NewsNow Ditches Passwords After Possible Breach

Popular news aggregation site NewsNow has been notifying its users of a potential password breach after it found evidence of an intrusion.

The firm notified customers about the incident via email this week after finding backdoor malware on some of its servers. The issue is said to have been patched and remediated.

That could leave countless NewsNow users exposed if they have used their passwords across other sites, although the firm claims that the encryption it has placed on the credentials would deter most cyber-criminals.

“Since it would not be straightforward for anyone to decipher your actual password, and since NewsNow does not store any sensitive personal data of yours (such as payment data), we think the likelihood of anyone taking the trouble to decipher your password is minimal,” it explained.

“We would also encourage you to continue to take all usual precautions such as ignoring and deleting spam and unsolicited emails, and in particular avoiding opening unsolicited email attachments; use strong passwords, avoid using the same passwords for multiple websites or online services.”

ESET security specialist, Jake Moore, argued that the best way to securely manage unique, strong passwords for multiple sites is through a password manager.

“Using a password manager means you don’t have to remember the ridiculous amount of passwords we all need to have any sort of internet presence. You no longer have to use the same password everywhere, or use memorable facts such as your cat’s name,” he explained.

“Since the password manager takes care of the remembering part, every password can be a long, totally random ton of characters. The strength is in complex length so brute-force password crackers would simply take too long.”

It’s unclear exactly what type of encryption NewsNow has used here, but interestingly the incident has persuaded the firm to abandon password storage altogether.

“As part of our tightened security measures we have signed-out currently signed-in users, and eliminated the need for passwords from our sign-in system,” it revealed. “In future when you sign in you will simply need to click a link in the email we send you to complete the sign-in process.”

Security expert, Graham Cluley, warned that this puts more responsibility for log-in security on a user’s email provider.

“So please make sure that your email accounts are properly secured from unauthorized access,” he added. “Multi-factor authentication for your email account is a must these days.”

What’s Hot on Infosecurity Magazine?