Slashdot Mirror


Gawker Source Code and Databases Compromised

An anonymous reader writes "Passwords and personal data for 1.3 million Gawker Media readers — this includes readers of sites like Gizmodo, Lifehacker, Kotaku, and io9 — have been released as a BitTorrent by a group of hackers called Gnosis, who also managed to gain access to both the Gawker CMS and Gizmodo's Twitter account. Gawker confirms and urges readers to change their passwords: 'Our user databases do indeed appear to have been compromised. The passwords were encrypted. But simple ones may be vulnerable to a brute-force attack. You should change the password on Gawker (GED/commenting system) and on any other sites on which you've used the same passwords. Out of an abundance of caution, you should also change your company email password and any passwords that may have appeared in your email messages. We're deeply embarrassed by this breach. We should not be in the position of relying on the goodwill of the hackers who identified the weakness in our systems.'"

43 of 207 comments

  1. So much for offloading infrastructure outside. by sethstorm · · Score: 3, Insightful

    Perhaps this should give them a lesson about going overkill on the whole "outsourcing" thing.

    --
    Twitter supports and protects racists - by smearing their critics with the "Hate Speech" label.
    1. Re:So much for offloading infrastructure outside. by jhoegl · · Score: 2, Insightful

      Not 100% sure why this is OT, but okay.

      I can tell you for certain that some companies that are Outsourced do not follow the same security standards that we do. Even if they say they do.
      Bad part? These companies have access to our finances and/or medical records. Outsourcing tech jobs to India was bad enough, think about outsourcing to communist run countries... where they don't give a shit about privacy.

    2. Re:So much for offloading infrastructure outside. by Anonymous Coward · · Score: 2, Insightful

      Not entirely sure why communism means privacy is ignored. America seems fairly hell bent on removing the expectation of privacy itself.

    3. Re:So much for offloading infrastructure outside. by cgenman · · Score: 4, Insightful

      I'm vaguely surprised that companies aren't held legally liable if their outsourcing companies don't adhere to certain security standards. It shouldn't be any different if a company you outsource to in India or a division of your company in Idaho leaves your clients' information unsecured.

  2. Goodwill? by Cyberllama · · Score: 4, Insightful

    I appreciate taking this sort of thing with good nature, but that might be a bit generous. Goodwill stopped at the "released a torrent of all the users passwords and personal data". Now my email address is going to get spammed . . . .

    1. Re:Goodwill? by LighterShadeOfBlack · · Score: 5, Insightful

      He's not calling what the hackers did 'goodwill', he's saying they shouldn't allow a situation to come about where the goodwill (or lack thereof) is the difference between an e-mail advising of the vulnerability and... well... this. In other words he's taking responsibility for the vulnerability in their systems instead of trying to say that it's all the evil hackers' fault for exploiting it. A refreshing change from the usual response to this kind of thing.

      --
      Spelling mistakes, grammatical errors, and stupid comments are intentional.
    2. Re:Goodwill? by the+phantom · · Score: 3, Interesting

      Parse that last sentence again. Gawker had at least one vulnerability that they did not know about. One or more black hats found that vulnerability, and exploited it. In the same situation, white hats would have found the vulnerability and reported it. They were relying on the goodwill of white hats to report errors, rather than being more proactive themselves, and got pwned. This is, they say, embarrassing, and a situation that they should not have been in.

  3. Someone forgot to log out of the CMS... by RagingMaxx · · Score: 5, Funny

    ... on their iPhone 4, which for some reason they appear to have left at the bar...

  4. Good thing I don't use those services... by noidentity · · Score: 4, Funny

    ...and instead use Facebook to protect my privacy. Wait, why are you laughing?

  5. Further Lessons by alvinrod · · Score: 4, Insightful

    Not sure why anyone would register with any of the Gawker sites, but why on earth you would ever give your actual email address to half of these websites is beyond me. If they require you to provide an email address to register, use a throwaway address from something like mailinator or the other sites like it. Yes, someone could take over the account if the email address is posted, but for almost all of those sites the account serves no purpose outside of being able to post.

    I'm not even sure why they require email addresses. Reddit is one of the few sites I've seen get it right. They don't require an email address to register, but warn you that if you don't include one there is no way to recover the password for the account.

    1. Re:Further Lessons by dwarfsoft · · Score: 4, Interesting

      One benefit of having a domain is having forward all for %.com@domain.com. That way you can see which sites got compromised or which accounts got onsold. They can be easily blocked too.

      Still, I do prefer using throwaway email accounts, or not signing up if the content is readily available without registering.

      --
      Cheers, Chris
    2. Re:Further Lessons by PopeRatzo · · Score: 3, Funny

      Not sure why anyone would register with any of the Gawker sites

      Actually, this makes me think this "Gnosis" group might have done us a favor by releasing the names of Gawker readers.

      If aliens should attack the Earth looking to harvest DNA, we now have a list of people that won't be missed.

      --
      You are welcome on my lawn.
    3. Re:Further Lessons by Kjella · · Score: 2

      Yahoo has got a fairly nice feature where you get up to 500 mail aliases. That way you know exactly what site is selling your address and as a bonus you can have it autosort to folders. On top of that, you have the best unsubscription method possible, you simply delete the alias and all their mail will bounce. It probably doesn't hurt to send a "fuck you too" email with the alias saying you know what they did either. I really wish I had discovered it sooner, because my personal address was already a bit spammy but I don't want to change it now. At least this way it's not getting any worse.

      --
      Live today, because you never know what tomorrow brings
  6. The torrent file... by Anonymous Coward · · Score: 5, Informative
    1. Re:The torrent file... by Anonymous Coward · · Score: 5, Insightful

      So I can check if my address and password were included so I know whether to go round changing them everywhere...

    2. Re:The torrent file... by alvinrod · · Score: 4, Insightful

      A lesson in how trivial it is for anyone to get your email address and other information when you provide it to third parties who may become compromised. I hope it gets voted to +5 just so it sinks in for a few people and they aren't so careless with their personal information in the future.

      Gawker honestly shouldn't even store the emails. If someone loses a password they can just make a new account. I don't want to sound mean, but if you can't be a good example you might as well serve as a horrible warning.

    3. Re:The torrent file... by zonker · · Score: 5, Informative

      Someone uploaded the database to Google's Fusiontable's for you to search for your info against:

      http://www.google.com/fusiontables/DataSource?dsrcid=350662

      Instructions for use:

      1. Get the MD5 of your email address (lowercase)
      - Online: http://pajhome.org.uk/crypt/md5/
      - Shell: $ echo -n mylowercase@email.com|md5sum
      2. Search for the hash (via Show Options)
      3. Change your password

      By the way for Mac users like me that command won't work. Try md5 -r instead of md5sum
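The check zonker describes, written out as an added example that is not from the post: normalise the address the same way (trim, lowercase), take its MD5, and look that digest up in a list of digests, which lets you run a whole list of addresses through at once. The three digests in `LEAKED_INDEX_TEXT` are constructed here by hashing made-up example addresses; they are not from the real dump.

```python
import hashlib


def email_fingerprint(address: str) -> str:
    """MD5 hex digest of the trimmed, lowercased address (the form the searchable table used)."""
    return hashlib.md5(address.strip().lower().encode("utf-8")).hexdigest()


# Constructed sample index: one hex digest per line, as a leaked-hash list would be stored.
# These are produced here from example addresses and are not from the real dump.
LEAKED_INDEX_TEXT = "\n".join(
    email_fingerprint(a) for a in ("alice@example.com", "bob@example.org", "carol@example.net")
) + "\n"


def load_index(text: str) -> set:
    """Parse a digest-per-line file into a set; blank lines and stray case are tolerated."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}


def find_exposed(addresses, index) -> list:
    """Return the addresses (exactly as given) whose fingerprint appears in the index."""
    return [a for a in addresses if email_fingerprint(a) in index]


if __name__ == "__main__":
    index = load_index(LEAKED_INDEX_TEXT)
    # Mixed case and surrounding whitespace must not hide a match.
    candidates = ["Alice@Example.COM", "dave@example.com", " bob@example.org "]
    for addr in find_exposed(candidates, index):
        print("exposed, change the password used with:", addr.strip())
```

Normalisation is the part people get wrong by hand: `echo -n` matters (a trailing newline changes the digest) and so does lowercasing, which is why the function does both before hashing.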

    4. Re:The torrent file... by Anonymous Coward · · Score: 3, Interesting

      It's a pretty good textbook example of how NOT to secure a website (not to mention a major one). I checked out the README, and it's rather embarrassing. Trivial leetspeak for root passwords, publicly accessible MySQL servers, stuff running Linux 2.6.18 compiled back in 2007 (there have been multiple local root exploits since then), ridiculously insecure passwords for admin accounts, people using the same password everywhere... They also appear to be using ancient DES crypt() for their website user passwords (that means only the first 8 characters of user/commenter passwords on the site matter). Really, it's no surprise that they were broken into through every possible orifice and then some. That's not counting the failure to react when they noticed something was off (which they did) before it was way too late.

    5. Re:The torrent file... by scdeimos · · Score: 2

      Regardless of which site is compromised, two reasons why having your e-mail address harvested is bad news:

      1. Spammers will send more spam directly to you.
      2. Spammers will send more spam to everybody else using your e-mail address - so you get more complaints from internet noobs fed-up with spam and thinking that you were the sender.
    6. Re:The torrent file... by julesh · · Score: 2

      So they would include all username/password except yours?

      I, for one, do not know whether I have ever registered at a gawker media site. I occasionally read some of them, and may have been tempted to comment at some point; I believe registration is mandatory before commenting so would have registered at that point in time. My guess is there's about a 20% chance this happened. If I did, I should find out so that I can change my password. I can't use the "forgotten username" interface at their site to try to find my login details because I'll have used a made-up one-off email address for the purpose, and have no idea what this would be.

      Also, as an IT administrator for a small business, I feel it would be a good idea to check for other users at our site who may have registered and warn them about this breach, so I'll be running a scan for all email addresses at all domains I'm responsible for.

    7. Re:The torrent file... by xtracto · · Score: 2

      If Gawker, Slashdot or any other online sites that "require" a login account really valued your privacy they would maintain hashes of both your email and password.

      Then, when you wanted to authenticate, they would only compare the hashed results of the data you provided with their stored hashes.

      If you wanted to recover your password, they would ask for your email and *IFF* the email you entered was found in the registries, then they would send a "password reset" page to the email you enter.

      Of course, you really do not need an account to read the majority of those sites... I've been reading Lifehacker for a while and I have never made an account.

      --
      Ubuntu is an African word meaning 'I can't configure Debian'
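Here is what xtracto's design looks like in code, as an added example that is not from the post and not Gawker's code. It goes one step beyond the post on the address side: a plain MD5 or SHA of an address is trivially reversed by hashing candidate addresses (that is exactly how the searchable copy of the dump works), so the store keeps a keyed hash of the address instead; the password gets a per-user salt and PBKDF2, and a reset request is answered only with yes/no so the store never has to produce the address. `EMAIL_PEPPER`, the round count and the class/function names are choices made here.

```python
import hashlib
import hmac
import secrets

# Constructed placeholder: in practice a secret held outside the database, so a dump of the
# table alone is not enough to hash candidate addresses and match them.
EMAIL_PEPPER = b"example-pepper-kept-out-of-the-db"
PBKDF2_ROUNDS = 100_000


def email_key(email: str) -> str:
    """Keyed hash of the normalised address; this, not the address, is the lookup key."""
    normalised = email.strip().lower().encode("utf-8")
    return hmac.new(EMAIL_PEPPER, normalised, hashlib.sha256).hexdigest()


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow hash; the full password is used (no 8-character truncation)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class AccountStore:
    """Persists {email_key: (salt, password_hash)} and nothing in plaintext."""

    def __init__(self):
        self._accounts = {}

    def register(self, email: str, password: str) -> None:
        salt = secrets.token_bytes(16)          # fresh per account, so equal passwords differ
        self._accounts[email_key(email)] = (salt, hash_password(password, salt))

    def authenticate(self, email: str, password: str) -> bool:
        record = self._accounts.get(email_key(email))
        if record is None:
            # Burn the same work for an unknown address so timing does not reveal existence.
            hash_password(password, b"\x00" * 16)
            return False
        salt, stored = record
        return hmac.compare_digest(stored, hash_password(password, salt))

    def reset_allowed(self, email: str) -> bool:
        """True iff the hashed address is on file; the caller then mails the address the
        user typed, because the store cannot recover it."""
        return email_key(email) in self._accounts

    def records(self) -> dict:
        """Copy of what would be written to disk, to confirm nothing sensitive is in it."""
        return dict(self._accounts)


if __name__ == "__main__":
    store = AccountStore()
    store.register("Alice@Example.com", "correct horse battery staple")
    print("login ok:", store.authenticate("alice@example.com", "correct horse battery staple"))
    print("bad pw:  ", store.authenticate("alice@example.com", "hunter2"))
    print("reset?:  ", store.reset_allowed("ALICE@example.com"))
```

The trade-off the post glosses over: with only a hash on file the site cannot e-mail its users about a breach like this one, which is why most sites keep the address. If it is kept, the keyed hash is still worth having as the lookup key so the address column can be encrypted at rest and never has to be indexed in the clear.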
    8. Re:The torrent file... by arth1 · · Score: 2

      stuff running Linux 2.6.18

      To be fair, those are RHEL 5 servers, which are going to be supported for several more years. Red Hat backports security fixes, so their 2.6.18 is far from vanilla 2.6.18.

      Why 2.6.18? For one thing, it was a long term stable (like 2.6.27 and 2.6.32), and RHEL is supported for (I believe) 7 years.
      More, 2.6.18 is required for Xen, which many versions of RHEL come bundled with. (A couple of the gawker "servers" are really virtual machines running under xen). If you want near-instant failover capabilities, xen is currently the only choice; kvm doesn't have that yet.

      But again, just because you see 2.6.18, don't assume it's the same 2.6.18 as what was released years ago. It stays on 2.6.18 for compatibility reasons, but gets all security patches.

  7. Re:Encrypted? Hashed? by causality · · Score: 4, Funny

    They probably did. It's a press release, and a one-way cryptographic hash is close enough to "encrypted" and a helluva lot shorter and more understandable to a non-pedantic audience.

    At least they didn't say "scrambled".

    --
    It is a miracle that curiosity survives formal education. - Einstein
  8. Re:Children suck by causality · · Score: 4, Insightful

    We considered what action we would take, and decided that the Gawkmedia “empire” needs to be brought down a peg or two.

    This is the major problem with the internet - we let children on it.

    Really kids? Go play somewhere else and let the adults have peace and quiet. You don't need to piss on everything just to prove you're alive. The smell of your unwashed armpits is already ample demonstration.

    There's no indication that the people who compromised Gawker were minors... but to respond to your larger sentiment...

    People who have malicious intentions and do bad things exist. They exist in large numbers. It is simply not possible to identify and stop every last one of them. It's not even feasible to significantly reduce their numbers. Not even the power of law can accomplish that. Indeed, law is a tool for managing this fact of life and has no real power to completely prevent it. There's nothing anyone can do about this reality. It can only be acknowledged, accepted, and worked with. Denial and delusion are your only other options.

    There's one thing we can do, however. We can harden the targets. We can secure the systems for which each of us is responsible. We can realize that compromises like this are preventable and then take steps to prevent them. We can learn from the example of those who failed to do so. At the end of the day, we can realize that we're not helpless victims completely at the mercy of random chance or luck, but rather, that there is a great deal we can do to become an extremely difficult target.

    Posts like this one are written in the spirit of this understanding. It highlights that the owners of those systems acknowledge that they have failed, have accepted responsibility for that, and therefore have the fewest obstacles to learning from this experience and overcoming it. An attitude of blaming everything on "those evil hackers", though they truly have done wrong, would practically guarantee that nothing is learned and no skills are improved.

    --
    It is a miracle that curiosity survives formal education. - Einstein
  9. That's not the most insecure part by The+Moof · · Score: 5, Insightful

    I find that message from Gawker amusing because they don't even secure their login form with SSL. They're concerned about the database getting stolen with unreadable passwords that might be cracked with enough time, but they turn a blind eye to the fact that authentication information is sent in the clear from the form...

  10. Re:Children suck by Anonymous Coward · · Score: 2, Insightful

    I didn't say minors. I said "children."

    I chose that word carefully.

    Your points are all very correct, of course. I am just screaming to an apathetic universe.

  11. Re:Encrypted? Hashed? by Arancaytar · · Score: 4, Funny

    Waht? Smcrbalnig is a pfretlecy surece epoitrcyn mhtoed for prdsoaswss!

  12. Re:Children suck by causality · · Score: 3, Insightful

    I didn't say minors. I said "children."

    I chose that word carefully.

    Your points are all very correct, of course. I am just screaming to an apathetic universe.

    Point taken. In fact the biggest single reason why I am concerned about the long-term well-being of the USA is that most of its "adults" are petty, indulgent, overgrown children with short memories. In that spirit I can see why you had good reason to choose that word as you did.

    I maintain that the more adult thing to do is to overcome such events by learning their lesson, rather than indulging in the "blame game" and making it into a 5-minute hate. Not only is that the constructive solution, it also limits the damage of this intrusion to computer systems only. The anger and hatred merely serves the intruder(s) by extending the damage into the personal realm of your own well-being.

    --
    It is a miracle that curiosity survives formal education. - Einstein
  13. Reminds me of the LM hash by yuhong · · Score: 4, Informative

    From http://pastebin.com/9rRmf6W5:
    "Gawker uses a really outdated hashing algorithm known as DES (Data Encryption Standard).
    Because DES has a maximum of 8chars using a password like "abcdefgh1234" only the
    first 8 characters "abcdefgh" are encrypted and stored in the database. If your
    password is longer than 8 characters you only need to enter the first 8 characters
    to log in! "
    The LM hash generated two hashes using DES from two 7 byte parts of a 14 byte password.
    Basically they use each individual 7 byte part as a DES key to encrypt a fixed string.
    Repeat this twice for each 7 byte part, and concatenate the results, and you get the LM hash.

  14. Not as Bad as It Seems by R-66Y · · Score: 2

    After looking through the package released through BitTorrent, not everybody's password has been compromised. Gawker does appear to store passwords in an encrypted form and only particularly weak passwords have been cracked. My username, for instance, does appear in their raw DB dump (with an encrypted form of my password) but not in a separate file which lists the passwords they were able to crack. I have a fairly strong password and I believe that's why. Real examples of passwords weak enough to be cracked include "may1404" and "122190". Nothing like, for instance, "STux_s7a" (an old password of mine) appears in unencrypted form, and that isn't even a very strong "strong" password.

  15. Re:orly by PhrostyMcByte · · Score: 2

    and by "encrypted" do they mean "we're idiots and stored something other than a salt + hash of the passwords"?

    They used crypt(), which means it's going to be relatively easy to crack everything in the file even if the users' passwords were strong. Why anyone would use crypt() for password hashing is beyond me.

  16. the true gem here: ID'ing astroturfers by SuperBanana · · Score: 4, Interesting

    The real value here is that we'll get to see who has been astroturfing one of the "most popular" blog networks...and dumb enough to use obvious personal or work email addresses. In fact, it wouldn't surprise me if Gawker copywriters were 'turfing their own stories too, given how much emphasis Gawker places on story viewcounts.

  17. Re:Encrypted? Hashed? by Anonymous Coward · · Score: 2, Informative

    The salt just complicates the rainbow table lookup method. It's not supposed to be super secret. It makes every password require an expensive brute-force lookup rather than an O(1) operation.

  18. EasyDNS by Tridus · · Score: 3, Insightful

    It's nice to see a bit of karmic justice after Gawker falsely accused EasyDNS of cutting off Wikileaks (it was EveryDNS), then acted like jackasses when called on it.

    http://blogs.villagevoice.com/runninscared/2010/12/gawker_refuses.php

    --
    -- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
    1. Re:EasyDNS by cyclocommuter · · Score: 4, Informative

      Not only that, Gawker seems to have an ongoing battle with Wikileaks, Assange, and anon via posts like this and this. They also appear to be taunting anon to hit them if they can... looks like they got what they wished for although as the saying goes, any publicity is good publicity... especially for the Gawker media empire.

    2. Re:EasyDNS by lanner · · Score: 2

      I have to agree with the "jackasses" comment being well deserved. They falsely accused someone of wrong, tried to quietly correct it, then insult anyone who called them out on their mistake, including those who they wronged.

      Being wrong is one thing, but how they handled it turned the editors into "jackasses".

    3. Re:EasyDNS by Grizzley9 · · Score: 3

      They've got an ongoing battle with their own commenters as well, esp articles like this one that got many many accounts banned if you disagreed with the article "writer" (Joel): http://gizmodo.com/5687692/you-write-bias-journalism-and-i-read-derp

  19. Re:orly by Ant+P. · · Score: 2

    Given the contempt they apparently hold for their own users, I don't think they're concerned all that much with protecting those users' data in the first place.

  20. Re:uh by Scorpinox · · Score: 3

    I took this as a sign to change all my passwords. It's been a pain in the ass honestly, and provided a nice overview of who is good at letting you change passwords and who sucks. ICQ so far is by far the worst, you can't change it through their website, so you have to download their client, plus they don't allow special characters. Ebay's was really hard to find where to change it as well.

    I just went through my bookmarks, starting with the important stuff and working my way down. Unfortunately, there are surely some sites I've forgotten. I'll have to change them as they come up, but they are mostly throwaway accounts anyway.

  21. Re:Throwaway Email by plover · · Score: 3, Insightful

    You don't even need to register a throwaway address for Hulu or sites like it. Enter bugmenot, savior of the net.

    Bugmenot unfortunately lost their courage a few years ago when they changed the way they function. I suspect they were threatened by a lawsuit. Now, any domain or site owner can request that bugmenot exclude their site from participating, and I've found that so many of the popular ones do that it's lost all practical value for me.

    I now use mailinator for all my throwaway registrations, then if I care in the least I change the password just in case someone else reads from the same random email name that I did. I usually don't. For more "durable" sites where I'm likely to participate over a longer time, I'll create a unique sneakemail address and keep them around forever. When something like the Gizmodo breach happens I simply flag them as spam, and they plonk all the email from them for me. I've had to do that a couple of times now. I find their service is well worth the $24/year.

    --
    John
  22. Re:Encrypted? Hashed? by plover · · Score: 2

    Having people reinvent it constantly is counterproductive to your goal. What we need are a few people who actually know what they're doing to design it, and for everybody else to use that.

    How about Kerberos, versions 1-4? Oh, wait. Bad example.

    My point is that MIT has the people who not only know what they're doing, but are the ones who often define the very security practices the rest of us rely on. And even they needed to get to version 5 before they got it right (for current definitions of "right").

    I'm certainly not saying that ShmooCMS is going to do a better job than MIT did with kerberos at defining an unhackable protocol. They're not. I am saying to "be mindful of what you rely on", because even the best systems are not likely to remain secure forever.

    --
    John
  23. Re:Throwaway Email by TubeSteak · · Score: 3, Interesting

    I now use mailinator for all my throwaway registrations, then if I care in the least I change the password just in case someone else reads from the same random email name that I did.

    I put common e-mails @mailinator into the "forgot password" field when I need a login.
    It works more often than not.

    --
    [Fuck Beta]
    o0t!
  24. Re:I've lost track of my passwords... by PReDiToR · · Score: 3, Interesting

    https://addons.mozilla.org/en-US/firefox/addon/3282/

    Think up a new password. Just one.
    Pass = "PcbEn!"
    The mnemonic for that password is "Passwords Can Be Easy Now!"

    Now use that one simple password to create stupidly complex passwords for the sites you visit by using Password Hasher.

    Every site you go to will have its own unique mix of 26 upper, lower, numbers, symbols (if it supports it) that can be easily recreated in seconds without ever being written down or stored electronically.

    All you have to remember is that passwords can be easy now.

    Example password for Slashdot using this example is "nRP2zGk56sYN8IMUyFR/XpIx45" which is out of the brute force range this year and probably next year too.

    --

    Do not meddle in the affairs of geeks for they are subtle and quick to anger
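The derivation PReDiToR describes, as an added example that is not the Password Hasher add-on's own code; its exact algorithm is an assumption made here (HMAC-SHA256 keyed with the master password over the lowercased site name, base64, cut to 26 characters, then a deterministic fix-up so that upper, lower, digit and symbol all appear). `derive_site_password`, `has_all_classes` and the symbol set are names and choices made for this example, so the output for "PcbEn!" will not match the post's.

```python
import base64
import hashlib
import hmac
import string

# One required character class per slot; a missing class is injected at its slot index.
CLASSES = (string.ascii_uppercase, string.ascii_lowercase, string.digits, "!@#$%^&*+/")


def derive_site_password(master: str, site: str, length: int = 26) -> str:
    """Derive a fixed-length per-site password from one memorised master password.

    Same master + same site always gives the same result, so nothing needs storing;
    a different site or a different master gives an unrelated result.
    """
    if length < len(CLASSES):
        raise ValueError("length too short to hold one character of every class")
    digest = hmac.new(master.encode("utf-8"),
                      site.strip().lower().encode("utf-8"),
                      hashlib.sha256).digest()
    # 32 digest bytes -> 44 base64 chars; the '=' padding sits past any length <= 43.
    chars = list(base64.b64encode(digest).decode("ascii")[:length])
    # Guarantee every class is present. Each class has its own slot, so an injection
    # never overwrites another injected class; the loop therefore ends within 4 passes.
    changed = True
    while changed:
        changed = False
        for slot, cls in enumerate(CLASSES):
            if not any(c in cls for c in chars):
                chars[slot] = cls[digest[slot] % len(cls)]   # digest-driven, so still deterministic
                changed = True
    return "".join(chars)


def has_all_classes(password: str) -> bool:
    """Check the policy the derivation promises: at least one of each class."""
    return all(any(c in cls for c in password) for cls in CLASSES)


if __name__ == "__main__":
    for site in ("slashdot.org", "gawker.com"):
        print(site, derive_site_password("PcbEn!", site))
```

The caveat worth stating: HMAC-SHA256 is fast, so if one derived password leaks in a dump like this one, an attacker with the site name can test guesses of the master offline at full speed. The short mnemonic in the post is therefore the weak link; the master has to carry the real entropy, or the derivation should use a deliberately slow function (PBKDF2 or scrypt) in place of the single HMAC.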