Hackers breach NY-Alert system; state officials say ignore any message about transactions

Syracuse, N.Y. – The state’s NY-Alert app was hacked last week, sending a message about a bogus transaction to the phones of tens of thousands of people signed up to get emergency notifications, state officials confirmed.

The phishing notice pinged 163,000 phones, or 87% of the accounts signed up for the state’s emergency notices, according to Scott Reif, spokesperson for the New York State Office of Information Technology Services.

The state is warning people to ignore any notice from NY-Alert that asks the recipient to inquire about a fake bank transaction.

“We are aware of a text message sent in error to some members of the public,” Reif said. “Do not reply to the text message or call the phone number. This text message was not sent by New York State, and an investigation is ongoing by the vendor.”

NY-Alert is the state’s mass notification system. It’s used to keep residents informed on the topics they select when they sign up, including notifications for weather emergencies, road closures and deadlines to file state taxes.

The messages came through Mobile Commons, the company that handles alert system text messages for the state.

One of the hacked messages viewed by syracuse.com arrived the evening of Nov. 10:

“B OF A: Transaction of $723.42 was declined. Confirm if this was you: (888) 836-4437. Reply YES to confirm.”

Mobile Commons sent out another text to subscribers Nov. 11, warning of the phishing attempts:

“The previous message was sent in error and not on behalf of New York State. Do not reply to this message or call the phone number.”

Mobile Commons CEO Jed Alpert said in an emailed statement that an “unauthorized third-party” gained access to the platform for four hours before the scam was detected and stopped.

He said the company blocked a second attack Nov. 13.

“During these incidents, multiple attempts were made to send spam messages through our system,” Alpert said. “A limited number of these messages reached subscribers before our security protocols identified and contained the malicious activity.”

Alpert said the company is taking steps to make the system more secure and said they have “locked down messaging” on its platform until the “company is confident that the platform is secure.”

If you purchase a product or register for an account through a link on our site, we may receive compensation. By using this site, you consent to our User Agreement and agree that your clicks, interactions, and personal information may be collected, recorded, and/or stored by us and social media and other third-party partners in accordance with our Privacy Policy.