Cyber Incident Victim: CNET
Date:
Jul 2014
Location:
Russia
Summary
A Russian hacker group known as W0rm breached servers belonging to CNET, compromising a database containing usernames, email addresses, and encrypted passwords for over one million users. The attackers exploited a security vulnerability in the site's implementation of the Symfony PHP framework, later claiming the intrusion aimed to raise awareness about security flaws rather than for financial gain, despite initially offering the stolen data for sale. CBS Interactive, CNET's parent company, acknowledged unauthorized access to several servers and stated the issue had been resolved while continuing to monitor for potential impacts. The group, which cited altruistic motives and prior high-profile breaches, withheld full exploit details, with security experts noting this approach could mitigate risks to affected users.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On July 14, 2014, CNET reported that the Russian hacker collective W0rm claimed responsibility for breaching its servers over the preceding weekend. The attackers asserted they stole a database containing usernames, email addresses, and encrypted passwords, later claiming this data encompassed over one million user accounts. A CBS Interactive spokeswoman confirmed unauthorized access to "a few servers," stating the compromise had been identified and resolved days prior to the public disclosure, with ongoing monitoring for potential impacts. W0rm representatives communicated via Twitter and direct messages with CNET News, initially offering to sell the database for one bitcoin (approximately $622) on July 14 but later clarifying this was solely to attract attention rather than a genuine commercial intent. The group stated they had no plans to decrypt passwords or finalize any sale.

Technical analysis revealed the attackers exploited a security vulnerability in CNET.com’s implementation of the Symfony PHP framework, a widely used web development tool. W0rm framed their actions as altruistic, targeting high-traffic sites like CNET—which recorded 27.1 million U.S. unique visitors in June 2014—to expose security flaws and improve internet safety. The group cited prior breaches of Adobe Systems, Bank of America, and BBC in late 2013 as part of this pattern. Web security expert Robert Hansen noted W0rm’s restraint in withholding specific exploit details and alerting the public about the compromise, suggesting the incident might ultimately benefit security awareness despite its disruptive nature. CBS Interactive properties, including CNET, ranked as the ninth-most-visited U.S. web destinations during May 2014, amplifying the breach’s visibility. The hackers acknowledged CNET’s security team’s competence while emphasizing unavoidable vulnerabilities in complex systems.
