Slashdot Mirror

← Back to Stories (view on slashdot.org)

Gawker Source Code and Databases Compromised

Posted by samzenpus on from the let's-see-what-we-have dept.

An anonymous reader writes "Passwords and personal data for 1.3 million Gawker Media readers — this includes readers of sites like Gizmodo, Lifehacker, Kotaku, and io9 — have been released as a BitTorrent by a group of hackers called Gnosis, who also managed to gain access to both the Gawker CMS and Gizmodo's Twitter account. Gawker confirms and urges readers to change their passwords: 'Our user databases do indeed appear to have been compromised. The passwords were encrypted. But simple ones may be vulnerable to a brute-force attack. You should change the password on Gawker (GED/commenting system) and on any other sites on which you've used the same passwords. Out of an abundance of caution, you should also change your company email password and any passwords that may have appeared in your email messages. We're deeply embarrassed by this breach. We should not be in the position of relying on the goodwill of the hackers who identified the weakness in our systems.'"

29 of 207 comments (clear)

  1. So much for offloading infrastructure outside. by sethstorm · · Score: 3, Insightful

    Perhaps this should give them a lesson about going overkill on the whole "outsourcing" thing.

    --
    Twitter supports and protects racists - by smearing their critics with the "Hate Speech" label.
    1. Re:So much for offloading infrastructure outside. by cgenman · · Score: 4, Insightful

      I'm vaguely surprised that companies aren't held legally liable if their outsourcing companies don't adhere to certain security standards. It shouldn't be any different if a company you outsource to in India or a division of your company in Idaho leave your clients information unsecured.

      --
      The ______ Agenda
  2. Goodwill? by Cyberllama · · Score: 4, Insightful

    I appreciate taking this sort of thing with good nature, but that might be a bit generous. Goodwill stopped at the "released a torrent of all the users passwords and personal data". Now my email address is going to get spammed . . . .

    1. Re:Goodwill? by LighterShadeOfBlack · · Score: 5, Insightful

      He's not calling what the hackers did 'goodwill', he's saying they shouldn't allow a situation to come about where the goodwill (or lack thereof) is the difference between an e-mail advising of the vulnerability and... well... this. In other words he's taking responsibility for the vulnerability in their systems instead of trying to say that it's all the evil hackers fault for exploiting it. A refreshing change from the usual response to this kind of thing.

      --
      Spelling mistakes, grammatical errors, and stupid comments are intentional.
    2. Re:Goodwill? by the+phantom · · Score: 3, Interesting

      Parse that last sentence again. Gawker had at least one vulnerability that they did not know about. One or more black hats found that vulnerability, and exploited it. In the same situation, white hats would have found the vulnerability and reported it. They were relying on the goodwill of white hats to report errors, rather than being more proactive themselves, and got pwned. This is, they say, embarrassing, and a situation that they should not have been in.

      --
      Rhapsody in Numbers
  3. Someone forgot to log out of the CMS... by RagingMaxx · · Score: 5, Funny

    ... on their iPhone 4, which for some reason they appear to have left at the bar...

  4. Good thing I don't use those services... by noidentity · · Score: 4, Funny

    ...and instead use Facebook to protect my privacy. Wait, why are you laughing?

  5. Further Lessons by alvinrod · · Score: 4, Insightful

    Not sure why anyone would register with any of the Gawker sites, but why on earth you would ever give your actual email address to half of these websites is beyond me. If they require you to provide an email address to register, use a throwaway address from something like mailinator or the other sites like it. Yes, someone could take over the account if the email address is posted, but for almost all of those sites the account serves no purpose outside of being able to post.

    I'm not even sure why they require email addresses. Reddit is one of the few sites I've seen get it right. They don't require an email address to register, but warn you that if you don't include one there is no way to recover the password for the account.

    1. Re:Further Lessons by dwarfsoft · · Score: 4, Interesting

      One benefit of having a domain is having forward all for %.com@domain.com. That way you can see which sites got compromised or which accounts got onsold. They can be easily blocked too.

      Still, I do prefer using throwaway email accounts, or not signing up if the content is readily available without registering.

      --
      Cheers, Chris
    2. Re:Further Lessons by PopeRatzo · · Score: 3, Funny

      Not sure why anyone would register with any of the Gawker sites

      Actually, this makes me think this "Gnosis" group might have done us a favor by releasing the names of Gawker readers.

      If aliens should attack the Earth looking to harvest DNA, we now have a list of people that won't be missed.

      --
      You are welcome on my lawn.
  6. The torrent file... by Anonymous Coward · · Score: 5, Informative

    http://thepiratebay.org/torrent/6034669

    1. Re:The torrent file... by Anonymous Coward · · Score: 5, Insightful

      So I can check if my address and password were included so I know whether to go round changing them everywhere...

    2. Re:The torrent file... by alvinrod · · Score: 4, Insightful

      A lesson in how trivial it is for anyone to get your email address and other information when you provide it to third parties who may become compromised. I hope it gets voted to +5 just so it sinks in for a few people and they aren't so careless with their personal information in the future.

      Gawker honestly shouldn't even store the emails. If someone loses a password they can just make a new account. I don't want to sound mean, but if you can't be a good example you might as well serve as a horrible warning.

    3. Re:The torrent file... by zonker · · Score: 5, Informative

      Someone uploaded the database to Google's Fusiontable's for you to search for your info against:

      http://www.google.com/fusiontables/DataSource?dsrcid=350662

      Instructions for use:

      1. Get the MD5 of your email address (lowercase)
      - Online: http://pajhome.org.uk/crypt/md5/
      - Shell: $ echo -n mylowercase@email.com|md5sum
      2. Search for the hash (via Show Options)
      3. Change your password

      By the way for Mac users like me that command won't work. Try md5 -r instead of md5sum

      --

      Large print giveth, and the small print taketh away

    4. Re:The torrent file... by Anonymous Coward · · Score: 3, Interesting

      It's a pretty good textboox example of how NOT to secure a website (not to mention a major one). I checked out the README, and it's rather embarrassing. Trivial leetspeak for root passwords, publicly accessible MySQL servers, stuff running Linux 2.6.18 compiled back in 2007 (there have been multiple local root exploits since then), ridiculously insecure passwords for admin accounts, people using the same password everywhere... They also appear to be using ancient DES crypt() for their website user passwords (that means only the first 8 characters of user/commenter passwords on the site matter). Really, it's no surprise that they were broken into through every possible orifice and then some. That's not counting the failure to react when they noticed something was off (which they did) before it was way too late.

  7. Re:Encrypted? Hashed? by causality · · Score: 4, Funny

    They probably did. It's a press release, and a one-way cryptographic hash is close enough to "encrypted" and a helluva lot shorter and more understandable to a non-pedantic audience.

    At least they didn't say "scrambled".

    --
    It is a miracle that curiosity survives formal education. - Einstein
  8. Re:Children suck by causality · · Score: 4, Insightful

    We considered what action we would take, and decided that the Gawkmedia “empire” needs to be brought down a peg or two.

    This is the major problem with the internet - we let children on it.

    Really kids? Go play somewhere else and let the adults have peace and quiet. You don't need to piss on everything just to prove you're alive. The smell of your unwashed armpits is already ample demonstration.

    There's no indication that the people who compromised Gawker were minors... but to respond to your larger sentiment...

    People who have malicious intentions and do bad things exist. They exist in large numbers. It is simply not possible to identify and stop every last one of them. It's not even feasible to significantly reduce their numbers. Not even the power of law can accomplish that. Indeed, law is a tool for managing this fact of life and has no real power to completely prevent it. There's nothing anyone can do about this reality. It can only be acknowledged, accepted, and worked with. Denial and delusion are your only other options.

    There's one thing we can do, however. We can harden the targets. We can secure the systems for which each of us is responsible. We can realize that compromises like this are preventable and then take steps to prevent them. We can learn from the example of those who failed to do so. At the end of the day, we can realize that we're not helpless victims completely at the mercy of random chance or luck, but rather, that there is a great deal we can do to become an extremely difficult target.

    Posts like this one are written in the spirit of this understanding. It highlights that the owners of those systems acknowledge that they have failed, have accepted responsibility for that, and therefore have the fewest obstacles to learning from this experience and overcoming it. An attitude of blaming everything on "those evil hackers", though they truly have done wrong, would practically guarantee that nothing is learned and no skills are improved.

    --
    It is a miracle that curiosity survives formal education. - Einstein
  9. That's not the most insecure part by The+Moof · · Score: 5, Insightful

    I find that message from Gawker amusing because they don't even secure their login form with SSL. They're concerned about the database getting stolen with unreadable passwords that might be cracked with enough time, but they turn a blind eye to the fact that authentication information is sent in the clear from the form...

  10. Re:Encrypted? Hashed? by Arancaytar · · Score: 4, Funny

    Waht? Smcrbalnig is a pfretlecy surece epoitrcyn mhtoed for prdsoaswss!

  11. Re:Children suck by causality · · Score: 3, Insightful

    I didn't say minors. I said "children."

    I chose that word carefully.

    Your points are all very correct, of course. I am just screaming to an apathetic universe.

    Point taken. In fact the biggest single reason why I am concerned about the long-term well-being of the USA is that most of its "adults" are petty, indulgent, overgrown children with short memories. In that spirit I can see why you had good reason to choose that word as you did.

    I maintain that the more adult thing to do is to overcome such events by learning their lesson, rather than indulging in the "blame game" and making it into a 5-minute hate. Not only is that the constructive solution, it also limits the damage of this intrusion to computer systems only. The anger and hatred merely serves the intruder(s) by extending the damage into the personal realm of your own well-being.

    --
    It is a miracle that curiosity survives formal education. - Einstein
  12. Reminds me of the LM hash by yuhong · · Score: 4, Informative

    From http://pastebin.com/9rRmf6W5:
    "Gawker uses a really outdated hashing algorithm known as DES (Data Encryption Standard).
    Because DES has a maximum of 8chars using a password like "abcdefgh1234" only the
    first 8 characters "abcdefgh" are encrypted and stored in the database. If your
    password is longer than 8 characters you only need to enter the first 8 characters
    to log in! "
    The LM hash generated two hashes using DES from two 7 byte parts of a 14 byte password.
    Basically they use each individual 7 byte part as a DES key to encrypt a fixed string.
    Repeat this twice for each 7 byte part, and concatenate the results, and you get the LM hash.

  13. the true gem here: ID'ing astroturfers by SuperBanana · · Score: 4, Interesting

    The real value here is that we'll get to see who has been astroturfing one of the "most popular" blog networks...and dumb enough to use obvious personal or work email addresses. In fact, it wouldn't surprise me if Gawker copywriters were 'turfing their own stories too, given how much emphasis Gawker places on story viewcounts.

    --
    Please help metamoderate.
  14. EasyDNS by Tridus · · Score: 3, Insightful

    It's nice to see a bit of karmic justice after Gawker falsely accused EasyDNS of cutting off Wikileaks (it was EveryDNS), then acted like jackasses when called on it.

    http://blogs.villagevoice.com/runninscared/2010/12/gawker_refuses.php

    --
    -- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
    1. Re:EasyDNS by cyclocommuter · · Score: 4, Informative

      Not only that, Gawker seems to have an ongoing battle with Wikileaks, Assange, and anon via posts like this and this. They also appear to be taunting anon to hit them if they can... looks like they got what they wished for although as the saying goes, any publicity is good publicity... especially for the Gawker media empire.

    2. Re:EasyDNS by Grizzley9 · · Score: 3

      They've got an ongoing battle with their own commenters as well, esp articles like this one that got many many accounts banned if you disagreed with the article "writer" (Joel): http://gizmodo.com/5687692/you-write-bias-journalism-and-i-read-derp

  15. Re:uh by Scorpinox · · Score: 3

    I took this as a sign to change all my passwords. It's been a pain in the ass honestly, and provided a nice overview of who is is good at letting you change passwords and who sucks. ICQ so far is by far the worst, you can't change it through their website, so you have to download their client, plus they don't allow special characters. Ebay's was really hard to find where to change it as well.

    I just went through my bookmarks, starting with the imporant stuff and working my way down. Unfortunately, there are surely some sites i've forgotten. I'll have to change them as they come up, but are mostly throwaway accounts anyway.

  16. Re:Throwaway Email by plover · · Score: 3, Insightful

    You don't even need to register a throwaway address for Hulu or sites like it. Enter bugmenot, savior of the net.

    Bugmenot unfortunately lost their courage a few years ago when they changed the way they function. I suspect they were threatened by a lawsuit. Now, any domain or site owner can request that bugmenot exclude their site from participating, and I've found that so many of the popular ones do that it's lost all practical value for me.

    I now use mailinator for all my throwaway registrations, then if I care in the least I change the password just in case someone else reads from the same random email name that I did. I usually don't. For more "durable" sites where I'm likely to participate over a longer time, I'll create a unique sneakemail address and keep them around forever. When something like the Gizmodo breach happens I simply flag them as spam, and they plonk all the email from them for me. I've had to do that a couple of times now. I find their service is well worth the $24/year.

    --
    John
  17. Re:Throwaway Email by TubeSteak · · Score: 3, Interesting

    I now use mailinator for all my throwaway registrations, then if I care in the least I change the password just in case someone else reads from the same random email name that I did.

    I put common e-mails @mailinator into the "forgot password" field when i need a login.
    It works more often than not.

    --
    [Fuck Beta]
    o0t!
  18. Re:I've lost track of my passwords... by PReDiToR · · Score: 3, Interesting

    https://addons.mozilla.org/en-US/firefox/addon/3282/

    Think up a new password. Just one.
    Pass = "PcbEn!"
    The mnemonic for that password is "Passwords Can Be Easy Now!"

    Now use that one simple password to create stupidly complex passwords for the sites you visit by using Password Hasher.

    Every site you go to will have it's own unique mix of 26 upper, lower, numbers, symbols (if it supports it) that can be easily recreated in seconds without ever being written down or stored electronically.

    All you have to remember is that passwords can be easy now.

    Example password for Slashdot using this example is "nRP2zGk56sYN8IMUyFR/XpIx45" which is out of the brute force range this year and probably next year too.

    --

    Do not meddle in the affairs of geeks for they are subtle and quick to anger