Gawker Sites Hacked, 1.3 Mil Passwords Compromised

If you’ve got a commenting account on a Gawker-brand site (Kotaku, Gizmodo, Lifehacker, io9, Jezebel, Jalopink, etc.), then you can thank Anonymous (actually, a hacking group called Gnosis is claiming responsibility) for compromising your password, username, and email (although they’d say to thank Gawker Media for having shitty security and pissing off the Internets) on that site.

A pretty major hack job pulled off an innumerable amount of things (gaining deep access to numerous Gawker Media sites and offshoots, as well as admin accounts elsewhere across the net), but the chief worry for the end-user is that a database containing about 1,300,000 user accounts was snagged before the intrusion was detected.

Although Gawker did encrypt the passwords, their system only actively checks the first 8 digits of each password (decreasing the complexity of the decoding job) and they also used a very predictable salt for each password hash, making most of the passwords ludicrously easy to obtain.

Obviously if you’ve got an account on Gawker, you’ll want to change your password. But if you use the same password on other sites and have a similar username or use the same email address, you might want to strongly consider changing your passwords elsewhere, too.

Yes, of course, using the same password across the board is foolish, and having a less-than-8-character password isn’t fantastic in this day and age (passwords longer than that would only be partially obtainable via this particular hack), so feel free to berate people for this, but then again, let’s face it: this is a freaking commenting account on a glorified blog or two. It’s sure as heck not uncommon to use the same password across such menial services.

Of course, when I realized that I had the same password tied to my Amazon account (which provides easy access to credit card ordering powers) and Steam login, I hopped right along to start changing it everywhere I went.

Figured I may as well alert the community here as well. . .

thanks! upvoted

Goddamn it.

Lovely, my password there is 10 characters, but if someone has the first 8, brute forcing the other 2 won’t be too hard.

Thankfully anything sensitive of mine has a completely different scheme, but there are a lot of non-sensitive sites that have the same or similar password as I have on gawker.

Also, here is a log of the attack if you wish to peruse it.
http://pastebin.com/9rRmf6W5

Wow, thanks!

If they were cut off at 8 chars, the last 2 shouldn’t be needed and you should be able to login already with the first 8 chars. On the other hand I doubt lots of people will brute force the hashes.
The hacker stated they found approximately 250k passwords with a limited amount of time (easy passwords -> rainbow tables) and said they think they would be close to 500k if they had more time.
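The truncation and shared-salt weakness described in the opening post and in this reply, as an added illustration that is not part of the thread: a constructed legacy-style scheme (8-character truncation and one fixed salt, both values invented here rather than Gawker's real ones) beside a per-user-salt PBKDF2 scheme. Under the first, a stored hash verifies with only the first 8 characters and a single precomputed table covers every account, which is the rainbow-table situation mentioned above; under the second, the same table is good for at most the one account whose salt it was built with.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed values for the weak scheme; neither is Gawker's real salt or algorithm.
FIXED_SALT = b"ab"
TRUNCATE_AT = 8
ROUNDS = 100_000  # PBKDF2 iteration count for the per-user-salt scheme


def legacy_hash(password: str) -> str:
    """Weak scheme modelled on the thread: only the first 8 characters are
    hashed, and every account shares the same fixed salt."""
    truncated = password.encode("utf-8")[:TRUNCATE_AT]
    return hashlib.sha256(FIXED_SALT + truncated).hexdigest()


def legacy_verify(candidate: str, stored: str) -> bool:
    """Login check under the weak scheme; anything past 8 characters is ignored,
    so a 10-character password is accepted from its first 8 alone."""
    return hmac.compare_digest(legacy_hash(candidate), stored)


def modern_hash(password: str, salt: Optional[bytes] = None) -> tuple:
    """Per-user random salt and PBKDF2-HMAC-SHA256 over the whole password.
    Returns (salt, digest); both are stored, the salt in the clear."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ROUNDS)
    return salt, digest


def modern_verify(candidate: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, cand = modern_hash(candidate, salt)
    return hmac.compare_digest(cand, digest)


def legacy_table_hits(wordlist, stored_hashes) -> int:
    """How many stored legacy hashes one precomputed table identifies.
    With a shared salt the table is built once and applies to every account."""
    table = {legacy_hash(w) for w in wordlist}
    return sum(1 for h in stored_hashes if h in table)


def modern_table_hits(wordlist, records) -> int:
    """Same table idea against per-user salts: a table computed for the first
    account's salt only matches accounts that share that salt, so with random
    salts it finds at most that one account."""
    if not records:
        return 0
    salt0 = records[0][0]
    table = {modern_hash(w, salt0)[1] for w in wordlist}
    return sum(1 for _salt, digest in records if digest in table)


if __name__ == "__main__":
    # Constructed sample accounts and a tiny constructed wordlist.
    passwords = ["password", "qwerty1234", "S3cur3!pass"]
    wordlist = ["password", "letmein", "qwerty123"]
    legacy_db = [legacy_hash(p) for p in passwords]
    modern_db = [modern_hash(p) for p in passwords]
    print("first 8 chars log in under legacy scheme:",
          legacy_verify("qwerty12", legacy_db[1]))
    print("legacy hashes matched by one table:", legacy_table_hits(wordlist, legacy_db))
    print("per-user-salt hashes matched by one table:", modern_table_hits(wordlist, modern_db))
```

Note that the weak scheme is a stand-in: the point is only that truncation collapses distinct passwords onto the same hash and that a salt shared across accounts lets one precomputation serve the whole database.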

Thankfully anything sensitive of mine has a completely different scheme, but there are a lot of non-sensitive sites that have the same or similar password as I have on gawker.

Having had such an experience in the past (password used at a lot of places, then one place gets hacked) I switched to lastpass, with one master password and different, complex passwords for every website.
I wouldn’t recommend it to everyone as you have to trust the software publisher, as they save your passwords (encrypted) on their servers.
As an alternative I know of roboforms, which I think has the option to have your passwords solely on your pc.

http://thepiratebay.org/torrent/6034669/Gawkmedia_source_code___database_release_(1_300_000_rows).

You may be interested in downloading this (specifically the file full_db.log) to check to see if you’re amongst the affected. Of course, it is also possible that you might use this to more nefarious ends, but I’ll trust that Qt3 is above that sort of thing. I was, hence my hurried password changing (mine in particular wasn’t cracked, but as before, it wouldn’t be difficult to do).

I did a quick check with the torrent above (interesting results):
My current email address and/or user accounts if I have any are not in there.
In fact, it doesn’t look like I ever registered there.
BUT, apparently two people using my old email address have. Scary. Never touching that email address again.

Also, is Gawker just a complete joke now? Gizmodo’s is like Engadget for self-fellating assholes, Lifehacker (which used to be a favorite of mine) recently encouraged fraud on at least one occasion, and Kotaku is extremely hard to take seriously.

Karma’s a bitch, gawker. Suck it.

Gizmodo still pisses me off for their immature CES bullshit a few years ago, when they went around with a universal infrared remote and fucked with live presentations, and they were so fucking proud of it afterwards.

I also don’t see anyone can defend them for the Apple situation. They bought a stolen item then tried to blackmail Apple with it. And then tried to play the victim.
Links to them advising fraud.

Gawker Media has always been (if the name wasn’t a giveaway) about being the new tabloid media for the doublefrap & smart set. There was a pretty damning critique of Jezebel a couple of years ago, about how the cake was a lie (reneged on promised bonuses) and tacitly encouraged its female staff to whore themselves out for the page hits.

That text file doesn’t actually provide any interesting information except that the site editors used crappy passwords. In particular, they don’t talk about how the hackers got access in the first place. It’s all just a bunch of “you suck” taunts, passwords, and vandalism logs. They very likely did use an off-the-shelf exploit. Gawker clearly didn’t prioritize security, so why spend the extra effort?

Not to imply that Gawker is unusually stupid for not prioritizing security. Nobody does, until they get hit. Security is expensive and annoying. Taunting the internet at large to attack them after not prioritizing security, well, that was stupid.

I’m not on there, huzzah! Then again, I haven’t looked at Gizmodo in years (it sucks) and haven’t looked at Wonkette since that thing with the anal intern. Either I never registered or they deleted my account.

I’m behind on terminology. What does “The cake was a lie” mean?

Nice, I just got an email from some random group telling me my password was compromised.

Wonkette was sold to someone else or went independent (forget which), but it’s far better than anything on Gawker right now. (As is Gawker vets’ startup blog The Awl.)

Nick Denton’s Flickr account was also compromised.

I can’t even remember if I’ve ever registered for a Gawker site. I guess I should download the torrent and check? Feels weird to do that!

Yep I’m in the same boat. Weird feeling.

I’m finding there are a ton of sites that don’t allow special characters for passwords, and also cannot identify between uppercase/lowercase either. Why is that? Seems like they’re just making it easier for someone to brute-force through their passwords.