CPA Consultants’ Alliance website hacked

The CPA Consultants’ Alliance informed its clients this month that its website had been hacked, with several fake blog entries touting cannabis-related products posted on the site and emailed to everyone on the organization’s mailing list.

The CPACA members, a group of consultants who advise CPA firms about technology, marketing and business development, realized the hack had occurred when an automatically generated email newsletter arrived in their inboxes during an annual meeting. They scrambled to remove the posts, which touted marijuana and products made from CBD, short for cannabidiol, an oil derived from the cannabis plant that has become a booming market in recent years.

“Unfortunately, the CPA Consultants’ Alliance website was hacked, fake blog posts were added and an email was generated and sent to you,” said the Feb. 13 email. “We are addressing this issue with the hopes that it will not happen again. In the meantime, we apologize for any inconvenience or confusion.”

The blog posts were likely only on the CPACA website for a single day, but the timing couldn’t have been worse since they were posted on the site shortly before a previously scheduled newsletter was set to go out to the mailing list.

“From what we can tell, someone guessed the login of one of our members and posted four articles on the benefits of CBD oil and marijuana under his name,” said Bonnie Buol Ruszczyk of BBR Companies LLC, a marketing strategy firm for accountants. “This then generated a newsletter to all our contacts, which oddly enough went out when we were all in the same room at our annual meeting.”

The hacker seems to have compromised a member’s account to get access to the website. “I think as far as what happened in this instance, it was a weak password situation,” said Roman Kepczyk, a CPACA member who is director of firm technology strategy at Right Networks.

“We’re assuming somebody was able to log in through one of our member’s accounts,” said Ruszczyk. “They either guessed the password or somehow or other got access to that information, and added blog posts about the benefits of CBD oil and other topics of which we are not experts nor do we have an official opinion. The reason why that went out to all of our newsletter recipients is until recently we had it set up so that Mailchimp was connected to our website in a way that it just auto-generated a newsletter by pulling the most recent blog posts. The design was already set up. and on whatever date of each month it would autogenerate that newsletter to go out, so the timing of it was very unfortunate in that we were hacked a day before the email was scheduled to go out.”

CPACA was able to remove the posts quickly, change the login on its WordPress site and quickly send out a follow-up email explaining the problem. It doesn’t know who the hacker was, but one of the articles posted on the site was in German.

“We received the email when everybody else did,” said Ruszczyk. “It was ironic that we were all sitting in the same room because that only happens once a year. … But immediately we went in and took down the fake blog post and then we investigated exactly what went on and sent out a note saying we were hacked. We apologize for this, but things have now been put in place. We now no longer auto-generate that newsletter. It’s a great idea as far as efficiency goes, but it also gives us a little less control, so we’re not going to auto-generate that anymore. We’re going to create it manually.”

CPACA doesn’t believe its members’ or clients’ personal information was exposed, and the hackers don’t seem to have gotten access to the Mailchimp account itself. “They did not actually get into our Mailchimp account where all our email resides,” said Ruszczyk.

The group has taken steps to beef up its security since the incident occurred. “I immediately contacted our web developer host, and he went in and looked at all the things that we had in place,” said Ruszczyk. “There were a couple of WordPress updates that needed to be made. Not a lot, but we did everything to help shore up our security, and for the member’s account that was logged into, that password was immediately changed as well.”

Kepczyk, who is a technology expert who has written about cybersecurity for the American Institute of CPAs, believes the incident offers some lessons for CPA firms. “For firms that have personally identifiable information, which is primarily data on tax returns or in their Outlook, we do recommend multifactor authentication from a security perspective,” he said. “Once they get in there, according to the National Institute of Standards and Technology, then you have what is a certifiable breach, and CPA firms are definitely targets in that area. By having multifactor authentication or biometrics or some other kind of third-party verification, it can significantly reduce their exposure. Everyone is a target to be hacked, and it’s a matter of how do we make it hard for the hackers to get in and minimize the exposure of the firm.”

On Monday, he posted an article on the CPACA website entitled, “How to Respond if Your Firm is Hacked,” with some advice based on the group’s recent experiences. It will run in the next edition of the group’s newsletter.


Michael Cohn