Imagine you’re an independent reporter embedded in a war zone. Ever since a rogue nation attacked the country you’re working in, you’ve published a blog with ground truth reporting, firsthand accounts of human rights abuses, profiles of civilian casualties, and troop movements. You’ve built a trusted network throughout the conflict area, and your work has a global reputation so solid, you’ve been cited by United Nations observers. Like many wars, the action sometimes happens at lightning speed, and other times it’s a slow, frozen conflict. And this is a slow news week.
As you’re preparing your weekly newsletter, though, you notice something new on the blog. “Heavy Artillery Moving in from the North, Prompting Immediate Retaliation” reads the headline. You find this deeply confusing – how could this headline be on the top of the page? Why does it have your byline? Who updated your website without telling you? Maybe it was one of your former collaborators.
By the time you click on the link, it’s dead: “404, Page Not Found.” For a minute, you think it was an odd quirk in your hosting platform and go about your work. But when the web traffic report comes in, you’re astounded how many hundreds of thousands of people clicked to your site today. Friends begin sending you screenshots of your website headed with the now-deleted headline, along with images of panicked civilians fleeing for safety up north.
You’ve never changed your passwords, and, indeed, one of your former collaborators let your credentials slip to malicious operatives. Now soldiers and civilians on both sides of the conflict don’t know what’s going on, and people are sure to get hurt.
Several variations of this story happened in 2020 in Poland and Lithuania. Hackers used password vulnerabilities to log into the back ends of several reputable news sites reporting on the tensions between Russia and NATO. Several fake stories were published, including fabricated images of German soldiers desecrating Jewish gravestones.
Though only online for a brief amount of time, attackers shared the stories broadly, propaganda sites cited the stories, and they were copied onto other sites. Analysts fear that the high speed of such planted stories can sow chaos in breaking news situations, leading to lost confidence in elections and even possible violence.
Making sure your passwords remain a tightly-held secret can prevent unwanted access to your public-facing sites. If you change them frequently and implement two-factor authentication, then you give attackers a moving target that’s much more difficult to breach, and you can also prevent old passwords from coming back to haunt you.
This is the best way to keep a hold on your reputation, as well. According to the International Women’s Media Forum and Trollbusters, two-thirds of women journalists have experienced online harassment, and a lot of that has to do with pitting professional and personal obligations against each other. The best way to keep professional and personal separate is by keeping your personal and professional passwords (and accounts) separate. I’ve written about how good cyber hygiene won’t end harassment altogether, but it can be empowering to know your private matters remain private while engaging in high-profile work like journalism.
Check out instructional videos in the “Beyond Simple Passwords” section of the GCA Cybersecurity Toolkit for Journalists for help in creating strong passwords and setting up two-factor authentication in various accounts.