NewsNow Urges All Users to Change Passwords NOW After Data Breach
Rather than announcing the incident through any official channel, NewsNow, a British news aggregator, emailed its users to say that changing some passwords might be in order. The message was first shared by security specialist Troy Hunt on Monday, and the notable thing about it is that it leaves quite a few questions unanswered. After the media picked up the story, a spokesperson did shed some light on the matter, and although a few things remain unknown, we'll now summarize the facts.
What happened exactly?
Apparently, NewsNow's IT people were reviewing some code when they noticed that someone had installed a backdoor on a few of their servers. After taking them offline, they investigated and concluded that the intrusion had been made possible by a dodgy line of code that had sat on NewsNow's infrastructure for about eight years. The code was patched and the servers were brought back up, but not before a brand new authentication system was put in place.
NewsNow decided to do away with the password altogether. Right now, if you want to log in to your account at the news aggregator website, you click the Sign In button and enter your email address. NewsNow sends you a login link, and obviously, to get to it, you first need to log in to your email. Once you follow the link, you're inside your NewsNow account.
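The flow described above, as an added example that is not NewsNow's code: a minimal email magic-link login service in Python. It assumes details the article does not give: links expire after 15 minutes, are single-use, and only a hash of the token is stored, so a copy of the pending-login table does not yield working links. The domain, addresses and in-memory store are constructed for the demo.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

LINK_TTL_SECONDS = 15 * 60                  # assumed link lifetime (not stated by NewsNow)
BASE_URL = "https://example.invalid/login"  # placeholder, not NewsNow's URL


@dataclass
class PendingLogin:
    email: str
    expires_at: float
    used: bool = False


class MagicLinkService:
    """Issue and redeem one-time, time-limited login links."""

    def __init__(self) -> None:
        # Keyed by SHA-256 of the raw token. The raw token exists only in the
        # emailed link, so a leaked copy of this table cannot be replayed.
        self._pending: Dict[bytes, PendingLogin] = {}
        # Constructed outbox standing in for SMTP delivery.
        self.sent_mail: List[Tuple[str, str]] = []

    @staticmethod
    def _token_hash(token: str) -> bytes:
        return hashlib.sha256(token.encode()).digest()

    @staticmethod
    def token_from_link(link: str) -> str:
        """Extract the raw token from a link (what the browser sends back)."""
        return link.rsplit("token=", 1)[1]

    def request_login(self, email: str, now: Optional[float] = None) -> str:
        """Create a fresh token for `email`, 'send' the link, and return it."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[self._token_hash(token)] = PendingLogin(email, now + LINK_TTL_SECONDS)
        link = f"{BASE_URL}?token={token}"
        self.sent_mail.append((email, link))
        return link

    def redeem(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the authenticated email, or None for an unknown, expired or
        already-used token. All three failures look identical to the caller."""
        now = time.time() if now is None else now
        record = self._pending.get(self._token_hash(token))
        if record is None or record.used or now > record.expires_at:
            return None
        record.used = True  # burn the token on first use
        return record.email
```

Note what this design does and does not buy: there is no password to crack, but the account is now exactly as secure as the mailbox the link is sent to, and a link forwarded or logged anywhere (mail proxies, browser history) is a credential until it expires or is used.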
NewsNow officials can't say whether any information has been exfiltrated, but the new, rather cumbersome authentication mechanism suggests that they either suspect the worst-case scenario or are being cautious. Either way, if you have ever registered an account with NewsNow, you should be cautious as well.
What do potential victims need to do?
The good news is, NewsNow doesn't really hold that much user data. As they point out in the breach notification, for example, no credit card details could have been stolen because none were stored. The passwords were stored, however, and while NewsNow wasn't keen on revealing too many details, the notification said that the passwords were "encrypted", which could be worrying.
This isn't the first time a data breach victim has said such a thing, and it could mean one of two things. Maybe the passwords were hashed and salted (as they should be), but the company officials realized that few of the people reading the letter would understand what this means, so they picked a term that's less accurate but more familiar. The other option is that the passwords simply weren't stored properly.
Unfortunately, the second scenario is far more likely. The email says that "it would not be straightforward" to "decipher" the passwords and that because NewsNow doesn't store any sensitive personal information, nobody's going to bother even trying to crack the (potentially) stolen data. The word "decipher" describes a reversible transformation, not a one-way hash, and a reversible scheme needs a key, which would have lived on the same servers the backdoor did.
NewsNow might be underestimating the amount of free time and determination some hackers have. Worse than that, however, is the fact that, without sharing any technical details, they imply that it is possible to recover plaintext passwords from the data that was stored on the backdoored servers. And because we don't know when the backdoor was installed, any password that has ever been used at NewsNow must be considered compromised.
Obviously, if you use unique passwords on all websites, this isn't really a problem. NewsNow's new authentication mechanism means that old passwords won't work at all. And even if they did, the hackers wouldn't be able to steal much from your account.
If you have used the same password elsewhere, however, you must change it as a matter of urgency. Even if you assume that the "not straightforward" bit of NewsNow's message is true, you have to bear in mind that for many people, this is a challenge they're willing to take, not a deterrent. And because password reuse is so common, the potential benefit of cracking a large number of passwords and using them in a credential stuffing attack is enormous.
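To make the "encrypted" versus "hashed and salted" distinction above concrete, and to show what the cracking effort described in the last two paragraphs looks like, here is an added example that is not NewsNow's code and says nothing about how NewsNow actually stored passwords. Scheme A is a deliberately toy reversible cipher (SHA-256 keystream XOR, no nonce) keyed by a server-side secret; any real cipher whose key sits on the backdoored server fails the same way. Scheme B is a per-user salt plus PBKDF2-HMAC-SHA256. The user records and wordlist are constructed for the demo.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Scheme A: reversible "encryption" keyed by a secret kept on the server.
SERVER_KEY = b"constructed-server-key-0001"  # lives on the same box as the backdoor


def _keystream(key: bytes, length: int) -> bytes:
    # Toy keystream (iterated SHA-256). Demo only, not a real cipher.
    out, block = b"", key
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:length]


def encrypt_password(password: str, key: bytes = SERVER_KEY) -> bytes:
    data = password.encode()
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def decrypt_password(blob: bytes, key: bytes = SERVER_KEY) -> str:
    # XOR is its own inverse: whoever holds the key reads every password at once.
    return bytes(a ^ b for a, b in zip(blob, _keystream(key, len(blob)))).decode()


# Scheme B: per-user salt plus a slow one-way function (PBKDF2-HMAC-SHA256).
ITERATIONS = 100_000  # kept modest so the demo runs quickly; use far more in production


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def dictionary_attack(records: List[Tuple[str, bytes, bytes]], wordlist: List[str]) -> Dict[str, str]:
    """What an attacker holding the hashed table can still do: guess. The salt
    defeats precomputed tables and forces one run per user, and the iteration
    count makes each guess cost, but a password that is on the wordlist falls."""
    found: Dict[str, str] = {}
    for email, salt, digest in records:
        for guess in wordlist:
            if verify_password(guess, salt, digest):
                found[email] = guess
                break
    return found


# Constructed demo data (not NewsNow's users or any leaked data).
USERS = {
    "alice@example.invalid": "password123",       # on every wordlist
    "bob@example.invalid": "letmein",             # reused everywhere
    "carol@example.invalid": "Vq7!nB2#pL9@wE4s",  # unique and random
}
WORDLIST = ["123456", "password", "password123", "letmein", "qwerty", "newsnow"]


def demo() -> Tuple[Dict[str, str], Dict[str, str]]:
    """Returns (everything recovered from scheme A, what the wordlist cracks from scheme B)."""
    encrypted_store = {e: encrypt_password(p) for e, p in USERS.items()}
    recovered = {e: decrypt_password(b) for e, b in encrypted_store.items()}

    hashed_store = [(e, *hash_password(p)) for e, p in USERS.items()]
    cracked = dictionary_attack(hashed_store, WORDLIST)
    return recovered, cracked
```

Under scheme A the attacker with the key recovers all three passwords immediately; under scheme B only the two common, reusable ones fall to the wordlist, and Carol's random password survives. That asymmetry is exactly why the advice in this section is aimed at people who reuse passwords.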
In other words, the incident should not be underestimated. True, we don't know whether the intruders took anything, and we have no idea what the password hashing (or encryption) algorithm is. Despite this, the threat to people who reuse passwords is very real. And as we found out a couple of months ago, quite a few people reuse passwords.