded e-mails from this mailbox.
“The attackers were able to crack the password by trying all possible combinations of characters (‘dictionary attack’),” explained the spokeswoman. This was only possible because the attack was “large-scale” and came from over 700 different IP addresses.
Password too easy
In its warning, taz had previously pointed out that its own “high security standards” had been undermined. The spokeswoman now admitted: “The complexity of the password was not high enough for the professional hackers.” The access credential was immediately replaced by a more complex passphrase.
According to the taz representative, the publisher has also reported the incident, and has now notified the Berlin supervisory authority of it in accordance with the provisions of the General Data Protection Regulation (GDPR). A spokesman for the capital’s data protection authority confirmed to heise online that the data breach report from taz was received on December 23rd. It is currently being checked and “if necessary, inquiries regarding the measures taken and the storage period will be made”. A further evaluation is currently not possible.
taz also explains that it is looking for other possible security gaps together with IT experts in order to close them. The warning from the day before Christmas Eve also said: “If you receive (or have received) e-mails from taz in which you are asked to click on a link or to call up a page that does not clearly belong to the domain taz.de, delete this mail.”