CoverItLive, the popular live blogging service that is used by countless websites, has unfortunately become the latest victim of a hack attempt. The company states via emails sent to its customers that it discovered that some “proprietary data files” were accessed without permission starting around January 7, 2012, and that it has not determined the extent to which CoverItLive account information was accessed. No one at this stage has owned up to the hack either.
Thankfully, CoverItLive can report that no financial account information has been accessed, so paying users can rest assured that their credit card and/or other payment information is secure. However, as a precaution, and most likely due to a probable compromise of user passwords, CoverItLive is requiring a password reset for all active accounts. The process will start on January 14 at 12 AM EDT, so the next time you attempt to access your account you will be required to change your password.
Also a relief is that CoverItLive encrypts their passwords:
Your password and all account passwords are encrypted as a standard CoveritLive information security practice, and we have no evidence that an unauthorized individual has actually retrieved, or is using such data.
However, they caution users who use the same email address/password combination for other services, and recommend that those users immediately change their login credentials on those services to prevent any misuse. They also remind people not to share personal information via email and not to open any emails from senders they are not familiar with, mostly to guard against phishing attacks aimed at email addresses that may have been obtained.
Neowin has used CoverItLive in the past to cover live events (before we recently implemented an in-house system), so our own staff are potentially at risk here. If you too use CoverItLive, we highly recommend following the steps to change your account password on their website and taking care to ensure other accounts of yours are not compromised.
What’s interesting is that CoverItLive has taken almost a week to notice the unauthorized access to their files, so perhaps their intrusion detection system is not particularly great. In any case, it’s good to see that they found a potential hack, notified users and took appropriate action.
The full email sent to customers is attached below:
CoveritLive recently discovered that certain proprietary data files were accessed without authorization starting on or about January 7, 2012. We have not yet determined if, or to what extent, CoveritLive account information (i.e., user names, email addresses and/or passwords) was accessed. We do know, however, that no financial account information has been compromised.
Our investigation is ongoing, and, as a precautionary measure, we will implement required password resets for all active CoveritLive accounts. We plan for this process to begin Saturday January 14, 2012 at 12 AM EDT (5 AM GMT). The next time you log in after the process has begun, you will be asked to change your password before you will be allowed into your account. NOTE: we do not anticipate that you will experience a disruption in your event if you are using CoveritLive while the change is invoked.
Your password and all account passwords are encrypted as a standard CoveritLive information security practice, and we have no evidence that an unauthorized individual has actually retrieved, or is using such data. However, out of an abundance of caution we recommend that if you registered for CoveritLive using an email address and password combination that you use for other online accounts, you should immediately create unique passwords or new login credentials for those other sites and accounts.
We take this matter very seriously and will continue to work to ensure that all appropriate measures are taken to protect your personal information from unauthorized access. We also would like to take this moment to remind you of a couple of tips that should always be followed:
- Do not open emails from senders you do not know. Be especially cautious of "phishing" emails, where the sender tries to trick the recipient into disclosing confidential or personal information.
- Do not share personal or sensitive information via email. Legitimate companies will not attempt to collect personal information outside of a secure website.
We regret any inconvenience that this password change process may cause you. Please do not hesitate to contact us at email@example.com if you have any questions.