On Tuesday, December 11, 2018 I received a phising email, redacted version on pastebin.
Thankfully I used a unique password because there it was, in the clear. The unique password showed me that it was for http://osnews.com.
I reached out to them immediately and got a response promptly but it didn't mention anything about disclosure. So I then asked David if he was planning to tell his users about the breach and he replied he would by the end of the week.
Here's a snippet of his response:
The very old custom CMS that OSNews runs on hasn’t been meticulously updated, and it does appear that someone got ahold of our user data.
On Monday, with still no announcement I sent another email and asked again. David replied he would announce by end of day. Although several content posts have been added in the last week there has still been no announcement of the security breach.
So, after one week, I'm announcing for them.
- osnews.com has been hacked
- osnews.com kept user passwords in the clear
- those email/password tuples are now in the wild