Cyber Incident Victim: Sizmek Inc.
Date: Dec 2018
Location: United States of America
Summary
An online advertising firm experienced a security breach where a hacker gained unauthorized access to a user account within its advertising platform, enabling modification of ad creatives and analytics for major brands. The compromised account, auctioned on a cybercrime forum, allowed potential manipulation of campaigns for clients including media companies and prominent advertisers. While the attacker claimed administrative privileges, the company clarified it was a standard user account. In response, the organization forced password resets for internal employees and initiated audits to remove inactive accounts belonging to former personnel and vendors. The intrusion method remained unconfirmed, though broader industry trends suggested possible credential-based attacks like password spraying. The incident highlighted risks of ad campaign hijacking, malicious code injection, or unauthorized profit diversion through compromised advertising systems.
Description
In late December 2018 or early 2019, Sizmek Inc., a major global advertising network serving over 20,000 advertisers across 70 countries, experienced a security breach involving unauthorized access to its Sizmek Advertising Suite (SAS) platform. The incident came to light when an advertisement appeared on a Russian-language cybercrime forum auctioning access to what the seller claimed was an administrative account for a "big American ad platform," with starting bids at $800. The seller provided screenshots showing user management capabilities—including the ability to add users, edit existing accounts, and modify advertising creatives—alongside Alexa ranking data matching Sizmek's web traffic statistics. Forensic analysis of the screenshots revealed the compromised account(s) belonged to former employees and vendors whose access had not been properly revoked, with identifiable user panels referencing major clients including Fox Broadcasting, Gannett, Hearst Digital, Kohler, and Pandora.

Sizmek's investigation confirmed the breached account was a standard user credential rather than an administrator account, though it retained privileges to alter ad campaign content across client accounts. The company responded by forcing password resets for all internal employees (numbering "a few hundred") and auditing its SAS user database to remove inactive accounts belonging to departed personnel and third-party vendors. General Counsel George Pappachen acknowledged the platform lacked multi-factor authentication for legacy systems, though newer products had implemented mobile/app-based verification. While no confirmed malicious activity was documented, the compromise created risks of ad campaign hijacking, referral commission theft, or injection of malicious code into ads displayed on high-traffic websites. The breach's origin remained undetermined, though security researchers contemporaneously observed increased targeting of corporate accounts via "password spraying" attacks—automated credential guessing using common passwords—and "brute-force light" techniques leveraging compromised IoT devices to test slight password variations. These methods were notably implicated in a separate Citrix breach disclosed around the same timeframe, where Resecurity reported intrusion evidence dating to December 28, 2018. Sizmek's review focused on detecting potential system intrusions stemming from the exposed credentials while emphasizing the operational necessity of rigorous access revocation protocols for former personnel.
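
The account audit described above can be sketched as a cross-check of a platform user export against offboarding records. This is an added example, not Sizmek's tooling or code from the original report; the field names, the 90-day idle threshold, and all sample records are constructed assumptions.

```python
from datetime import date

# Constructed sample data (not Sizmek records). Field names are assumptions.
USERS = [
    {"login": "a.ng", "owner": "emp:1001", "last_login": date(2018, 12, 20),
     "mfa": True, "can_edit_creatives": True},
    {"login": "b.ross", "owner": "emp:1002", "last_login": date(2018, 6, 2),
     "mfa": False, "can_edit_creatives": True},
    {"login": "agency-x", "owner": "vendor:77", "last_login": date(2018, 12, 27),
     "mfa": False, "can_edit_creatives": True},
    {"login": "c.lee", "owner": "emp:1003", "last_login": date(2018, 3, 1),
     "mfa": True, "can_edit_creatives": False},
]
# Owner id -> date employment or vendor contract ended (None = still active).
OFFBOARDED = {"emp:1001": None, "emp:1002": date(2018, 5, 31),
              "vendor:77": date(2018, 9, 30), "emp:1003": None}

def audit_accounts(users, offboarded, today, max_idle_days=90):
    """Return accounts that should be disabled or reviewed, riskiest first."""
    findings = []
    for u in users:
        reasons = []
        if u["owner"] not in offboarded:
            # No HR or vendor record at all: nobody is accountable for it.
            reasons.append("owner-unknown")
        else:
            end = offboarded[u["owner"]]
            if end is not None and end <= today:
                reasons.append("owner-offboarded")
                if u["last_login"] > end:
                    # Someone used the account after access should have ended.
                    reasons.append("login-after-offboarding")
        if (today - u["last_login"]).days > max_idle_days:
            reasons.append("inactive")
        if reasons and not u["mfa"]:
            reasons.append("no-mfa")
        if reasons:
            # Accounts able to alter ad creatives carry the campaign-hijack risk.
            severity = "high" if u["can_edit_creatives"] else "medium"
            findings.append({"login": u["login"], "severity": severity,
                             "reasons": reasons})
    findings.sort(key=lambda f: (f["severity"] != "high", f["login"]))
    return findings

if __name__ == "__main__":
    for finding in audit_accounts(USERS, OFFBOARDED, today=date(2019, 1, 5)):
        print(finding)
```

The `login-after-offboarding` reason is the one to triage first, since it indicates use of a credential that should no longer have had a legitimate holder.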
