If you’ve got a commenting account on a Gawker-brand site (Kotaku, Gizmodo, Lifehacker, io9, Jezebel, Jalopnik, etc.), then you can thank Anonymous (actually, a hacking group called Gnosis is claiming responsibility) for compromising your password, username, and email on that site (although they’d say to thank Gawker Media for having shitty security and pissing off the Internets).
A pretty major hack job accomplished a whole lot (gaining deep access to numerous Gawker Media sites and offshoots, as well as admin accounts elsewhere across the net), but the chief worry for the end-user is that a database containing about 1,300,000 user accounts was snagged before the intrusion was detected.
Although Gawker did hash the passwords, their scheme only looks at the first 8 characters of each password (which shrinks the cracking job considerably), and they also used a very predictable salt for each password hash, making most of the passwords ludicrously easy to recover.
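To make the two weaknesses concrete, here is an added example (my own code, not anything from Gawker or the post above). It simulates a legacy password store with exactly the two properties described, truncation to 8 characters and a fixed, predictable salt, next to a modern scheme (PBKDF2 with a per-user random salt), and gives you two small audit checks you can point at any password-storage code of your own: does the verifier accept a password that only matches in its first 8 characters, and does hashing the same password twice give the same result? The legacy hash here is a stand-in model of that behaviour, not the actual algorithm Gawker ran; the salt value and the sample passwords are constructed.

```python
import hashlib
import hmac
import os
from typing import Optional

# --- Legacy-style store (constructed model of the described weaknesses) ---
# 1. only the first 8 characters of the password are ever looked at
# 2. the salt is predictable (here: a single fixed value for everyone)
LEGACY_SALT = b"ab"  # placeholder for a predictable salt, not a real value


def legacy_hash(password: str, salt: bytes = LEGACY_SALT) -> str:
    truncated = password.encode()[:8]  # everything after character 8 is discarded
    return hashlib.sha256(salt + truncated).hexdigest()


def legacy_verify(password: str, stored: str) -> bool:
    return hmac.compare_digest(legacy_hash(password), stored)


# --- Modern store: slow KDF, random per-user salt, whole password consumed ---
def modern_hash(password: str, salt: Optional[bytes] = None, rounds: int = 200_000) -> str:
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    # self-describing record so the verifier can recover salt and cost
    return f"pbkdf2_sha256${rounds}${salt.hex()}${dk.hex()}"


def modern_verify(password: str, stored: str) -> bool:
    _, rounds, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)


# --- Audit checks usable against any (hash, verify) pair ---
def accepts_wrong_suffix(hash_fn, verify_fn) -> bool:
    """True if the verifier ignores characters after the 8th.

    'correcthorse' and 'correctho' share the first 8 characters ('correcth')
    and differ after that; a sound scheme must reject the second one.
    """
    stored = hash_fn("correcthorse")
    return verify_fn("correctho", stored)


def salt_is_predictable(hash_fn) -> bool:
    """True if hashing one password twice yields identical output.

    With a random per-user salt the two records differ, so one precomputed
    table cannot be reused against every user.
    """
    return hash_fn("hunter22") == hash_fn("hunter22")


if __name__ == "__main__":
    for name, h, v in (("legacy", legacy_hash, legacy_verify),
                       ("modern", modern_hash, modern_verify)):
        print(f"{name}: truncates={accepts_wrong_suffix(h, v)} "
              f"predictable_salt={salt_is_predictable(h)}")
```

Running it reports that the legacy model both truncates and reuses its salt, while the PBKDF2 store does neither. If you maintain a login system, those two checks are a cheap regression test to keep around: a truncating verifier quietly caps every user at 8 characters no matter what your password policy says, and a predictable salt means one cracking pass covers the whole user table instead of one account.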
Obviously if you’ve got an account on Gawker, you’ll want to change your password. But if you use the same password on other sites and have a similar username or use the same email address, you might want to strongly consider changing your passwords elsewhere, too.
Yes, of course, using the same password across the board is foolish, and having a less-than-8-character password isn’t fantastic in this day and age (passwords longer than that would only be partially obtainable via this particular hack), so feel free to berate people for this, but then again, let’s face it: this is a freaking commenting account on a glorified blog or two. It’s sure as heck not uncommon to use the same password across such menial services.
Of course, when I realized that I had the same password tied to my Amazon account (which provides easy access to credit card ordering powers) and Steam login, I hopped right along to start changing it everywhere I went.
Figured I may as well alert the community here as well...