Update: Explore Minnesota's Facebook hack nightmare is over

But why was the tourism agency targeted? And how did someone take control?

A spam-pushing hacker's daylong takeover of the Explore Minnesota Facebook account is over.

Someone took full control of the account Monday morning, and for about five hours starting at 11:30 a.m. bombarded the popular tourism agency page with hyperlinks to bogus or sensationalized posts on a website called newsprovidr.com.

At least 25 hyperlinks were published. Some had a few dozen shares, and one (about a morgue worker being cremated while napping) was shared more than 250 times, inadvertently spreading the damage further..

Facebook shortly after 3 p.m. identified an account that had blocked access to the Explore Minnesota page, according to agency spokesperson Alyssa Hayes. By about 4:30 p.m. that bad actor had been cut out, and Explore Minnesota restored as the administrator, a statement from Explore Minnesota said. 

MNIT, the state's agency in charge of IT, is helping put security measures back in place for the page. And now that account control is back in the hands of the rightful owner, MNIT's plan is to start reverse engineering things to try to figure out what might have happened, MNIT Chief Information Security Officer Aaron Call told GoMN.


5 things you should take away from the Explore Minnesota Facebook hack

The Explore Minnesota Facebook page was run with a single account, Hayes said, and a lone social media manager was generally the only person with the password and direct access to post content. 

Hayes said they're working with MNIT still to investigate. How an attacker managed to gain full control isn't known yet.

Call said one of the most likely scenarios is a compromised password. That could be through a phishing email (an increasingly common method, which even Netflix was hit by recently) or a user's password getting out there through another breach or hack.

What's the motive?

In its afternoon update, Explore Minnesota promised to get back to posting the usual travel information soon, adding: "We thank our loyal 226,000+ Facebook fans for their patience and understanding today."

Those followers could be one of the key reasons to understanding a motive. 

Nothing has been officially determined at this point, but Call said there are some early indicators – based on his experience – that the point of the takeover was to drive clicks to a specific site, an increasingly common strategy. In this case, newsprovidr.com.

Explore Minnesota has a lot of Facebook followers, and if an attacker can direct some of that built-in user base to a website that runs advertisements, they can make a quick buck as the page views pile up, he explained.

And those types of popular accounts are "always going to be highly targeted, because it’s the fastest way to get any garbage you’re trying to disseminate out,” he added.

In addition, Call said the samples MNIT looked at haven't "turned up anything that contains malware" – but that isn't a definite, and a site that looks to be mainly a click-driver could have other aims as well that aren't immediately obvious.

There also hasn't been any sign the attack was wider in scope than the single Facebook page. Nor does it bear a resemblance to previous attacks, such as the politically-motivated MSU Moorhead breach.

"Until we’ve unraveled a little bit more, if we can ever get attribution to who did it, we might know more," he said. "But again, just playing off of professional experience and odds, this is most likely just a non-targeted opportunistic attack."

Read the original story from Monday morning below.

Hackers take control of Explore Minnesota's Facebook account

The Essentials

– Hackers turned Explore Minnesota's Facebook page into a spam-flinging account Monday morning, posting six obviously tabloid-y stories in less than 45 minutes.

– The first spam post went up at 11:45 a.m.:

In the following 90 minutes or so, the page had posted 11 additional links to fake stories, such as:

– On Twitter, Explore Minnesota said it was "looking into the matter." But spokesperson Alyssa Hayes told GoMN that whoever got into the Facebook account took full control, and is blocking employees from getting back into the Explore Minnesota Facebook page.

The Big Picture

While the exact nature of the issue hasn't been confirmed, Hayes told GoMN it appears to be a "hack/cyberattack." Explore Minnesota's social team is working directly with Facebook to sort it out, she said.

The spam posts appear to direct users to newsprovidr.com, a site that features clicky spam garbage. Hayes said anyone who comes across the posts should not click the links, and suggested they can also report the post as spam to Facebook.

Explore Minnesota's Twitter account and website appear as normal, and Hayes said the intrusion (at this point) appears limited to just the Facebook page.

MNIT is the state agency in charge of every tech-related need for thousands of state computers and servers. (We've reached out to them for comment but haven't heard back yet.)

The agency has said it fends off 3 million attempted cyber attacks every day

There have been a few recent high-profile attempts, including a computer breach at a popular state park in September, and an attack on Minnesota government and MSU Moorhead servers that pilfered email addresses, encrypted passwords, and user IDs.

MNIT this year asked lawmakers for significantly more funding to make upgrades, including replacing outdated computers and making sure systems are monitored 24/7.

They didn't get what they'd wanted, prompting Gov. Mark Dayton to mention the lack of new cybersecurity money as one of the "extremely disappointing" omissions in the final bill.

Next Up

Screen Shot 2021-10-20 at 6.42.51 AM

Boy, 15, undergoes surgery after being shot near south Mpls. park

The 15-year-old was transported to HCMC and was taken into surgery.

i-94 crash st. michael - 2021.10.19

Maple Grove man ID'd as victim of fatal crash on I-94

That side of the freeway was closed for a few hours on Tuesday afternoon.

Joel Eriksson Ek

Eriksson Ek's hat trick completes Wild's rally over Jets

A late review helped the Wild win their home opener.

Screen Shot 2021-10-19 at 8.11.35 PM

Watch: Marcus Foligno starts fight with a superman punch

Foligno was not messing around in the first period.

Union Gospel Mission graffiti side by side - Duluth PD

Vandals target longstanding Duluth soup kitchen, transitional housing site

Union Gospel Mission has been operating in the city since 1922.

House for sale

The crazy Twin Cities housing market is showing signs of slowing down

Agents are seeing fewer multiple offers and no inspections are less prevalent.

Ben Simmons

Simmons' reunion with 76ers lasts mere days, chance for Wolves?

Woj says the Sixers remain "steadfast" in their plans for Simmons.

mitchell ottinger

Sub teacher involved in 'sextortion' of more than 10 minors pleads guilty

Some of the minors he knew from the school district where he worked.

flickr ice castles new brighton 2020 - Greg Gjerdingen

The Ice Castles, a winter favorite, are coming back to the Twin Cities

The popular attraction was canceled last winter due to COVID.

joey meatballs

4 new vendors coming to Rosedale's POTLUCK food hall

Three restaurants and a VR company are opening soon.

flickr - Lorie Shaull - Line 3 pipeline Palisade July 2021

Enbridge misses deadline to fix its groundwater blunder

The company had 30 days to stop the leak it caused by not following its submitted plans.

wikimedia commons - the beach boys 2019 - joergens.mi

Beach Boys bringing 2021 holiday tour to Minnesota

The iconic band's "Holiday Harmonies" tour stops at Treasure Island just before the new year.


5 things you should take away from the Explore Minnesota Facebook page hack

What you should (and shouldn't) do to keep your accounts safe.

How big a deal is this hack of Minnesota government and MSU Moorhead servers?

Email addresses, encrypted passwords, user IDS – what someone could do with the information.

Chipotle's payment systems were hacked – see if the one you go to was hit

Malware got into the register and card payment systems and scraped up info.

WikiLeaks leak claims CIA can get past phone encryption, hack into Smart TVs

This leak of more than 8,000 files has not been authenticated – though it appears legitimate.

Hackers took control of both HBO's and PlayStation's Twitter accounts

The group OurMine took control of their social media accounts.

How safe from a ransomware attack are Minnesota's government computers?

WannaCry ransomware has been detected across more than 200,000 computers in 100-plus countries. So how protected is Minnesota?

Facebook Messenger just made stalking your friends easier

Let your friends stare at you walking around in real-time for an hour.