Ars Technica, reporting on the hack of analytics firm PageFair:
The compromise started in the last few minutes of Halloween with a spearphishing e-mail that ultimately gave the attackers access to PageFair’s content distribution network account. The attacker then reset the password and replaced the JavaScript code PageFair normally had execute on subscriber websites. For almost 90 minutes after that, people who visited 501 unnamed sites received popup windows telling them their version of Adobe Flash was out-of-date and prompting them to install malware disguised as an official update.
One of those sites were the Economist, as is widely reported. Third party scripts and services is a forgotten security hazard today. Probably more so than ever, since PageFair is an anti-content blocker. From their about page:
We started PageFair because we personally experienced the damage adblocking can do to a website. While we recognize that visitors need to defend themselves from distracting, intrusive, inappropriate, disingenuous or malicious advertising, the rise of adblocking is now leading to the death of quality free websites.
Add PageFair to a service you should block, for your own safety.