Windows Secrets is known by many for its newsletter, which is sent out regularly to free and paid subscribers of the site. At its core, it is a news site that publishes its stories on its website and in the newsletter, with some articles released exclusively to paid subscribers of the service. Articles are written by professionals and experts, making this one of the few newsletters on the web that is worth subscribing to.
It recently became known that the Windows Secrets Newsletter website was hacked. The attacker managed to brute force an administrator account to gain access to the site. Using that account, the hacker planted malicious code on the site to get access to the site's database and information. When subscribers and editors started to receive spam that appeared to come from Windows Secrets, site administrators began an investigation to find out what was going on.
They discovered the hacked administrator account and the malicious code on the website, and removed all traces of the code and the attack from the site. A full audit of the website, the servers, and the other sites on the same network is still under way.
Windows Secrets users need to know what has been compromised. According to the site operators, the following information could have been exposed:
subscriber name, e-mail address, reader number, ZIP code (if applicable), geographic region, and hashed password — all the entries on your profile page.
It seems fairly certain that email addresses have been exposed, considering that users have received spam in the last few days. Payment information is not kept on the site, and credit card processing is handled exclusively by a third-party service. At the time of writing there is no indication that financial information was compromised in the attack.
It is recommended to change the account password at the earliest convenience on this page to protect the account from third-party access. Subscribers who have used the same password on other sites should change it on those sites as well, as it is likely that the attacker will try to use the email and password combination to log in to popular sites such as Facebook, Twitter or Google (provided, of course, that the brute-forcing of the hashed passwords is successful).
Original article at Ghacks