Gawker Source Code and Databases Compromised
An anonymous reader writes "Passwords and personal data for 1.3 million Gawker Media readers — this includes readers of sites like Gizmodo, Lifehacker, Kotaku, and io9 — have been released as a BitTorrent by a group of hackers called Gnosis, who also managed to gain access to both the Gawker CMS and Gizmodo's Twitter account. Gawker confirms and urges readers to change their passwords: 'Our user databases do indeed appear to have been compromised. The passwords were encrypted. But simple ones may be vulnerable to a brute-force attack. You should change the password on Gawker (GED/commenting system) and on any other sites on which you've used the same passwords. Out of an abundance of caution, you should also change your company email password and any passwords that may have appeared in your email messages. We're deeply embarrassed by this breach. We should not be in the position of relying on the goodwill of the hackers who identified the weakness in our systems.'"
I appreciate taking this sort of thing with good nature, but that might be a bit generous. Goodwill stopped at the "released a torrent of all the users' passwords and personal data". Now my email address is going to get spammed...
... on their iPhone 4, which for some reason they appear to have left at the bar...
...and instead use Facebook to protect my privacy. Wait, why are you laughing?
Not sure why anyone would register with any of the Gawker sites, but why on earth you would ever give your actual email address to half of these websites is beyond me. If they require you to provide an email address to register, use a throwaway address from something like mailinator or the other sites like it. Yes, someone could take over the account if the email address is posted, but for almost all of those sites the account serves no purpose outside of being able to post.
I'm not even sure why they require email addresses. Reddit is one of the few sites I've seen get it right. They don't require an email address to register, but warn you that if you don't include one there is no way to recover the password for the account.
http://thepiratebay.org/torrent/6034669
They probably did. It's a press release, and a one-way cryptographic hash is close enough to "encrypted" and a helluva lot shorter and more understandable to a non-pedantic audience.
At least they didn't say "scrambled".
It is a miracle that curiosity survives formal education. - Einstein
We considered what action we would take, and decided that the Gawkmedia “empire” needs to be brought down a peg or two.
This is the major problem with the internet - we let children on it.
Really kids? Go play somewhere else and let the adults have peace and quiet. You don't need to piss on everything just to prove you're alive. The smell of your unwashed armpits is already ample demonstration.
There's no indication that the people who compromised Gawker were minors... but to respond to your larger sentiment...
People who have malicious intentions and do bad things exist. They exist in large numbers. It is simply not possible to identify and stop every last one of them. It's not even feasible to significantly reduce their numbers. Not even the power of law can accomplish that. Indeed, law is a tool for managing this fact of life and has no real power to completely prevent it. There's nothing anyone can do about this reality. It can only be acknowledged, accepted, and worked with. Denial and delusion are your only other options.
There's one thing we can do, however. We can harden the targets. We can secure the systems for which each of us is responsible. We can realize that compromises like this are preventable and then take steps to prevent them. We can learn from the example of those who failed to do so. At the end of the day, we can realize that we're not helpless victims completely at the mercy of random chance or luck, but rather, that there is a great deal we can do to become an extremely difficult target.
Posts like this one are written in the spirit of this understanding. It highlights that the owners of those systems acknowledge that they have failed, have accepted responsibility for that, and therefore have the fewest obstacles to learning from this experience and overcoming it. An attitude of blaming everything on "those evil hackers", though they truly have done wrong, would practically guarantee that nothing is learned and no skills are improved.
It is a miracle that curiosity survives formal education. - Einstein
I find that message from Gawker amusing because they don't even secure their login form with SSL. They're concerned about the database getting stolen with unreadable passwords that might be cracked with enough time, but they turn a blind eye to the fact that authentication information is sent in the clear from the form...
Waht? Smcrbalnig is a pfretlecy surece epoitrcyn mhtoed for prdsoaswss!
From http://pastebin.com/9rRmf6W5:
"Gawker uses a really outdated hashing algorithm known as DES (Data Encryption Standard). Because DES has a maximum of 8 chars, using a password like "abcdefgh1234" only the first 8 characters "abcdefgh" are encrypted and stored in the database. If your password is longer than 8 characters you only need to enter the first 8 characters to log in!"
The LM hash generated two hashes using DES from two 7 byte parts of a 14 byte password.
Basically they use each individual 7 byte part as a DES key to encrypt a fixed string.
Repeat this twice for each 7 byte part, and concatenate the results, and you get the LM hash.
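Both of the weaknesses described above (the pastebin note on DES crypt keeping only the first 8 characters, and the LM hash splitting an uppercased 14-byte password into two independent 7-byte DES keys) can be checked from the defender's side without implementing DES. The following is an added example, not code from the thread, from Gawker, or from the pastebin: it audits whether a password backend reacts to the whole password, and shows the LM key preprocessing. It uses Python's `crypt` module for real DES crypt when the interpreter has it; when it does not (the module was removed in Python 3.13), a stand-in that only models the 8-character truncation is used, and that stand-in, the two-character salt, the constructed PBKDF2 salt and the round count are all assumptions of this example.

```python
"""Audit a password-storage backend for the two defects discussed in the thread:
traditional DES crypt(3) keys on only the first 8 characters, and LM hashing
uppercases the password and splits it into two independent 7-byte DES keys.
No DES is implemented here; the check is whether the backend reacts to the
whole password."""
import hashlib
import warnings

with warnings.catch_warnings():
    warnings.simplefilter("ignore", DeprecationWarning)
    try:
        import crypt  # traditional crypt(3); deprecated in 3.11, removed in 3.13
    except ImportError:
        crypt = None

DES_SALT = "ab"  # a two-character salt selects traditional DES crypt


def legacy_des_crypt(password: str) -> str:
    """Hash with traditional DES crypt(3): 8 characters x 7 bits = one 56-bit key.
    Uses the interpreter's crypt module when it is available and supports DES;
    otherwise a stand-in (constructed for this example) that models only the
    8-character truncation, not DES itself."""
    if crypt is not None:
        try:
            digest = crypt.crypt(password, DES_SALT)
            if digest:
                return digest
        except (OSError, ValueError):
            pass
    truncated = password[:8].encode("latin-1", "replace")
    return DES_SALT + hashlib.sha256(DES_SALT.encode() + truncated).hexdigest()[:11]


def pbkdf2_sha256(password: str, salt: bytes = b"constructed-salt", rounds: int = 100_000) -> str:
    """Modern baseline: every byte of the password feeds the derivation
    (salt and round count are constructed values for this example)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds).hex()


def lm_key_halves(password: str) -> tuple:
    """LM preprocessing: uppercase, cut/pad to 14 bytes, split into two 7-byte
    DES keys. Each half is hashed on its own, so each can be cracked on its own."""
    padded = password.upper().encode("latin-1", "replace")[:14].ljust(14, b"\x00")
    return padded[:7], padded[7:]


def lm_second_half_is_empty(password: str) -> bool:
    """A password of 7 characters or fewer leaves the second LM key all zeros, so
    that half of the stored hash is a fixed constant revealing the password is short."""
    return lm_key_halves(password)[1] == b"\x00" * 7


def ignores_tail(hash_fn, password: str, tail: str = "XtraChars") -> bool:
    """True when hash_fn yields the same digest with or without `tail` appended,
    i.e. the scheme silently discards part of the password."""
    return hash_fn(password) == hash_fn(password + tail)


def audit_backends(password: str = "abcdefgh1234") -> dict:
    """Report which backends discard characters past position 8."""
    return {
        "des_crypt_truncates": ignores_tail(legacy_des_crypt, password),
        "pbkdf2_truncates": ignores_tail(pbkdf2_sha256, password),
    }


if __name__ == "__main__":
    for name, truncates in audit_backends().items():
        print(f"{name}: {truncates}")
    print("LM halves for 'abcdefgh1234':", lm_key_halves("abcdefgh1234"))
    print("LM second half empty for 'secret':", lm_second_half_is_empty("secret"))
```

Running the audit against a real backend is the useful part: if `ignores_tail` ever returns True for the scheme in production, logins succeed on a prefix of the password exactly as the pastebin note describes, and migrating to a full-length KDF (with re-hashing at next login) is the fix. The LM helper makes the second defect visible: an all-zero second half means the stored hash itself tells an observer that the password is at most 7 characters.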
The real value here is that we'll get to see who has been astroturfing one of the "most popular" blog networks...and dumb enough to use obvious personal or work email addresses. In fact, it wouldn't surprise me if Gawker copywriters were 'turfing their own stories too, given how much emphasis Gawker places on story viewcounts.
Not only that, Gawker seems to have an ongoing battle with Wikileaks, Assange, and anon via posts like this and this. They also appear to be taunting anon to hit them if they can... looks like they got what they wished for although as the saying goes, any publicity is good publicity... especially for the Gawker media empire.
I'm vaguely surprised that companies aren't held legally liable if their outsourcing companies don't adhere to certain security standards. It shouldn't be any different if a company you outsource to in India or a division of your company in Idaho leaves your clients' information unsecured.
The ______ Agenda