On Tuesday, December 11, 2018, I received a phishing email,
redacted version on pastebin.
Thankfully I used a unique password because there it was, in the clear. The
unique password showed me that it was for http://osnews.com.
I reached out to them immediately and got a response promptly but it
didn't mention anything about disclosure. So I then asked David if he
was planning to tell his users about the breach and he replied he would
by the end of the week.
Here's a snippet of his response:
"The very old custom CMS that OSNews runs on hasn’t been meticulously
updated, and it does appear that someone got ahold of our user data."
On Monday, with still no announcement, I sent another email and asked again. David
replied he would announce by end of day. Although several content posts have
been added in the last week there has still been no announcement of the security
So, after one week, I'm announcing for them.
- osnews.com has been hacked
- osnews.com kept user passwords in the clear
- those email/password tuples are now in the wild