NewsNow suffers security breach – passwords should be considered compromised


Online news aggregation service NewsNow has admitted that it has suffered a security breach.

I could find no mention of the data breach on NewsNow’s website or Twitter account (the last news it shares on its Twitter account announces the 2017 engagement of Prince Harry to Meghan Markle, so perhaps they don’t consider Twitter a good way to communicate with users).

But in an email entitled “Update on your account security” NewsNow acknowledges that an incident has occurred, and that “an encrypted version of your password may have been accessed”:

NewsNow breach email

The email reads as follows:

We are writing to inform you of a security breach affecting the NewsNow website. The breach has now been resolved, and security has been tightened to prevent a recurrence.

However, we believe it is possible that an encrypted version of your password may have been accessed. While we do not have any concrete evidence that this has happened, the possibility cannot be completely ruled out.

Since it would not be straightforward for anyone to decipher your actual password, and since NewsNow does not store any sensitive personal data of yours (such as payment data), we think the likelihood of anyone taking the trouble to decipher your password is minimal.

Nevertheless, as part of our tightened security measures we have signed-out currently signed-in users, and eliminated the need for passwords from our sign-in system. In future when you sign in you will simply need to click a link in the email we send you to complete the sign-in process.

Additionally, we would strongly recommend that, if you have used your existing NewsNow password on any other websites or online services, you change those now.

We would also encourage you to continue to take all usual precautions such as ignoring and deleting spam and unsolicited emails, and in particular avoiding opening unsolicited email attachments; use strong passwords, avoid using the same passwords for multiple websites or online services.

We are very sorry for any inconvenience this may cause. If you’d like more information, please contact our Data Protection Officer at dataprotection@NewsNow.co.uk or via our online form.

Quite what NewsNow means by “encrypted password” (and whether they actually meant to say “hashed” but they worried that would confuse people) isn’t explained.

It’s a shame that they didn’t include more technical details on how the passwords are stored, even if only for those readers who might understand them.

What is clear is that you should ensure that you are not using the password you were using on NewsNow anywhere else on the web.

Furthermore, NewsNow appears to be so burnt by the experience that it has decided it never wants to store passwords (hashed or otherwise) again.

In an age of “toxic data”, the site has declared that it has revamped its login system. In future users will simply enter their email address into a form, and will then need to wait for a message to be sent to their email address containing a link that will log them into the NewsNow system.

Newsnow login

NewsNow doesn’t say when its security breach occurred, but my hunch would be that it would have taken them some time to re-engineer their login process for users.

This new login system, of course, pushes some of the responsibility for securing the account away from NewsNow and onto your email provider – so please make sure that your email accounts are properly secured from unauthorised access. Multi-factor authentication for your email account is a must these days.
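A minimal sketch of the server side of an email-link sign-in like the one described above, added here as an illustration and not NewsNow's code. The class name, the 15-minute lifetime, the in-memory store and the sample address are assumptions; the point is that the link token is random, kept only as a hash, single-use and time-limited.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime; the article does not state one


class MagicLinkStore:
    """In-memory stand-in (hypothetical) for the table of pending sign-in links."""

    def __init__(self, clock=time.time):
        self._pending = {}  # sha256(token) -> (email, expires_at)
        self._clock = clock

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, email):
        """Create a one-time token; the caller embeds it in the emailed link."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        expires_at = self._clock() + TOKEN_TTL_SECONDS
        # Only the hash is stored, so a stolen copy of this table
        # cannot be turned back into working sign-in links.
        self._pending[self._digest(token)] = (email.strip().lower(), expires_at)
        return token

    def redeem(self, token):
        """Return the email to sign in, or None if unknown, used or expired."""
        entry = self._pending.pop(self._digest(token), None)  # pop = single use
        if entry is None:
            return None
        email, expires_at = entry
        if self._clock() > expires_at:
            return None
        return email


def demo():
    """Walk through first use, replay and expiry with a controllable clock."""
    now = [1_000_000.0]  # constructed timestamp
    store = MagicLinkStore(clock=lambda: now[0])
    token = store.issue("Reader@Example.com")  # constructed address
    first, replay = store.redeem(token), store.redeem(token)
    stale = store.issue("reader@example.com")
    now[0] += TOKEN_TTL_SECONDS + 1
    return first, replay, store.redeem(stale)
```

With this design the server no longer holds any long-lived secret for the user, which is why control of the mailbox becomes the deciding factor for account security.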

About the author, Graham Cluley

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon’s Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy.

Follow him on Twitter at @gcluley, or drop him an email.
