Online news aggregation service NewsNow has admitted that it has suffered a security breach.
I could find no mention of the data breach on NewsNow’s website or Twitter account (the last news it shares on its Twitter account announces the 2017 engagement of Prince Harry to Meghan Markle, so perhaps they don’t consider Twitter a good way to communicate with users).
But in an email entitled “Update on your account security” NewsNow acknowledges that an incident has occurred, and that “an encrypted version of your password may have been accessed”:
The email reads as follows:
We are writing to inform you of a security breach affecting the NewsNow website. The breach has now been resolved, and security has been tightened to prevent a recurrence.
However, we believe it is possible that an encrypted version of your password may have been accessed. While we do not have any concrete evidence that this has happened, the possibility cannot be completely ruled out.
Since it would not be straightforward for anyone to decipher your actual password, and since NewsNow does not store any sensitive personal data of yours (such as payment data), we think the likelihood of anyone taking the trouble to decipher your password is minimal.
Nevertheless, as part of our tightened security measures we have signed-out currently signed-in users, and eliminated the need for passwords from our sign-in system. In future when you sign in you will simply need to click a link in the email we send you to complete the sign-in process.
Additionally, we would strongly recommend that, if you have used your existing NewsNow password on any other websites or online services, you change those now.
We would also encourage you to continue to take all usual precautions such as ignoring and deleting spam and unsolicited emails, and in particular avoiding opening unsolicited email attachments; use strong passwords, avoid using the same passwords for multiple websites or online services.
We are very sorry for any inconvenience this may cause. If youd like more information, please contact our Data Protection Officer at dataprotection@NewsNow.co.uk or via our online form.
Quite what NewsNow means by “encrypted password” (and whether they actually meant to say “hashed” but they worried that would confuse people) isn’t explained.
It’s a shame that they didn’t include more technical details on how the passwords are stored, even if only for those readers who might understand them.
What is clear is that you should ensure that you are not using the password you were using on NewsNow anywhere else on the web.
Furthermore, NewsNow appears to be so burnt by the experience that it has decided it never wants to store passwords (hashed or otherwise) again.
In an age of “toxic data”, the site has declared that it has revamped its login system. In future users will simply enter their email address into a form, and will then need to wait for a message to be sent to their email address containing a link that will log them into the NewsNow system.
NewsNow doesn’t say when its security breach occurred, but my hunch would be that it would have taken them some time to re-engineer their login process for users.
This news login system, of course, pushes some of the responsibility for securing the account away from NewsNow and onto your email provider - so please make sure that your email accounts are properly secured from unauthorised access. Multi-factor authentication for your email account is a must these days.