Cyber Incident Victim: United Press International
Date: Feb 2017
Location: United States of America
Summary
A hacker stole approximately 83,000 user accounts from a prominent American news agency and listed the data for sale on the AlphaBay dark web marketplace. The compromised information included email addresses, names, and passwords hashed with an outdated algorithm, some of which the seller had already cracked. Following the breach, the organization disabled login functionality and notified its entire email subscriber base. The affected accounts encompassed subscribers, employees, and journalists known for interacting with high-level officials, making them attractive targets for attackers. This
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |

| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On or around February 8, 2017, a threat actor using the alias "zerodark70" advertised a database containing 83,000 compromised user accounts from UPI.com for sale on the AlphaBay dark web marketplace. The dataset included email addresses, real names, and passwords hashed with the outdated and vulnerable MD5 algorithm. The seller provided samples of the stolen data to potential buyers, though these samples were incomplete, leaving the full scope of the breach unclear. CyberScoop independently verified the authenticity of the data by contacting victims identified in the samples. The seller claimed that the data had not been previously published and offered the entire database for approximately $100 in bitcoin. Notably, the seller had already cracked some of the hashed passwords, increasing the risk of credential misuse.

UPI responded to the breach by removing login pages and entire sections of its website, particularly those related to its global media development division (UPI), which managed accounts for international students and faculty. The organization also alerted its entire email subscriber base about the incident on February 7, 2017, one day before CyberScoop’s public report. The compromised accounts encompassed tens of thousands of email subscribers, current and former executives, journalists, and employees from recent years. This incident posed heightened risks given UPI journalists’ frequent interactions with high-profile U.S. officials in the defense and energy sectors, making them attractive targets for adversaries. The 2017 incident followed a prior security incident in 2015, when attackers, alleged by a UPI IT director to be the Syrian Electronic Army, hijacked the agency’s Twitter account to falsely announce World War III, which took hours to rectify.
