When my phone buzzed with a news alert from the New York Post on Saturday night, I assumed something important had happened. When I took a look, I discovered not a news headline, but instead a message: “Heil President Donald Trump.”
While in some countries that might be a signal of a coup d’etat, I was pretty sure the Post (despite its history of pro-Trump editorial positions) was not blasting a propaganda message, but had instead been the victim of a hacker.
My suspicions were confirmed by the follow-up messages, some of which you can see below, that included everything from religious rantings to Nirvana lyrics:
After approximately an hour of this, the Post sent out yet another alert saying its “system was compromised” along with an apology.
While some might consider the fake alerts as no more than a funny prank, the episode actually underscores the danger of news notifications, which are an increasingly important distribution tool for many news agencies.
Get Data Sheet, Fortune’s technology newsletter.
Consider, for instance, if the Post hacker decided not to use the compromised account for simple trolling, but to send real-sounding headlines about the death of a CEO or a terrorist incident. Such an alert could cause political panic or move the stock market—as happened when hackers hijacked the Twitter account of the AP news agency and reported explosions at the White House.
For a publication like the New York Times, which recently said news alerts account for up to 60% of its web traffic on some days, a compromise of its push notifications system could spread dangerous misinformation around the globe, and be disastrous to its brand.
So how do news agencies ensure the powerful push alerts don’t fall into the wrong hands? In the case of the Times, the control of the system lies with senior staff.
“At The Times, it’s always a senior editor on the News Desk—often multiple—who makes the call on whether to send a news notification (and what it says). The News Desk edits our home page and mobile apps, among many other functions,” said spokesperson Linda Zebian by email.
As for the Post, a spokesperson said the publication had no comment beyond its initial statement. Another person, who did not wish to be named, described the incident on Monday as a “perplexing mystery.”
Professor Bill Grueskin, who teaches digital newsroom management at the Columbia School of Journalism, told Fortune it’s imperative for news agencies to introduce extra security for their online distribution channels.
“I’d say that any newsroom that doesn’t use at least one extra layer of authentication, beyond the simple password, puts its reputation at grave risk. Otherwise, you enable any former employee, or hacker, access to your social media accounts,” he said.
