Accounts on any Gawker Media sites used to post comments have been compromised. The sites effected include: Deadspin, Gawker, Gizmodo, io9, Jalopnik, Jezebel, Kotaku, Fleshbot, and Lifehacker. The problem isn’t just that malicious people are posting comments on these sites as others but it gives them a large list of e-mail addresses and many passwords are used across multiple sites. This last point has been proven by a spamming campaign on Twitter promoting Acai Berry weight-loss sites.
A stripe at the top of all Gawker sites warns of the compromise and warns to change your passwords while linking to an FAQ hosted on Lifehacker. The attack was performed by the Gnosis group and they have provided their own trophy by posting a ~500 MB torrent file on The Pirate Bay. The torrent contains server info, about 200,000 users, passwords, and email addresses, and about 1.3 million users in the database to be decrypted. You can read an interview with Gnosis on the site Mediaite to understand some of the details and the motivation behind the attack. The Next Web has an article detailing what exactly was compromised in terms of the server info and Gawker employee’s accounts.
Gawker posted the following statement:
We understand how important trust is on the internet, and we’re deeply sorry for and embarrassed about this breach of security – and of trust. We’re working around the clock to ensure our security (and our commenters’ account security) moving forward.
If you’ve registered an account on any Gawker Media web site (that includes Gawker, Gizmodo, Jalopnik, Jezebel, Kotaku, Lifehacker, Deadspin, io9, or Fleshbot), and you didn’t log in using Facebook Connect, then it’s best to assume that your username and password were included among the leaked data.
There are two big take-aways with this incident: 1) Change your password on Gawker immediately (if you had one) 2) Don’t use the same password on multiple sites.
Using the same password across multiple sites is a bad idea for exactly the reason this demonstrates. If a different site is compromised and can be tied back to you, it might allow them to gain access to other accounts you care more about like your online banking or your e-mail, which may contain other passwords and account info.
One example of another site being affected by this compromise comes from Twitter.
A torrent was made that includes the complete release the attackers collected though there is a table on Google Docs providing the MD5 hash of e-mails and the domains that have been affected by this. You can create the MD5 hash of your e-mail address and then search the table for that hash to confirm your account was included. This table shows some interesting information like the fact that 9,557 .edu e-mail addresses were used, 332 .gov addresses, and 342 .mil addresses.
From the Mediaite interview:
On an interesting side note there are 2650 users in the database using the password “password” or “querty”. Of these users one is registered under a .gov email address, 3 are from a .mil addres and 52 are from .edu addresses.
So password strength is an issue as well.
Your homework today is to go through your various Internet accounts and change them so they all use a password that is unique and strong. Doesn’t sound doable? It is. I recommend using KeePass to achieve this task.