Gawker Media’s servers were compromised last weekend, resulting in a security breach at Lifehacker, Gizmodo, Gawker, Jezebel, io9, Jalopnik, Kotaku, Deadspin, and Fleshbot. If you have commented on any of these sites, your account might have been hacked too.
A group of attackers was able to compromise the entire database behind Gawker Media’s web properties. Sensitive information, including staff conversations, the private passwords staff used within the network, and the passwords of people who had registered to comment, was dumped by Gnosis, a hacker group, as a 500MB torrent file hosted on the popular torrent tracker ThePirateBay. The torrent has since been taken down.
As one commenter points out:
The passwords were not stored in the database, only their hashes were. Once the thieves had the database, they took common passwords like “password” and “qwerty” etc., and ran them through e.g. hashcalc (using whatever hash the database used – it wouldn’t be hard to figure out by hashing your own password and comparing the result to what’s stored in the database for your account)… then search the database for the hash and you can assume all the hits used that same password, then move on to hashing the next common word/sequence.
It’s even possible (but not very probable with hashes like SHA256, or even MD5) that more than one combination of letters/symbols/numbers would match the hash… and that’s all the entered password has to do – match the hash – and the database tells the authentication process that the passwords matched. Anyway, that’s not exactly “hacking” – that’s a brute-force dictionary attack. And the thieves could have just as easily compromised your account[s] without stealing the database… all they would need is the email address you use, and eventually they could brute force it, unless the authentication process ‘locks’ your account after, say, 5 incorrect login attempts or something.
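The exposure the commenter describes, and the fix a site should have had in place, as an added example that is not part of the original post or the commenter's words. It uses a constructed four-user table with unsalted SHA-256 hashes; the iteration count is an assumed tuning value.

```python
import hashlib
import hmac
import os

# Constructed sample of a leaked comment-account table whose passwords were
# hashed without a salt (plain SHA-256). Hashes are computed here so the
# sample is self-consistent; the addresses and passwords are made up.
def unsalted(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()

LEAKED_TABLE = {
    "alice@example.com": unsalted("password"),
    "bob@example.com": unsalted("qwerty"),
    "carol@example.com": unsalted("password"),
    "dave@example.com": unsalted("correct horse battery staple"),
}

def users_sharing_common_password(table: dict, common: list) -> dict:
    """The risk: with no salt, identical passwords give identical hashes, so
    hashing one common word once tags every user in the dump who chose it."""
    by_hash = {unsalted(word): word for word in common}
    return {email: by_hash[h] for email, h in table.items() if h in by_hash}

# Mitigation: a random per-user salt and a slow, iterated hash. Two users with
# the same password now store different values, and every guess must be
# recomputed per user at the full iteration cost.
ITERATIONS = 200_000  # assumption: tune to your login latency budget

def make_record(password: str) -> dict:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex()}

def verify(record: dict, attempt: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(),
                                 bytes.fromhex(record["salt"]), ITERATIONS)
    # constant-time comparison so timing does not leak how much matched
    return hmac.compare_digest(digest.hex(), record["hash"])

def same_password_same_storage(password: str) -> bool:
    """With salts, the stored form of one password differs per user, so a
    leaked table can no longer be scanned for users sharing a hash."""
    return make_record(password)["hash"] == make_record(password)["hash"]
```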
Was My Account Compromised?
Mine sure was compromised. But fortunately I don’t have the same password for all my accounts. You can check whether your email address was associated with a hacked account by using this simple widget.
What To Do Next?
The Lifehacker blog has published an FAQ on the issue. Essentially, if you logged in to comment on Gawker, Gizmodo, Jalopnik, Jezebel, Kotaku, Lifehacker, Deadspin, io9, or Fleshbot, you need to change the password for both your Gawker account and anywhere else you use that password. If you fit that bill, I recommend you change the passwords on both accounts immediately, and at least this time don’t use the same password for both accounts. You might want to read “Tips For Stronger Passwords”.
As a security measure, LinkedIn has reset the passwords of all accounts linked to the leaked e-mail addresses.
Gawker says it is working on an ‘Account Delete’ tool, which will be available soon. The only exception to all this is if you logged in via Facebook Connect, in which case you’ll be safe.