Cyber Incident Victim: Google News
Date: Jun 2017
Location: United States of America
Summary
Google News experienced a compromise where its Health section displayed spam advertisements for pharmaceuticals and dating services instead of legitimate news content. Hackers altered article previews, headlines, and thumbnail images from verified publishers to promote illicit goods and events, though the underlying news sources remained authentic. The incident was reported by a third-party industry outlet, prompting Google to attribute the issue to publisher-side breaches. One affected publisher confirmed a prior website intrusion involving malicious redirects and extensive file corruption, requiring search engines to re-crawl its domain to purge compromised links. The platform reiterated that its algorithmic curation process—based on content freshness, diversity, and originality—lacks human editorial oversight.
Description
On June 12, 2017, Google News experienced a widespread spam injection attack affecting all users accessing its Health section. Legitimate news sources approved by Google News—including magazines, local news outlets, and TV channels—had their article listings altered to display unauthorized advertisements. The compromised listings replaced original headlines, thumbnail images, and article previews with spam promoting Canadian pharmacy websites selling Viagra and other drugs, alongside ads for free Jewish speed-dating events in Los Angeles. The attack exclusively targeted the Health category on news.google.com, with no evidence of impact on other sections. Despite the diverse and unrelated nature of the affected publishers, all hijacked listings shared identical spam content, suggesting coordinated manipulation of multiple independent sources. The incident persisted for an undetermined duration before detection, during which users encountered these fraudulent listings instead of legitimate health news.

Search Engine Land first identified the hijacked listings and reported the issue to Google, which subsequently resolved the compromised article displays. Google attributed the incident to publisher-side vulnerabilities rather than a direct breach of its platform. One confirmed victim, Palate Press, disclosed it had been hacked on June 10—two days prior to the Google News incident—with attackers injecting thousands of malicious files that redirected visitors to spam links. The publisher required two days to purge these files and then asked Google and Bing to recrawl its site to remove residual malicious links from search indexes. While Google confirmed its algorithms automatically curate news based on freshness, originality, and textual richness without human editorial oversight, the incident exposed unresolved questions about how attackers simultaneously compromised multiple unrelated publishers to manipulate Google News outputs. No additional publisher breaches or technical details about the attack vector were publicly confirmed.
