Skip to main content

Update: Explore Minnesota's Facebook hack nightmare is over

But why was the tourism agency targeted? And how did someone take control?

A spam-pushing hacker's daylong takeover of the Explore Minnesota Facebook account is over.

Someone took full control of the account Monday morning, and for about five hours starting at 11:30 a.m. bombarded the popular tourism agency page with hyperlinks to bogus or sensationalized posts on a website called

At least 25 hyperlinks were published. Some had a few dozen shares, and one (about a morgue worker being cremated while napping) was shared more than 250 times, inadvertently spreading the damage further..

Facebook shortly after 3 p.m. identified an account that had blocked access to the Explore Minnesota page, according to agency spokesperson Alyssa Hayes. By about 4:30 p.m. that bad actor had been cut out, and Explore Minnesota restored as the administrator, a statement from Explore Minnesota said. 

MNIT, the state's agency in charge of IT, is helping put security measures back in place for the page. And now that account control is back in the hands of the rightful owner, MNIT's plan is to start reverse engineering things to try to figure out what might have happened, MNIT Chief Information Security Officer Aaron Call told GoMN.


5 things you should take away from the Explore Minnesota Facebook hack

The Explore Minnesota Facebook page was run with a single account, Hayes said, and a lone social media manager was generally the only person with the password and direct access to post content. 

Hayes said they're working with MNIT still to investigate. How an attacker managed to gain full control isn't known yet.

Call said one of the most likely scenarios is a compromised password. That could be through a phishing email (an increasingly common method, which even Netflix was hit by recently) or a user's password getting out there through another breach or hack.

What's the motive?

In its afternoon update, Explore Minnesota promised to get back to posting the usual travel information soon, adding: "We thank our loyal 226,000+ Facebook fans for their patience and understanding today."

Those followers could be one of the key reasons to understanding a motive. 

Nothing has been officially determined at this point, but Call said there are some early indicators – based on his experience – that the point of the takeover was to drive clicks to a specific site, an increasingly common strategy. In this case,

Explore Minnesota has a lot of Facebook followers, and if an attacker can direct some of that built-in user base to a website that runs advertisements, they can make a quick buck as the page views pile up, he explained.

And those types of popular accounts are "always going to be highly targeted, because it’s the fastest way to get any garbage you’re trying to disseminate out,” he added.

In addition, Call said the samples MNIT looked at haven't "turned up anything that contains malware" – but that isn't a definite, and a site that looks to be mainly a click-driver could have other aims as well that aren't immediately obvious.

There also hasn't been any sign the attack was wider in scope than the single Facebook page. Nor does it bear a resemblance to previous attacks, such as the politically-motivated MSU Moorhead breach.

"Until we’ve unraveled a little bit more, if we can ever get attribution to who did it, we might know more," he said. "But again, just playing off of professional experience and odds, this is most likely just a non-targeted opportunistic attack."

Read the original story from Monday morning below.

Hackers take control of Explore Minnesota's Facebook account

The Essentials

– Hackers turned Explore Minnesota's Facebook page into a spam-flinging account Monday morning, posting six obviously tabloid-y stories in less than 45 minutes.

– The first spam post went up at 11:45 a.m.:

In the following 90 minutes or so, the page had posted 11 additional links to fake stories, such as:

– On Twitter, Explore Minnesota said it was "looking into the matter." But spokesperson Alyssa Hayes told GoMN that whoever got into the Facebook account took full control, and is blocking employees from getting back into the Explore Minnesota Facebook page.

The Big Picture

While the exact nature of the issue hasn't been confirmed, Hayes told GoMN it appears to be a "hack/cyberattack." Explore Minnesota's social team is working directly with Facebook to sort it out, she said.

The spam posts appear to direct users to, a site that features clicky spam garbage. Hayes said anyone who comes across the posts should not click the links, and suggested they can also report the post as spam to Facebook.

Explore Minnesota's Twitter account and website appear as normal, and Hayes said the intrusion (at this point) appears limited to just the Facebook page.

MNIT is the state agency in charge of every tech-related need for thousands of state computers and servers. (We've reached out to them for comment but haven't heard back yet.)

The agency has said it fends off 3 million attempted cyber attacks every day

There have been a few recent high-profile attempts, including a computer breach at a popular state park in September, and an attack on Minnesota government and MSU Moorhead servers that pilfered email addresses, encrypted passwords, and user IDs.

MNIT this year asked lawmakers for significantly more funding to make upgrades, including replacing outdated computers and making sure systems are monitored 24/7.

They didn't get what they'd wanted, prompting Gov. Mark Dayton to mention the lack of new cybersecurity money as one of the "extremely disappointing" omissions in the final bill.

Next Up

Screen Shot 2022-09-21 at 6.02.37 PM

Charges: Serial trespasser accused of making U of M bomb threat

Ahmed Mohamed Umar has been charged with one count of threats of violence with explosives or an incendiary device.

Minneapolis police

Man, police officer involved in fatal Minneapolis incident identified

A witness says the man who exchanged gunfire with police shot himself.

Johnathan Anderl

Minneapolis police appeal to find missing 39-year-old man

The man, who has autism, was last seen near the MacPhail Center for Music.

Screen Shot 2022-09-22 at 3.06.25 PM

Minneapolis rolls out new crime-reducing plan, but provides little detail

"Operation Endeavor" is a collaboration between multiple agencies.

Screen Shot 2022-04-25 at 11.00.01 AM

Walz hopes for investigation into judge in Feeding Our Future case

The governor said he was "speechless" by the judge's initial decision.

ABC ramps-Nov2020-039-small

Commuter alert: Parking in Minneapolis just got cheaper!

FlexPass offers flexible parking downtown at Ramp A


Omicron subvariants BA.4.6, BA.2.75.2 drawing attention in MN

Health officials in Minnesota are paying special attention to BA.4.6.

Ambulance Hennepin Healthcare

Man dies after shooting in south Minneapolis

The shooting was reported at 9:20 a.m.

Screen Shot 2022-09-22 at 12.48.13 PM

Texas company buys Roseville's Har Mar Mall for $50 million

The mall is home to a Cub Foods and a Burlington, among other stores.

DPS John Harrington

Increased state police presence in Twin Cities to stay till year's end

Topics included HEAT patrols, violent crime, fentanyl and street racing.


5 things you should take away from the Explore Minnesota Facebook page hack

What you should (and shouldn't) do to keep your accounts safe.

How big a deal is this hack of Minnesota government and MSU Moorhead servers?

Email addresses, encrypted passwords, user IDS – what someone could do with the information.

Chipotle's payment systems were hacked – see if the one you go to was hit

Malware got into the register and card payment systems and scraped up info.

WikiLeaks leak claims CIA can get past phone encryption, hack into Smart TVs

This leak of more than 8,000 files has not been authenticated – though it appears legitimate.

Hackers took control of both HBO's and PlayStation's Twitter accounts

The group OurMine took control of their social media accounts.

How safe from a ransomware attack are Minnesota's government computers?

WannaCry ransomware has been detected across more than 200,000 computers in 100-plus countries. So how protected is Minnesota?

Facebook Messenger just made stalking your friends easier

Let your friends stare at you walking around in real-time for an hour.