Slashdot Mirror


Gawker Source Code and Databases Compromised

An anonymous reader writes "Passwords and personal data for 1.3 million Gawker Media readers — this includes readers of sites like Gizmodo, Lifehacker, Kotaku, and io9 — have been released as a BitTorrent by a group of hackers called Gnosis, who also managed to gain access to both the Gawker CMS and Gizmodo's Twitter account. Gawker confirms and urges readers to change their passwords: 'Our user databases do indeed appear to have been compromised. The passwords were encrypted. But simple ones may be vulnerable to a brute-force attack. You should change the password on Gawker (GED/commenting system) and on any other sites on which you've used the same passwords. Out of an abundance of caution, you should also change your company email password and any passwords that may have appeared in your email messages. We're deeply embarrassed by this breach. We should not be in the position of relying on the goodwill of the hackers who identified the weakness in our systems.'"

5 of 207 comments

  1. The torrent file... by Anonymous Coward · · Score: 5, Informative
    1. Re:The torrent file... by zonker · · Score: 5, Informative

      Someone uploaded the database to Google's Fusion Tables for you to search for your info against:

      http://www.google.com/fusiontables/DataSource?dsrcid=350662

      Instructions for use:

      1. Get the MD5 of your email address (lowercase)
      - Online: http://pajhome.org.uk/crypt/md5/
      - Shell: $ echo -n mylowercase@email.com|md5sum
      2. Search for the hash (via Show Options)
      3. Change your password

      By the way, for Mac users like me, that command won't work. Try md5 -r instead of md5sum.

  2. Reminds me of the LM hash by yuhong · · Score: 4, Informative

    From http://pastebin.com/9rRmf6W5:
    "Gawker uses a really outdated hashing algorithm known as DES (Data Encryption Standard).
    Because DES has a maximum of 8 chars, using a password like "abcdefgh1234" only the
    first 8 characters "abcdefgh" are encrypted and stored in the database. If your
    password is longer than 8 characters you only need to enter the first 8 characters
    to log in!"
    The LM hash generated two hashes using DES from two 7-byte parts of a 14-byte password.
    Basically they use each individual 7-byte part as a DES key to encrypt a fixed string.
    Repeat this twice, once for each 7-byte part, concatenate the results, and you get the LM hash.
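The LM construction the comment describes, and the truncation failure the quoted pastebin describes for DES crypt, are easiest to see in working code. The block below is an added example written for this mirror; it is not the commenter's code and has nothing to do with Gawker's actual systems. It implements the classic LM hash exactly as stated above (uppercase, pad or cut to 14 bytes, two 7-byte halves, each used as a DES key to encrypt the fixed string "KGS!@#$%", halves concatenated) using only Go's standard library, and then shows why a reviewer of a leaked hash dump can tell short passwords apart at a glance: every password of 7 characters or fewer has an all-zero second half, and that half always hashes to the well-known value AAD3B435B51404EE. The helper names (desKeyFrom7, lmHalf, LMHash, ShortPasswordFromHash) are this example's own.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// lmMagic is the fixed 8-byte plaintext that LM encrypts under each key half.
var lmMagic = []byte("KGS!@#$%")

// EmptyHalf is the DES encryption of lmMagic under an all-zero 7-byte key,
// i.e. the half produced by an empty (or NUL-padded) password fragment.
const EmptyHalf = "AAD3B435B51404EE"

// desKeyFrom7 spreads 7 bytes (56 key bits) over 8 bytes so that the low bit
// of every byte is left for the DES parity bit, which the cipher ignores.
func desKeyFrom7(b []byte) []byte {
	k := make([]byte, 8)
	k[0] = b[0] >> 1
	k[1] = (b[0]&0x01)<<6 | b[1]>>2
	k[2] = (b[1]&0x03)<<5 | b[2]>>3
	k[3] = (b[2]&0x07)<<4 | b[3]>>4
	k[4] = (b[3]&0x0F)<<3 | b[4]>>5
	k[5] = (b[4]&0x1F)<<2 | b[5]>>6
	k[6] = (b[5]&0x3F)<<1 | b[6]>>7
	k[7] = b[6] & 0x7F
	for i := range k {
		k[i] <<= 1 // move the 7 key bits up, parity position becomes bit 0
	}
	return k
}

// lmHalf uses one 7-byte password fragment as a DES key to encrypt lmMagic.
func lmHalf(fragment []byte) []byte {
	block, err := des.NewCipher(desKeyFrom7(fragment))
	if err != nil {
		panic(err) // only possible for a wrong key length, which cannot happen here
	}
	out := make([]byte, 8)
	block.Encrypt(out, lmMagic)
	return out
}

// LMHash computes the LAN Manager hash of a password: uppercase it (ASCII only
// in this example), pad with NULs or silently cut to 14 bytes, split into two
// independent 7-byte halves, and concatenate the two DES results as hex.
func LMHash(password string) string {
	padded := make([]byte, 14)
	copy(padded, []byte(strings.ToUpper(password))) // copy drops anything past byte 14
	both := append(lmHalf(padded[:7]), lmHalf(padded[7:])...)
	return strings.ToUpper(hex.EncodeToString(both))
}

// ShortPasswordFromHash reports whether an LM hash betrays a password of at
// most 7 characters: its second half is the hash of seven NUL bytes.
func ShortPasswordFromHash(lm string) bool {
	return len(lm) == 32 && strings.EqualFold(lm[16:], EmptyHalf)
}

func main() {
	for _, pw := range []string{"", "abc", "password", "Password", "password1", "password2"} {
		fmt.Printf("%-10q -> %s  short=%v\n", pw, LMHash(pw), ShortPasswordFromHash(LMHash(pw)))
	}
}
```

Two properties visible in the output explain why this scheme, like an 8-character DES crypt, cannot protect a long password: case is thrown away before hashing, and the halves are computed independently, so "password1" and "password2" share their first 16 hex digits and each half can be attacked on its own. The same structural leak is what a defender looks for when auditing a dump: a second half of AAD3B435B51404EE means a password that never exceeded 7 characters.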

  3. Re:Encrypted? Hashed? by Anonymous Coward · · Score: 2, Informative

    The salt just complicates the rainbow table lookup method. It's not supposed to be super secret. It makes every password require an expensive brute-force lookup rather than an O(1) operation.
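The cost difference this comment describes can be shown directly. The block below is an added example written for this mirror, not the commenter's code and not anything Gawker ran. It uses SHA-256 from Go's standard library purely as a stand-in hash (a real password store should use a deliberately slow, salted KDF such as bcrypt, scrypt or Argon2, which is the same idea with the cost turned up) and a constructed five-word list standing in for a dictionary. With unsalted hashes a table computed once answers every lookup in O(1), for any number of accounts; with a per-account salt stored in the clear next to the hash, that table is useless and the work has to be redone per account. The names (Record, NewRecord, Verify, BuildTable, LookupUnsalted, GuessSalted) are this example's own.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// demoWords is a constructed stand-in for a dictionary or leaked-password list.
var demoWords = []string{"123456", "password", "qwerty", "letmein", "gawker"}

// Record is what a database row stores: the salt is public, only the hash is checked.
type Record struct {
	Salt string // hex, stored in the clear alongside the hash
	Hash string // hex of H(salt || password)
}

func unsaltedHash(pw string) string {
	sum := sha256.Sum256([]byte(pw))
	return hex.EncodeToString(sum[:])
}

func saltedHash(salt []byte, pw string) string {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(pw))
	return hex.EncodeToString(h.Sum(nil))
}

// NewRecord draws a fresh 16-byte random salt for each account, so two users
// with the same password still get different stored hashes.
func NewRecord(pw string) Record {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		panic(err)
	}
	return Record{Salt: hex.EncodeToString(salt), Hash: saltedHash(salt, pw)}
}

// Verify recomputes the salted hash and compares in constant time.
func Verify(r Record, pw string) bool {
	salt, err := hex.DecodeString(r.Salt)
	if err != nil {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(saltedHash(salt, pw)), []byte(r.Hash)) == 1
}

// BuildTable precomputes hash -> password once. Against unsalted storage this
// single table serves every account in the database.
func BuildTable(words []string) map[string]string {
	table := make(map[string]string, len(words))
	for _, w := range words {
		table[unsaltedHash(w)] = w
	}
	return table
}

// LookupUnsalted is the O(1) case the comment mentions: one map lookup per hash.
func LookupUnsalted(table map[string]string, hash string) (string, bool) {
	pw, ok := table[hash]
	return pw, ok
}

// GuessSalted is the salted case: the salt differs per account, so the whole
// list must be re-hashed for each record. It returns the number of hash
// computations spent so the cost can be compared with the table lookup.
func GuessSalted(r Record, words []string) (pw string, work int, found bool) {
	salt, err := hex.DecodeString(r.Salt)
	if err != nil {
		return "", 0, false
	}
	for _, w := range words {
		work++
		if saltedHash(salt, w) == r.Hash {
			return w, work, true
		}
	}
	return "", work, false
}

func main() {
	table := BuildTable(demoWords)
	pw, ok := LookupUnsalted(table, unsaltedHash("qwerty"))
	fmt.Println("unsalted: table lookup ->", pw, ok)

	rec := NewRecord("letmein")
	_, ok = LookupUnsalted(table, rec.Hash)
	fmt.Println("salted: same table ->", ok)
	pw, work, ok := GuessSalted(rec, demoWords)
	fmt.Printf("salted: per-account work -> %s after %d hashes, found=%v\n", pw, work, ok)
}
```

Note that Verify never needs the salt to be secret: it is read straight out of the record. What the salt buys is exactly what the comment says, the loss of the shared precomputed table, which is why the per-account work counter in GuessSalted grows with the wordlist instead of staying at one lookup.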

  4. Re:EasyDNS by cyclocommuter · · Score: 4, Informative

    Not only that, Gawker seems to have an ongoing battle with Wikileaks, Assange, and anon via posts like this and this. They also appear to be taunting anon to hit them if they can... looks like they got what they wished for, although as the saying goes, any publicity is good publicity... especially for the Gawker media empire.