OSNews.com Has Been Hacked
@ wrote... (4 years, 11 months ago)

On Tuesday, December 11, 2018 I received a phising email, redacted version on pastebin.

Thankfully I used a unique password because there it was, in the clear. The unique password showed me that it was for http://osnews.com.

I reached out to them immediately and got a response promptly but it didn't mention anything about disclosure. So I then asked David if he was planning to tell his users about the breach and he replied he would by the end of the week.

Here's a snippet of his response:

The very old custom CMS that OSNews runs on hasn’t been meticulously
updated, and it does appear that someone got ahold of our user data.

On Monday, with still no announcement I sent another email and asked again. David replied he would announce by end of day. Although several content posts have been added in the last week there has still been no announcement of the security breach.

So, after one week, I'm announcing for them.

  • osnews.com has been hacked
  • osnews.com kept user passwords in the clear
  • those email/password tuples are now in the wild

Damn.

Category: tech, Tags: osnews
Comments: 3
Comments
1.
Nils @ December 31, 2018 wrote... (4 years, 11 months ago)

hmmmm. osnews was one of my daily clicks. the main author, thom, is a good observer. I surely was using my minor secure credentials once or twice to post something. It would have been fair to be informed directly and not to search on twitter to get information on what happened.

Sad.

2.
Kurt @ December 31, 2018 wrote... (4 years, 11 months ago)

Yeah, I was pretty disappointed too. I was told by David several times that he would disclose but it never happened. I reached out to Troy Hunt and he was kind enough to retweet because he agreed that disclosure is good for everybody.

3.
Adam @ January 3, 2019 wrote... (4 years, 11 months ago)

A post has been added to osnews.com explaining the situation.

  • It's inaccurate to say that OSnews stored passwords in clear text, they were stored using weak encryption (sha1).
  • We don't know for certain that the database was dumped; we're actually not entirely sure what occurred, it's possible it only affected some users or some data.
  • The email you posted makes reference to a hacked router. Given news stories in 2018, is it possible that your traffic was snooped?

Either way, within (literally) hours of me learning of the breach, I took the entire old codebase offline.

Thanks for your post. I hope we can do better in the future.

Click here to add a comment