NewsNow Urges All Users to Change Passwords NOW After Data Breach

NewsNow Data Breach

Without using any official channels to announce the news to the world, NewsNow, a British news aggregator agency, sent out email notifications to their users saying that changing some passwords might be in order. The message was first shared by security specialist Troy Hunt on Monday, and the interesting thing about it is that it leaves quite a few questions unanswered. After the media picked up the news, a spokesperson did shed some light on the matter, and although a few things remain unknown, we'll now summarize the facts.

What happened exactly?

Apparently, NewsNow's IT people were reviewing some code when they noticed that someone had installed a backdoor on a few of their servers. After taking them offline, they did some investigation and realized that the intrusion was made possible by a dodgy line of code that stayed on NewsNow's infrastructure for about eight years. The code was patched, and the servers were brought back up, but not before a brand new authentication system was put in place.

NewsNow decided to do away with the password altogether. Right now, if you want to log in to your account at the news aggregator website, you click the Sign In button and enter your email address. NewsNow sends you a login link, and obviously, to get to it, you first need to log in to your email. Once you follow the link, you're inside your NewsNow account.

NewsNow officials can't say whether any information has been exfiltrated, but the new, rather cumbersome authentication mechanism shows that they are either suspecting the worst-case scenario or are being cautious. Speaking of which, if you have ever registered an account with NewsNow, you should be pretty careful as well.

What do potential victims need to do?

The good news is, NewsNow doesn't really hold that much user data. As they point out in the breach notification, for example, no credit card details could have been stolen because none were stored. The passwords were stored, however, and while NewsNow wasn't keen on revealing too many details, the notification said that the passwords were "encrypted" which could be worrying.

This isn't the first time, a data breach victim has said such a thing, and it could mean one of two things. Maybe the passwords were hashed and salted (as they should be), but the company officials realized that few of the people reading the letter would understand what this means, so they picked a term that's less accurate but more common. The other option is that the passwords simply weren't stored properly.

Unfortunately, the second scenario is far more likely. The email says that "it would not be straightforward" to "decipher" the passwords and that because NewsNow doesn't store any sensitive personal information, nobody's going to bother even trying to crack the (potentially) stolen data.

NewsNow might be underestimating the amount of free time and determination some hackers have. Worse than that, however, is the fact that, without sharing any technical details, they imply that it is possible to recover plaintext passwords from the data that was stored on the backdoored servers. And because we don't know when the backdoor was installed, any password that has ever been used at NewsNow must be considered compromised.

Obviously, if you use unique passwords on all websites, this isn't really a problem. NewsNow's new authentication mechanism means that old passwords won't work at all. And even if they did, the hackers wouldn't be able to steal much from your account.

If you have used the same password elsewhere, however, you must change it as a matter of urgency. Even if you assume that the "not straightforward" bit of NewsNow's message is true, you have to bear in mind that for many people, this is a challenge they're willing to take, not a deterrent. And because password reuse is so common, the potential benefit of cracking a large number of passwords and using them in a credential stuffing attack is enormous.

In other words, the incident should not be underestimated. Yes, we don't know whether the intruders have taken anything, and we have no idea what the password hashing (or encryption) algorithm is. Despite this, the threat to people who reuse passwords is very real. And as we found out a couple of months ago, quite a few people reuse passwords.

By Duran
September 28, 2018
News
English
September 28, 2018
News

Popular Posts

As Fears of the Coronavirus Pandemic Spread, So Does...

4 years ago

Microsoft Warns State-Backed Threat Actors Are Using AI in...

4 days ago

Trojan Al11 Malware Detection & Removal - An Essential...

11 months ago

Pinaview is a Fully-Featured Adware App

10 months ago

"Your iCloud is Being Hacked" and "Your iPhone has Been...

7 months ago

What is Lucky Ransomware?

7 months ago

Related Posts

News

Why Did Twitter Tell Millions of Users to Change Their Passwords?

You may have heard that Twitter recently told its 300+ million users to change their passwords, but have you wondered why? Well, the reason for that is quite simple, it's about their users' security. Twitter... Read more

June 27, 2018
News

Under Armour's MyFitnessPal Succumbs to Major Data Breach Exposing 150 Million User Passwords

Today's sensitive nature of personal data has us all in a frenzy to protect it to the best of our abilities. Unfortunately, the powers that be may have other plans for our personal data and choose to expose whatever... Read more

March 30, 2018
News

Twitter Urges Its 330 Million Users to Change Their Passwords Due to a Software Bug

It was World Password Day yesterday. We were supposed to celebrate good password management and teach people how to do it. Twitter decided to chime into the celebration… by urging all 330 million of its users to... Read more

May 4, 2018
English
Loading...

Cyclonis Backup Details & Terms

The Free Basic Cyclonis Backup plan gives you 2 GB of cloud storage space with full functionality! No credit card required. Need more storage space? Purchase a larger Cyclonis Backup plan today! To learn more about our policies and pricing, see Terms of Service, Privacy Policy, Discount Terms and Purchase Page. If you wish to uninstall the app, please visit the Uninstallation Instructions page.

Cyclonis Password Manager Details & Terms

FREE Trial: 30-Day One-Time Offer! No credit card required for Free Trial. Full functionality for the length of the Free Trial. (Full functionality after Free Trial requires subscription purchase.) To learn more about our policies and pricing, see EULA, Privacy Policy, Discount Terms and Purchase Page. If you wish to uninstall the app, please visit the Uninstallation Instructions page.

Home

Products

Cyclonis Backup Cyclonis Password Manager Cyclonis World Time

Support

Help Files FAQs Downloads Inquiries & Support

Company

About Us Contact Us Report Abuse

Legal (Post Merger)

EnigmaSoft Limited (fka Cyclonis Limited)

Cyclonis Backup's Terms of Service Cyclonis Password Manager's EULA Cyclonis World Time's Terms of Service Privacy Policy Cookie Policy Special Discount Offer Terms Additional Terms & Conditions SpyHunter EULA RegHunter EULA EnigmaSoft Privacy Policy & Cookie Policy ESG Privacy Policy & Cookie Policy EnigmaSoft Discount Offer Terms ESG Discount Offer Terms

© 2017-2024 Cyclonis Ltd. CYCLONIS is a trademark of EnigmaSoft Limited (Cyclonis was merged into EnigmaSoft Limited effective November 25, 2023.) All rights reserved.

Registered Office EnigmaSoft Limited: 1 Castle Street, 3rd Floor, Dublin 2 D02 XD82, Ireland.
EnigmaSoft Limited, Private Company Limited by shares, Company Registration Number 597114.

Windows is a trademark of Microsoft, registered in the U.S. and other countries.
Mac, iPhone, iPad and App Store are trademarks of Apple Inc., registered in the U.S. and other countries.
iOS is a registered trademark of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
Android and Google Play are trademarks of Google LLC.