
Gawker Source Code and Databases Compromised

Posted by samzenpus
from the let's-see-what-we-have dept.
An anonymous reader writes "Passwords and personal data for 1.3 million Gawker Media readers — this includes readers of sites like Gizmodo, Lifehacker, Kotaku, and io9 — have been released as a BitTorrent by a group of hackers called Gnosis, who also managed to gain access to both the Gawker CMS and Gizmodo's Twitter account. Gawker confirms and urges readers to change their passwords: 'Our user databases do indeed appear to have been compromised. The passwords were encrypted. But simple ones may be vulnerable to a brute-force attack. You should change the password on Gawker (GED/commenting system) and on any other sites on which you've used the same passwords. Out of an abundance of caution, you should also change your company email password and any passwords that may have appeared in your email messages. We're deeply embarrassed by this breach. We should not be in the position of relying on the goodwill of the hackers who identified the weakness in our systems.'"

  • Re:Goodwill? (Score:4, Interesting)

    by the phantom (107624) on Sunday December 12, 2010 @07:26PM (#34530936) Homepage
    Parse that last sentence again. Gawker had at least one vulnerability that they did not know about. One or more black hats found that vulnerability, and exploited it. In the same situation, white hats would have found the vulnerability and reported it. They were relying on the goodwill of white hats to report errors, rather than being more proactive themselves, and got pwned. This is, they say, embarrassing, and a situation that they should not have been in.
  • by Anonymous Coward on Sunday December 12, 2010 @07:26PM (#34530938)

    Leaks of information are good.

  • Re:Further Lessons (Score:4, Interesting)

    by dwarfsoft (461760) on Sunday December 12, 2010 @08:00PM (#34531088) Homepage

    One benefit of having a domain is having forward all for %.com@domain.com. That way you can see which sites got compromised or which accounts got onsold. They can be easily blocked too.

    Still, I do prefer using throwaway email accounts, or not signing up if the content is readily available without registering.
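The per-site catch-all scheme described in the post above can be turned into a simple audit: if mail addressed to `gizmodo.com@example.org` arrives from a domain that is not Gizmodo, that address has been leaked or sold. The following is an added example, not the poster's own setup; the log format, the `example.org` catch-all domain and the sample lines are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample mail-log lines (not real traffic): envelope sender and the
# catch-all recipient each message arrived at. The local part of the recipient
# is the tag that was handed to exactly one site at sign-up time.
SAMPLE_LOG = """\
from=newsletter@gizmodo.com to=gizmodo.com@example.org
from=noreply@lifehacker.com to=lifehacker.com@example.org
from=deals@cheap-pills.example to=gizmodo.com@example.org
from=promo@casino.example to=gizmodo.com@example.org
from=billing@github.com to=github.com@example.org
from=offers@unknown-sender.example to=kotaku.com@example.org
"""

LINE_RE = re.compile(
    r"from=\S+@(?P<sender_domain>\S+)\s+to=(?P<tag>[^@\s]+)@(?P<catchall>\S+)"
)


def parse_log(text):
    """Yield (sender_domain, tag, catchall_domain) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield (m.group("sender_domain").lower(),
                   m.group("tag").lower(),
                   m.group("catchall").lower())


def leaked_tags(text):
    """Return {tag: [sender domains]} for tags that received mail from anyone
    other than the site they were given to. Mail from the site itself, or from
    one of its subdomains, is expected and not reported."""
    suspects = defaultdict(list)
    for sender_domain, tag, _ in parse_log(text):
        if sender_domain != tag and not sender_domain.endswith("." + tag):
            suspects[tag].append(sender_domain)
    return dict(suspects)


def block_list(text):
    """Full catch-all addresses to reject at the MTA once a tag is known to be
    in third-party hands; the site's own mail can be re-routed to a fresh tag."""
    domains = {catchall for _, _, catchall in parse_log(text)}
    return sorted(f"{tag}@{domain}" for tag in leaked_tags(text) for domain in domains)


if __name__ == "__main__":
    for tag, senders in leaked_tags(SAMPLE_LOG).items():
        print(f"{tag}: address seen from {', '.join(senders)}")
    print("block:", block_list(SAMPLE_LOG))
```

The mismatch rule is deliberately strict: a tag is flagged on the first unexpected sender, because the address was never meant to reach anyone but the one site, so a single stray message is already evidence of a leak.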

  • by SuperBanana (662181) on Sunday December 12, 2010 @08:36PM (#34531184)
    The real value here is that we'll get to see who has been astroturfing one of the "most popular" blog networks...and dumb enough to use obvious personal or work email addresses. In fact, it wouldn't surprise me if Gawker copywriters were 'turfing their own stories too, given how much emphasis Gawker places on story viewcounts.
  • by Anonymous Coward on Sunday December 12, 2010 @08:46PM (#34531214)

    It's a pretty good textbook example of how NOT to secure a website (not to mention a major one). I checked out the README, and it's rather embarrassing. Trivial leetspeak for root passwords, publicly accessible MySQL servers, stuff running Linux 2.6.18 compiled back in 2007 (there have been multiple local root exploits since then), ridiculously insecure passwords for admin accounts, people using the same password everywhere... They also appear to be using ancient DES crypt() for their website user passwords (that means only the first 8 characters of user/commenter passwords on the site matter). Really, it's no surprise that they were broken into through every possible orifice and then some. That's not counting the failure to react when they noticed something was off (which they did) before it was way too late.
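The DES crypt() point in the comment above is the kind of thing a site operator should be able to find in their own user table before a dump does it for them. The following is an added example, not code from the post or from Gawker: it fingerprints stored hashes by format, flags the ones that need a forced re-hash, and shows the 8-character truncation that traditional DES crypt imposes. All sample rows are constructed placeholders, not real hashes or accounts.

```python
import re

# Hash-format fingerprints. Traditional DES crypt(3) output is 13 characters from
# the ./0-9A-Za-z alphabet with no prefix; modular-crypt formats announce
# themselves with a $id$ prefix. Order matters: prefixed forms are tested first.
SCHEMES = [
    ("bcrypt",       re.compile(r"^\$2[abxy]?\$\d\d\$[./0-9A-Za-z]{53}$"), "ok"),
    ("sha512-crypt", re.compile(r"^\$6\$"),                                "ok"),
    ("sha256-crypt", re.compile(r"^\$5\$"),                                "ok"),
    ("md5-crypt",    re.compile(r"^\$1\$"),                                "weak"),
    ("des-crypt",    re.compile(r"^[./0-9A-Za-z]{13}$"),                   "weak"),
    ("raw-sha1",     re.compile(r"^[0-9a-fA-F]{40}$"),                     "weak"),
    ("raw-md5",      re.compile(r"^[0-9a-fA-F]{32}$"),                     "weak"),
]

REASONS = {
    "des-crypt": "only first 8 characters hashed, 12-bit salt, 1970s DES",
    "md5-crypt": "salted but fast; deprecated by its own author",
    "raw-sha1":  "unsalted fast hash; rainbow tables apply",
    "raw-md5":   "unsalted fast hash; rainbow tables apply",
}

# Constructed sample user rows (user, stored hash). The hash strings are
# placeholders shaped like each format, not hashes of any real password.
SAMPLE_USERS = [
    ("alice", "abJnggxhB/yWI"),                          # DES crypt shape: 2 salt + 11
    ("bob",   "$1$saltsalt$qJH7.N4xYta3aEG/dfqo/0"),     # MD5-crypt shape
    ("carol", "$6$saltsalt$" + "A" * 86),                # SHA-512-crypt shape
    ("dave",  "$2b$12$" + "A" * 53),                     # bcrypt shape
    ("erin",  "0123456789abcdef0123456789abcdef"),       # raw MD5 hex shape
]


def classify(stored):
    """Return (scheme name, verdict) for one stored hash string."""
    for name, pattern, verdict in SCHEMES:
        if pattern.match(stored):
            return name, verdict
    return "unknown", "review"


def des_effective_secret(password):
    """Traditional DES crypt(3) consumes only the first 8 bytes of the password
    (7 bits of each); anything beyond is silently ignored. This returns the part
    that actually participates in the hash, so two passwords that agree on it
    will produce the same hash under the same salt."""
    return password[:8]


def audit(rows):
    """Return [(user, scheme, reason)] for accounts whose stored hash should be
    replaced, either by a forced reset or by upgrade-on-next-login."""
    findings = []
    for user, stored in rows:
        scheme, verdict = classify(stored)
        if verdict == "weak":
            findings.append((user, scheme, REASONS[scheme]))
        elif verdict == "review":
            findings.append((user, scheme, "unrecognised format, inspect manually"))
    return findings


if __name__ == "__main__":
    for user, scheme, reason in audit(SAMPLE_USERS):
        print(f"{user:6} {scheme:13} {reason}")
    print("DES sees:", des_effective_secret("correcthorsebatterystaple"))
```

Running this over a real table is cheap because it never touches the passwords themselves, only the format of what is stored; the accounts it lists are the ones whose users need the "change your password" mail regardless of how strong their original choice was.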

  • Re:Throwaway Email (Score:4, Interesting)

    by TubeSteak (669689) on Monday December 13, 2010 @02:54AM (#34532364) Journal

    I now use mailinator for all my throwaway registrations, then if I care in the least I change the password just in case someone else reads from the same random email name that I did.

    I put common e-mails @mailinator into the "forgot password" field when I need a login.
    It works more often than not.

  • by PReDiToR (687141) on Monday December 13, 2010 @04:54AM (#34532620) Homepage Journal
    https://addons.mozilla.org/en-US/firefox/addon/3282/ [mozilla.org]

    Think up a new password. Just one.
    Pass = "PcbEn!"
    The mnemonic for that password is "Passwords Can Be Easy Now!"

    Now use that one simple password to create stupidly complex passwords for the sites you visit by using Password Hasher.

    Every site you go to will have its own unique mix of 26 upper, lower, numbers, symbols (if it supports it) that can be easily recreated in seconds without ever being written down or stored electronically.

    All you have to remember is that passwords can be easy now.

    Example password for Slashdot using this example is "nRP2zGk56sYN8IMUyFR/XpIx45" which is out of the brute force range this year and probably next year too.
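The derivation the post above relies on can be shown in a few lines. This is an added example and not the Password Hasher add-on's own algorithm: it assumes HMAC-SHA256 keyed with the master password over the normalised host name, base64-encoded and cut to 26 characters, which is one reasonable way to get the property the post describes (one memorised secret, a distinct and non-reversible password per site). The master password and hosts used are the post's own example values.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit


def site_key(url_or_host):
    """Normalise what identifies a site so the same master password always yields
    the same result for it: lowercase host only; scheme, port and path are
    ignored. 'https://Slashdot.org/story/1' and 'slashdot.org' agree."""
    target = url_or_host if "://" in url_or_host else "//" + url_or_host
    host = urlsplit(target).hostname
    if not host:
        raise ValueError(f"no host in {url_or_host!r}")
    return host.lower()


def derive_site_password(master, site, length=26):
    """Per-site password = base64(HMAC-SHA256(key=master, msg=host))[:length].
    Assumed construction for this example. HMAC is one-way in the key, so a
    site that stores (or leaks) this value learns nothing about the master."""
    tag = hmac.new(master.encode("utf-8"),
                   site_key(site).encode("utf-8"),
                   hashlib.sha256).digest()
    return base64.b64encode(tag).decode("ascii").rstrip("=")[:length]


def character_classes(password):
    """Which classes a derived password covers; base64 output always has letters
    and digits but '+' and '/' are the only symbols it can contain, so a site
    that demands other symbols needs a different encoding step."""
    return {
        "upper": any(c.isupper() for c in password),
        "lower": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(not c.isalnum() for c in password),
    }


if __name__ == "__main__":
    master = "PcbEn!"   # the post's mnemonic example, not a real credential
    for site in ("slashdot.org", "https://Slashdot.org/story/1", "gawker.com"):
        pw = derive_site_password(master, site)
        print(f"{site:32} {pw}  {character_classes(pw)}")
```

The host normalisation is where the scheme earns its keep: a breach of one site's database exposes only that site's derived value, and because the host is part of the input, a look-alike domain produces a different password than the genuine one. The cost is the inverse: a site that forces a password change needs a per-site counter or version mixed into the input, which this minimal version does not include.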
