Cyber Incident Victim: The Standard Hong Kong
Date: Dec 2016
Location: Hong Kong
Summary
Hackers breached a Hong Kong newspaper's website by exploiting a SQL injection vulnerability in its CMS, accessing databases containing approximately 12,000 users. The attackers leaked partial customer and employee records—approximately a quarter of the total data—publicly disclosing confidential information while withholding the majority due to legal concerns. They claimed the intrusion aimed to expose cybersecurity weaknesses and embarrass the organization, emphasizing their intent to raise institutional awareness rather than pursue full data exposure. The perpetrators, affiliated with past cyberattacks against government entities, described the compromised data as highly sensitive and justified their actions as a demonstration of inadequate security practices.

| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |

| Threat Actors | Type | Location |
|---|---|---|
| 2 actors | Available to members | Available to members |

Description
On December 24, 2016, hackers operating under the aliases @Cryptolulz666 and @EvoIsGod publicly disclosed a breach of The Standard Hong Kong newspaper’s website (thestandard.com.hk). The attackers exploited a SQL injection vulnerability in the website’s content management system (CMS) to gain unauthorized access to its database. They extracted approximately 12,000 user records but published only a quarter of this data on Pastebin, citing legal concerns as the reason for withholding the remainder. The leaked information included tables labeled "Customers" and "Employees," which the hackers described as containing confidential details warranting privacy protection. @Cryptolulz666 confirmed the breach in communications with a Security Affairs reporter, emphasizing that the attack aimed to expose inadequate cybersecurity practices rather than maximize data exposure. No internal detection mechanisms or containment efforts by The Standard were documented in the available sources, leaving the timeline between initial compromise and public disclosure unclear.

The attackers identified themselves as cybersecurity activists seeking to "embarrass institutions" by highlighting vulnerabilities, specifically referencing the SQL injection flaw as a "silly" oversight. @Cryptolulz666, a self-described former member of the "Powerful Greek Army" hacking group, had prior involvement in attacks against government entities, including DDoS campaigns targeting an Italian government visa website and a Russian Federal Drug Control Service liquidation commission site. The breach’s confirmed impacts were limited to the partial data leak, with no recorded disruptions to website operations or additional post-incident actions by The Standard. Public exposure occurred exclusively through Pastebin and the hackers’ Twitter accounts, with no verified reports of secondary data misuse. The incident underscored the persistence of basic web application vulnerabilities in media infrastructure and the operational risks posed by ideologically motivated attackers prioritizing reputational damage over financial gain.
