Gawker Sites Hacked, 1.3 Mil Passwords Compromised

Looks like I got released too.

Meh, I don’t think that I used that password for important sites. My important passwords are all different ones. I only use my “garbage” passwords for sites like Kotaku.

I also got an e-mail from blizzard saying that they have added a password reset request to all of their accounts, and they urge people to change their passwords.

I can’t tell if this is a scam or not.

Either way, my WoW password is a wholly unique one, so I am just going to ignore this.

-Jon

Me too, because really, how much do I trust the admins of every random phpBB install I’ve ever registered for? Still, I’d rather not have mkozlows logins all over the internet begin posting spam on various fora, so I went through everything I could find and changed the password. Kind of a pain.

So, I’ve never signed up for an account on any of these sites. Ever. However, I own the domain “probablynot.com” which is apparently one people like to use as fake email addresses when signing up for sites…

Thanks to the emails and the password reset page, I now have 27 accounts for these websites.

Well, somebody’s taking advantage of the breach. This morning I found an email in my inbox from a friend who was suddenly touting the benefits of acai berry for weight loss and hidden linking to Russian web sites… His email account had been compromised to get his contact list, and after a bit of digging we finally made the Gawker connection; he admitted that he’d used the same password for his Kotaku account.

The acai berry people should just be rounded up.

Oh, I don’t care about the Gawker account being compromised. My concern was that with 8 of 10 characters known, it might be easy to guess my account on other sites w/ the same e-mail and/or username.

Luckily, though, Gawker got my junk password scheme, so it’s not really affecting anything I care about too much.

LinkedIn was smart about all this. They checked every single e-mail address that was released against their own database and forced every one of those people to reset their password.

That might be smart, and Blizzard is trying to do the same thing, but I have a unique password for that account and I will not be pushed into changing it because most other people are morons.

This has annoyed me tremendously.

I was notified by both LinkedIn and Blizzard that I should change my password, and the Slate widget agrees that my e-mail address is in the list.

Now, I don’t register for forums with any important password, but I do tend to use a “garbage” password for that type of site, with a very easy to figure-out algorithm to personalize them slightly. I’ve been going through my 1Password database and then hitting the sites which I previously used those garbage passwords on, replacing them with 1Password generated 10+ chars, at least 1 symbol and 2 digits passwords. It’s taking hours, and I’m not even halfway through the list.

Sigh. Hoist with my own petard.

Protip:

Pick a memorable token. Generate a password for each site that is the interleaving of that token with the site’s name (domain name, common name, what have you). For example, if your token is SH!TB0NERZ, your password for qt3 might be:

SqHu!aTrBt0eNrEtRoZ

Cryptographically strong password. Make sure you have a non-alphanum in the first 4 characters so it gets in the passwords of sites that only use 8 significants.

To make it slightly better, perhaps perform a small conversion on the domain name: reverse it, ROT13 it, something to help reduce the number of semi-adjacent somewhat-predictable characters in it.

(I’m not telling you what mine is! So there!)

Won’t save you much time in your current task, but it is much more memorable than 10 random characters.
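The interleaving scheme from the post above, written out in Python as an added example (it is not code from any poster in this thread), together with the caveat a defender would raise about it: the Gawker dump paired every password with the site it came from, and once a site name is known the shared token falls straight out of the alternating positions, so one leaked entry yields the password for every other site built from the same token. The function names are mine, "quartertothree" is the site-name string I assume produced the post's 19-character sample, and dropping the site-name tail after the token's last character is my reading of that sample.

```python
import re


def interleave(token: str, site: str) -> str:
    """Build a site password by alternating token and site-name characters.

    The token supplies positions 1, 3, 5, ... and the site name positions
    2, 4, 6, ... Output stops after the token's last character, so a site
    name longer than the token loses its tail; that reading matches the
    19-character SqHu!aTrBt0eNrEtRoZ sample in the post (assumption).
    """
    out = []
    for i, ch in enumerate(token):
        out.append(ch)
        if i < len(token) - 1 and i < len(site):
            out.append(site[i])
    return "".join(out)


def symbol_in_first_eight(password: str) -> bool:
    """The post's rule of thumb: a site that only keeps the first 8
    characters must still see at least one non-alphanumeric character."""
    return re.search(r"[^A-Za-z0-9]", password[:8]) is not None


def recover_token(password: str, site: str) -> str:
    """Undo the interleaving when the password and its site name are known.

    This is the weakness: a leaked (password, site) pair gives back the
    token that every other site's password was built from.
    """
    token, pos, i = [], 0, 0
    while pos < len(password):
        token.append(password[pos])
        pos += 1
        if i < len(site) and pos < len(password):
            pos += 1  # skip the site-name character that follows
        i += 1
    return "".join(token)


def exposure_after_leak(leaked_password: str, leaked_site: str, other_sites):
    """Given one leaked pair, return the passwords the same scheme yields on
    every other site, i.e. the list the token's owner now has to change."""
    token = recover_token(leaked_password, leaked_site)
    return {s: interleave(token, s) for s in other_sites}


if __name__ == "__main__":
    TOKEN = "SH!TB0NERZ"  # the post's sample token
    pw = interleave(TOKEN, "quartertothree")
    print(pw, "symbol in first 8:", symbol_in_first_eight(pw))
    # Constructed scenario: the qt3 entry leaks; what else is now exposed?
    for site, derived in exposure_after_leak(
        pw, "quartertothree", ["kotaku", "steampowered"]
    ).items():
        print(f"{site:>13}: {derived}")
```

Running it reproduces the post's sample password and then prints the Kotaku and Steam passwords derived from nothing more than that one leaked entry, which is the reason a per-site transform of a fixed token does not substitute for the unique generated passwords the 1Password and LastPass posters describe.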

Consider using LastPass. Handles all that stuff for you, gives you as much control over password complexity as you desire, can sync across all your browsers and is super, super easy to set up.

That’s what 1Password does, too, though it originated on the Mac. It has clients on everything now, and good cloud sync with Dropbox.

I tried this, and then ran into too many websites that wouldn’t allow special characters, or wouldn’t allow the one(s) I wanted to use, or wouldn’t allow capitals, and ended up having mangled tokens, and remembering their silly rules to apply to my attempt at making passwords I could remember was harder than just using passwords I could remember.

I just had my goddam Steam account hijacked because I forgot to change its password from the Gawker leak.

ARGH.

Wait seriously? Holy shit. I just assumed that because there were so many names on the list we’d have a little more time to batten down the hatches. Dammit.

brb

Alright, googled XPav, and combinations of “forum”, “phpbb”, “vbulletin”, and changed around 20 accounts that I never use.

That’s what I get for making one goddamn comment on Gizmodo.

I just assumed there would be too many accounts for any 1 person to be targeted. Damn. I don’t know what I used that password for, I don’t even know what that password was.

Uggh. I’ll bet Apple is behind this.

This, this and this. I love LastPass. Every site I create an account on has a different password.

I hope they integrate Xmarks with it rather than leaving them as separate things.

A Gawker-related site “contributing editor” (what a crock, these guys think they are editors? haha) from Lifehacker (oh, the irony) was on NPR Marketplace spinning like a top. Reading between the not so subtle lines, they are telling users “hey, it’s your own fucking fault for having the same passwords everywhere.”