Updated UK aggregator NewsNow has suffered a breach resulting in the leak of users' "encrypted" passwords.
Word of the breach surfaced through reports to security consultant Troy Hunt, who runs the Have I Been Pwned service.
The breach notification refers to the leak of an unspecified number of "encrypted" passwords. Industry best practice is to store only salted hash representations of passwords, which is not quite the same thing. Either NewsNow is not following best practice or it has chosen the wrong term in its notice. The missive went on to say the breach has been resolved and security tightened up.
NewsNow has reportedly abandoned direct site logins altogether and switched to an email-based access confirmation system.
Some credential-stuffing botnets don't care about being noticed any moreREAD MORE
The service has yet to publish a breach notice on its website. Attempts by El Reg to contact the company via its web form, email and Twitter account remained unanswered at the time of writing.
NewsNow isn't an especially sensitive service, so the real danger comes in cases where users have used the same password or password stem on other sites. Such practices are fodder for automated credential-stuffing attacks that rely on trying leaked ID and password combinations on other websites.
Security experts such as Graham Cluley advised NewsNow users to review and change up their passwords. ®
Updated at 1500 UTC, 25 September, to add
Greg Witham, chief operating officer of NewsNow, has been in touch to state that the breach notification was a "precaution" following a recent hack.
"We recently found evidence of an intrusion. A backdoor had been installed in some of our servers. We traced the intrusion to a line of attack that was possible because of a single line of code dating back eight years. It was immediately patched, and we took all affected servers offline. We audited our code base for similar issues and found none. We fully reinstalled servers before putting them back online.
"We are not certain that a data breach took place, though it is possible. The communication to users was sent as precaution."