Cyber Incident Victim: Embarcadero Media Group
Date:
Sep 2025
Location:
United States of America
Summary
A hacktivist group claiming affiliation with Anonymous compromised all websites of Embarcadero Media Group, defacing them with a Guy Fawkes mask image and a message accusing *The Almanac* of hosting harmful content while demanding removal under threat of permanent shutdown. The media group's IT team worked overnight to address the breach, involving law enforcement including the FBI, and restored sites by the following evening after mitigating further damage through backups. Subsequent phishing attempts via fake virus warnings targeted visitors during the outage. While the attackers invoked Anonymous' rhetoric, cybersecurity experts questioned the legitimacy of this claim due to the lack of specific grievances and the collective's typical avoidance of media targets. The CEO characterized the incident as a sophisticated attack aimed at causing operational disruption.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 3 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On September 30, 2025, Embarcadero Media Group experienced a cyberattack that disrupted all its websites, including the *Palo Alto Weekly*, *Mountain View Voice*, *Pleasanton Weekly*, and *The Almanac*. The attack began at approximately 10:30 PM on Thursday, September 29, when an individual or group claiming affiliation with Anonymous replaced the websites’ content with an image of a figure wearing a Guy Fawkes mask and a threatening message. The message accused *The Almanac* of hosting harmful content and demanded its removal, warning that failure to comply would result in permanent shutdowns of all Embarcadero Media Group sites. It instructed readers to email CEO Bill Johnson with removal requests and concluded with Anonymous’ signature phrase: “We do not forgive, we do not forget, we are legion.” Staff at the affected publications, including *Palo Alto Weekly* Editor Jocelyn Dong, stated they were unaware of the specific content referenced in the hackers’ demands.
Embarcadero Media Group’s IT team worked overnight to investigate the breach, while the Palo Alto Police Department was notified to initiate an investigation. By Friday morning, a former employee shared a screenshot of the defaced *Mountain View Voice* site on Facebook, confirming the attack’s scope. During the downtime, visitors attempting to access the sites encountered a fraudulent pop-up warning of a virus infection and urging users to call a phishing phone number. The websites were restored by Friday evening, with CEO Bill Johnson describing the incident as a “sophisticated and elaborate attack” mitigated by the company’s backups and IT response. The FBI joined the investigation, and cybersecurity experts like Forbes’ Parmy Olson cast doubt on Anonymous’ involvement, citing the lack of specific grievances and the group’s historical reluctance to target media outlets. No further disruptions were reported after restoration, though the motive and identity of the attackers remained unclear.