How Ámbito was hacked: What is defacement and everything we know about the attack

The attack on the Ámbito newspaper website once again brought to the forefront a type of hacking that is becoming increasingly common in media outlets, public bodies and digital platforms: defacement , a technique that does not aim to steal information or obtain financial gain, but rather to modify the visible content of a page to leave a message .

The incident occurred on Friday morning, days after the Supreme Court upheld Cristina Kirchner's conviction for corruption in the Highways case.

For a brief period, the front page of the website specializing in economics and business was completely altered: photos of skulls, messages against the former president , and slogans like "#CFKPRESA" and "#CFKCHORRA" dominated the headlines of several articles. All of this was signed by a group identifying itself as @gov.eth , a name already well-known in the Argentine cyberactivism scene.

The newspaper confirmed that the attack was a defacement attack, a method that involves accessing the site's administration panel and replacing its original content with other text, images, or videos. "It massively modified the content," they explained in an official statement, in which they also apologized to readers and advertisers.

The name @gov.eth is not new. In recent months, this user has claimed responsibility for hacking various news sites, such as Perfil.com and La Unión Digital de Catamarca, as well as the official Argentine government website , argentina.gob.ar , at the end of 2024.

In an interview with Clarín , one of the attackers identified himself by that alias and asserted that there was no political motive behind his actions. "We're two kids who were bored and we were able to do it," he said at the time, explaining that he works in digital marketing but carries out these attacks "as a hobby."

According to his testimony, in some of the previous hacks, they managed to enter the system using credentials leaked on the government's own test pages. Since the servers didn't have second-factor authentication enabled, simply entering a username and password was enough to access the backend , the dashboard that manages the site's content.

Although the exact nature of the breach in this latest attack has yet to be confirmed, Ámbito itself acknowledged that the attackers accessed the list of usernames and passwords , allowing them to modify the contents massively. Everything points, as in previous cases, to a possible credential leak or a failure in the system's basic security measures .

The most illustrative example is the attack on argentina.gob.ar last December. The attackers revealed that the server lacked a second-factor authentication (also known as 2FA or MFA), a measure that allows a user's identity to be verified with an additional code—sent to a cell phone, an app, or via biometrics—and which acts as an additional security barrier .

"We accessed the site using a leaked credential we obtained from a government test site and used the same login to log into the backend of argentina.gob.ar," gov.eth explained at the time. From there, they escalated permissions and took control of the system.

Unlike other more complex or financially motivated cyberattacks, defacement is a form of "digital vandalism." The goal is to alter the appearance of a site to convey a message, leave a mark, or simply demonstrate that it can be done. Generally, no information is stolen or malware installed , although that doesn't mean it doesn't pose a risk.

The technique involves accessing the site's control panel—through a vulnerability, a weak password, or a leaked credential—and replacing its content with other content . It can include images, political messages , videos, threats, or mockery. In many cases, like this one, a skull is used as a signature, accompanied by hashtags and links to Telegram channels or other networks.

The term comes from the English word " deface " and refers to the alteration of a website's "face ." Although it's less sophisticated than other cyberattacks, it can have a significant public impact, especially if it affects media outlets or official websites.

Beyond the attacker's intentions, the episode highlights the risks of not implementing basic cybersecurity measures . Using strong and unique passwords, activating second-factor authentication, and constantly updating software are essential resources for preventing these types of intrusions.