
Gawker Source Code and Databases Compromised

Posted by samzenpus
from the let's-see-what-we-have dept.
An anonymous reader writes "Passwords and personal data for 1.3 million Gawker Media readers — this includes readers of sites like Gizmodo, Lifehacker, Kotaku, and io9 — have been released as a BitTorrent by a group of hackers called Gnosis, who also managed to gain access to both the Gawker CMS and Gizmodo's Twitter account. Gawker confirms and urges readers to change their passwords: 'Our user databases do indeed appear to have been compromised. The passwords were encrypted. But simple ones may be vulnerable to a brute-force attack. You should change the password on Gawker (GED/commenting system) and on any other sites on which you've used the same passwords. Out of an abundance of caution, you should also change your company email password and any passwords that may have appeared in your email messages. We're deeply embarrassed by this breach. We should not be in the position of relying on the goodwill of the hackers who identified the weakness in our systems.'"
This discussion has been archived. No new comments can be posted.

  • by sethstorm (512897) on Sunday December 12, 2010 @07:03PM (#34530812) Homepage

    Perhaps this should give them a lesson about going overkill on the whole "outsourcing" thing.

    • Re: (Score:3, Insightful)

      by jhoegl (638955)
      Not 100% sure why this is OT, but okay.

      I can tell you for certain that some companies that are Outsourced do not follow the same security standards that we do. Even if they say they do.
      Bad part? These companies have access to our finances and/or medical records. Outsourcing tech jobs to India was bad enough; think about outsourcing to communist-run countries... where they don't give a shit about privacy.
      • Re: (Score:2, Insightful)

        by Anonymous Coward

        Not entirely sure why communism means privacy is ignored. America seems fairly hell bent on removing the expectation of privacy itself.

      • by cgenman (325138) on Monday December 13, 2010 @05:33AM (#34532686) Homepage

        I'm vaguely surprised that companies aren't held legally liable if their outsourcing companies don't adhere to certain security standards. It shouldn't be any different if a company you outsource to in India or a division of your company in Idaho leaves your clients' information unsecured.

      • by billcopc (196330)

        Communist-run countries usually aren't bursting at the seams with (semi-)skilled consultants looking for outsourced work.

        The real issue is that when you're paying someone a tiny fraction of the North American rate for a piece of work, the data becomes the more valuable part of the equation. In some cases it can be very attractive to sell that data to a 3rd party for what we might consider peanuts, but might represent a month's salary to someone else.

  • Goodwill? (Score:4, Insightful)

    by Cyberllama (113628) on Sunday December 12, 2010 @07:04PM (#34530826)

    I appreciate taking this sort of thing with good nature, but that might be a bit generous. Goodwill stopped at the "released a torrent of all the users passwords and personal data". Now my email address is going to get spammed . . . .

    • Further Lessons (Score:5, Insightful)

      by alvinrod (889928) on Sunday December 12, 2010 @07:13PM (#34530872)
      Not sure why anyone would register with any of the Gawker sites, but why on earth you would ever give your actual email address to half of these websites is beyond me. If they require you to provide an email address to register, use a throwaway address from something like mailinator [mailinator.com] or the other sites like it. Yes, someone could take over the account if the email address is posted, but for almost all of those sites the account serves no purpose outside of being able to post.

      I'm not even sure why they require email addresses. Reddit is one of the few sites I've seen get it right. They don't require an email address to register, but warn you that if you don't include one there is no way to recover the password for the account.
      • Hmm. I've done okay so far with tiered emails, because lots of sites are hooked on the whole "sign in" thing. As for "not sure why they require email addresses", if you put on your techie hat, content they show to a logged in user gets marked with a different profile than a Noel Coward. Hulu is a lead example of this, hiding some "mature" shows behind the login wall. They also tweak the ad spread with it.

        I'm dreading having to use a password manager to manage my 3-off visits all over the web.

        • by alvinrod (889928)
          Doesn't really change the fact that you should never provide these people with your real email address. Hulu obtaining your email address in no way proves that you're over 18 and anyone under 18 is most likely sophisticated enough to lie about their age if they want to see a nipple or hear some foul language. So if one needs to sign in because there's some type of wall for unauthenticated users, I don't see how that precludes the use of throwaway email accounts.

          I can't see a good reason to give out your
          • Worst of all, you need to sign in to Youtube now to tweak your resolution settings. Why is this a big deal? Because nowadays, by default, if you switch to full-screen mode Youtube reloads the video in a higher resolution, which is a big fucking problem if you don't have a blazing fast, uncapped connection. In fact I'd say this behavior could only be considered acceptable if you have a true-unlimited fiber connection. If you're unlucky enough to live somewhere with bandwidth even poorer than North America, i

          • I've recovered my password probably 5 times now. I'd have had to remake the account 5 times.

        • I'm dreading having to use a password manager to manage my 3-off visits all over the web.

          If you use throw-away email addresses that are derived from the site's address then you can use the same password at all sites and all you have to remember is the algorithm that converts the site's address into the throw-away email address.

      • Re:Further Lessons (Score:4, Interesting)

        by dwarfsoft (461760) on Sunday December 12, 2010 @08:00PM (#34531088) Homepage

        One benefit of having a domain is having a forward-all for %.com@domain.com. That way you can see which sites got compromised or which accounts got onsold. They can be easily blocked too.

        Still, I do prefer using throwaway email accounts, or not signing up if the content is readily available without registering.

        • by Kjella (173770)

          Yahoo has got a fairly nice feature where you get up to 500 mail aliases. That way you know exactly what site is selling your address and as a bonus you can have it autosort to folders. On top of that, you have the best unsubscription method possible, you simply delete the alias and all their mail will bounce. It probably doesn't hurt to send a "fuck you too" email with the alias saying you know what they did either. I really wish I had discovered it sooner, because my personal address was already a bit spa

        • by whoever57 (658626)
          "Plus addressing" works with gmail, giving any gmail subscriber unlimited aliases. Unfortunately, quite a lot of sites won't accept addresses with "+" in them.
      • by PopeRatzo (965947) * on Sunday December 12, 2010 @09:35PM (#34531412) Homepage Journal

        Not sure why anyone would register with any of the Gawker sites

        Actually, this makes me think this "Gnosis" group might have done us a favor by releasing the names of Gawker readers.

        If aliens should attack the Earth looking to harvest DNA, we now have a list of people that won't be missed.

      • Not sure why anyone would register with any of the Gawker sites

        Sometimes I get tired of the rampant optimism on slashdot.

    • Now my email address is going to get spammed . . . .

      "Now"?

    • Re:Goodwill? (Score:5, Insightful)

      by LighterShadeOfBlack (1011407) on Sunday December 12, 2010 @07:21PM (#34530912) Homepage

      He's not calling what the hackers did 'goodwill', he's saying they shouldn't allow a situation to come about where the goodwill (or lack thereof) is the difference between an e-mail advising of the vulnerability and... well... this. In other words he's taking responsibility for the vulnerability in their systems instead of trying to say that it's all the evil hackers' fault for exploiting it. A refreshing change from the usual response to this kind of thing.

    • Re:Goodwill? (Score:4, Interesting)

      by the phantom (107624) on Sunday December 12, 2010 @07:26PM (#34530936) Homepage
      Parse that last sentence again. Gawker had at least one vulnerability that they did not know about. One or more black hats found that vulnerability, and exploited it. In the same situation, white hats would have found the vulnerability and reported it. They were relying on the goodwill of white hats to report errors, rather than being more proactive themselves, and got pwned. This is, they say, embarrassing, and a situation that they should not have been in.
      • by Lazy Jones (8403)

        Gawker had at least one vulnerability that they did not know about. One or more black hats found that vulnerability, and exploited it.

        I wouldn't exclude the possibility of someone working for them giving away passwords or being responsible him-/herself for the breach. It happens more often than people might think.

      • by makomk (752139)

        Not just that, but they were claiming they hadn't been hacked pretty much up until the release of the lists of passwords. They were relying on the goodwill of the hackers to be able to pretend their site hadn't been hacked and their users' details were secure when it had and they weren't.

    • I use VERP on most of of the forced registration systems. Unless the spammers strip VERP stuff out, I'll know exactly which spammers got my address from Gawker's network. Not that it'll do much good except satisfy some curiosity...

      The other side effect is that your account is a little harder to break into, in cases where the login ID is an email address. Obviously not the case here (username works fine too.)

      What should be awesome: we'll get to see how many Gawker commentators are astroturfing. That shou

    • by cgenman (325138)

      Yes. It's a good thing that no e-mail address has been spammed before this happened. And a tragedy that our perfectly shiny inboxes will be lost forever to these hackers.

  • by RagingMaxx (793220) on Sunday December 12, 2010 @07:05PM (#34530834) Homepage
    ... on their iPhone 4, which for some reason they appear to have left at the bar...
  • by noidentity (188756) on Sunday December 12, 2010 @07:13PM (#34530870)
    ...and instead use Facebook to protect my privacy. Wait, why are you laughing?
  • The torrent file... (Score:5, Informative)

    by Anonymous Coward on Sunday December 12, 2010 @07:15PM (#34530882)
    • by zonker (1158) on Sunday December 12, 2010 @08:10PM (#34531118) Homepage Journal

      Someone uploaded the database to Google's Fusiontable's for you to search for your info against:

      http://www.google.com/fusiontables/DataSource?dsrcid=350662 [google.com]

      Instructions for use:

      1. Get the MD5 of your email address (lowercase)
      - Online: http://pajhome.org.uk/crypt/md5/ [pajhome.org.uk]
      - Shell: $ echo -n mylowercase@email.com|md5sum
      2. Search for the hash (via Show Options)
      3. Change your password

      By the way for Mac users like me that command won't work. Try md5 -r instead of md5sum

  • I used to have one password for all. Yeah, great idea huh. Then it became, 1 password for the important stuff, and 1 for the throwaways. Later on it was 1 for the really useless crap that I wouldn't care if they got hacked, 1 for the semi-important stuff, 1 for things I want to have secured, and 2 more levels, the last one being for "e-mails and personal profile use" (i.e. Facebook, oh nooo!).

    So now I have 5 passwords (well, plus a few single-site ones for e.g. my bank), but I use them inconsistently. Slash

    • by PReDiToR (687141) on Monday December 13, 2010 @04:54AM (#34532620) Homepage Journal
      https://addons.mozilla.org/en-US/firefox/addon/3282/ [mozilla.org]

      Think up a new password. Just one.
      Pass = "PcbEn!"
      The mnemonic for that password is "Passwords Can Be Easy Now!"

      Now use that one simple password to create stupidly complex passwords for the sites you visit by using Password Hasher.

      Every site you go to will have its own unique mix of 26 upper, lower, numbers, symbols (if it supports it) that can be easily recreated in seconds without ever being written down or stored electronically.

      All you have to remember is that passwords can be easy now.

      Example password for Slashdot using this example is "nRP2zGk56sYN8IMUyFR/XpIx45" which is out of the brute force range this year and probably next year too.
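An added illustration of the per-site derivation idea in the comment above (not the Password Hasher add-on's own algorithm): the master secret is an HMAC key, the site name is the message, and a counter is mixed in until the output contains all four character classes. The HMAC-SHA256 construction and the 26-character length are assumptions chosen for this example.

```python
import base64
import hashlib
import hmac

# Assumed parameters for this example: 26 matches the length of the
# comment's sample output; MAX_TRIES bounds the character-class search.
PASSWORD_LENGTH = 26
MAX_TRIES = 100


def has_all_classes(pw: str) -> bool:
    """True if pw contains upper case, lower case, a digit and a symbol."""
    return (any(c.isupper() for c in pw) and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw) and any(not c.isalnum() for c in pw))


def derive_site_password(master: str, site: str, length: int = PASSWORD_LENGTH) -> str:
    """Derive a deterministic per-site password from one master secret.

    The master is the HMAC key and the site name the message, so a password
    leaked from one site does not directly reveal the master or any other
    site's password; an attacker must brute-force the master itself.  A
    counter is appended and incremented until the output satisfies
    has_all_classes(), so the result always meets the four-class policy.
    """
    site = site.strip().lower()  # 'Slashdot.org' and 'slashdot.org' map to one password
    for counter in range(MAX_TRIES):
        msg = f"{site}:{counter}".encode("utf-8")
        tag = hmac.new(master.encode("utf-8"), msg, hashlib.sha256).digest()
        # Standard base64 yields A-Z, a-z, 0-9, '+' and '/', so all four classes can appear.
        candidate = base64.b64encode(tag).decode("ascii").rstrip("=")[:length]
        if has_all_classes(candidate):
            return candidate
    raise RuntimeError("no candidate with all character classes found")


if __name__ == "__main__":
    master = "PcbEn!"  # the comment's mnemonic master password
    for site in ("slashdot.org", "gawker.com"):
        print(f"{site:14} {derive_site_password(master, site)}")
```

The derived string is only as strong as the master behind it: once one derived password leaks and the scheme is known, the short master can be brute-forced offline, so the master needs real entropy even though it is the only thing to remember.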
  • by rweir (96112)

    and by "encrypted" do they mean "we're idiots and stored something other than a salt + hash of the passwords"?

    • and by "encrypted" do they mean "we're idiots and stored something other than a salt + hash of the passwords"?

      They used crypt() [die.net], which means it's going to be relatively easy to crack everything in the file even if the users' passwords were strong. Why anyone would use crypt() for password hashing is beyond me.

    • by Ant P. (974313)

      Given the contempt they apparently hold for their own users [mediaite.com], I don't think they're concerned all that much with protecting those users' data in the first place.

    • string EncryptPassword(char * plaintext)
      { // TODO: Implement real encryption before deployment
              return rot13(plaintext);
      }

  • by The Moof (859402) on Sunday December 12, 2010 @07:41PM (#34531008)
    I find that message from Gawker amusing because they don't even secure their login form with SSL. They're concerned about the database getting stolen with unreadable passwords that might be cracked with enough time, but they turn a blind eye to the fact that authentication information is sent in the clear from the form...
  • They should provide a fast one-stop CGI that their users can go to that will perform these steps, not 'visit our sites and figure shit out'.

    Annoying.

  • by yuhong (1378501) <(yuhongbao_386) (at) (hotmail.com)> on Sunday December 12, 2010 @08:20PM (#34531142) Homepage

    From http://pastebin.com/9rRmf6W5 [pastebin.com]:
    "Gawker uses a really outdated hashing algorithm known as DES (Data Encryption Standard).
    Because DES has a maximum of 8 chars using a password like "abcdefgh1234" only the
    first 8 characters "abcdefgh" are encrypted and stored in the database. If your
    password is longer than 8 characters you only need to enter the first 8 characters
    to log in! "
    The LM hash generated two hashes using DES from two 7-byte parts of a 14-byte password.
    Basically they use each individual 7-byte part as a DES key to encrypt a fixed string.
    Repeat this twice for each 7-byte part, concatenate the results, and you get the LM hash.
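The crypt() comment earlier in the thread and the DES/8-character quote above both describe the same storage problem, so here is one added defender-side example (not Gawker's code, not from the leak): classify stored hashes by their on-disk shape, list the accounts still on traditional DES crypt(3) or another fast scheme, and show the 8-character truncation the quote describes. The sample records are constructed for this example; the bcrypt entry is a shape-correct sample, not a real user's hash.

```python
import re

# (scheme name, shape regex, password truncated at 8 chars?, weak by today's standards?)
# Shapes: DES crypt = 2-char salt + 11-char hash from the crypt alphabet (13 chars total);
# md5-crypt = $1$salt$22chars; bcrypt = $2a/b/y$cost$53chars; sha-crypt = $5$ / $6$ prefix.
SCHEMES = [
    ("des-crypt", re.compile(r"^[./0-9A-Za-z]{13}$"), True, True),
    ("md5-crypt", re.compile(r"^\$1\$[^$]{1,8}\$[./0-9A-Za-z]{22}$"), False, True),
    ("bcrypt", re.compile(r"^\$2[aby]\$\d\d\$[./0-9A-Za-z]{53}$"), False, False),
    ("sha256-crypt", re.compile(r"^\$5\$"), False, False),
    ("sha512-crypt", re.compile(r"^\$6\$"), False, False),
]

# Constructed 'user:hash' records for the example (not from the leaked dump).
SAMPLE_RECORDS = [
    "alice:ab5vfa9b3Lk.Q",                                   # traditional DES crypt shape
    "bob:$1$saltsalt$qJH7.N4xYdfNjFQv6ZY.w1",                # md5-crypt shape
    "carol:$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy",  # bcrypt shape
    "dave:$6$saltsalt$notarealhashjustaprefixmatch",         # sha512-crypt prefix
    "eve:plaintext123",                                      # unrecognised: needs review
]


def classify(stored: str) -> tuple:
    """Return (scheme, truncates_at_8, weak) for a stored hash string.

    Caveat: shape matching cannot distinguish a 13-char plaintext password from
    a DES crypt hash; treat 'des-crypt' hits as 'needs migration either way'.
    """
    for name, pattern, truncates, weak in SCHEMES:
        if pattern.match(stored):
            return name, truncates, weak
    return "unknown", False, True  # anything unrecognised is flagged for review


def audit(records: list) -> dict:
    """Group usernames by the hash scheme found in 'user:hash' lines."""
    report = {}
    for line in records:
        user, _, stored = line.strip().partition(":")
        scheme, _, _ = classify(stored)
        report.setdefault(scheme, []).append(user)
    return report


def needs_reset(records: list) -> list:
    """Users whose scheme is weak: rehash on next login or force a password reset."""
    return [line.partition(":")[0] for line in records if classify(line.partition(":")[2])[2]]


def same_under_des_crypt(password_a: str, password_b: str) -> bool:
    """DES crypt(3) only keys on the first 8 characters, so these two collide."""
    return password_a[:8] == password_b[:8]


if __name__ == "__main__":
    for scheme, users in audit(SAMPLE_RECORDS).items():
        print(f"{scheme:13} {', '.join(users)}")
    print("reset:", needs_reset(SAMPLE_RECORDS))
    print("abcdefgh1234 == abcdefgh under DES crypt:", same_under_des_crypt("abcdefgh1234", "abcdefgh"))
```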

  • Mailinator was made for sites like this.

  • After looking through the package released through BitTorrent, not everybody's password has been compromised. Gawker does appear to store passwords in an encrypted form and only particularly weak passwords have been cracked. My username, for instance, does appear in their raw DB dump (with an encrypted form of my password) but not in a separate file which lists the passwords they were able to crack. I have a fairly strong password and I believe that's why. Real examples of passwords weak enough to be cr

  • by SuperBanana (662181) on Sunday December 12, 2010 @08:36PM (#34531184)
    The real value here is that we'll get to see who has been astroturfing one of the "most popular" blog networks...and dumb enough to use obvious personal or work email addresses. In fact, it wouldn't surprise me if Gawker copywriters were 'turfing their own stories too, given how much emphasis Gawker places on story viewcounts.
    • Not sure how you're going to tell people who are astroturfing from people who are genuinely commenting (maybe even avoiding stories which are a conflict of interest), but the fusion table posted earlier [google.com] has the domain part of the address in the clear.

      = microsoft.com: 107 (you can get the exact count by clicking on "many")
      = google.com: 118
      contains samsung.: 4x samsung.com + 4x others
      = gizmodo.com: 73 (?)
      = gawker.com: 160
      = youstuckupgawkerpeopele.com: 1 :P

      I don't read the site so I don't know what other domai

  • EasyDNS (Score:4, Insightful)

    by Tridus (79566) on Sunday December 12, 2010 @09:07PM (#34531322) Homepage

    It's nice to see a bit of karmic justice after Gawker falsely accused EasyDNS of cutting off Wikileaks (it was EveryDNS), then acted like jackasses when called on it.

    http://blogs.villagevoice.com/runninscared/2010/12/gawker_refuses.php [villagevoice.com]

    • Re:EasyDNS (Score:5, Informative)

      by cyclocommuter (762131) on Sunday December 12, 2010 @09:27PM (#34531386)
      Not only that, Gawker seems to have an ongoing battle with Wikileaks, Assange, and anon via posts like this [gawker.com] and this [gawker.com]. They also appear to be taunting anon to hit them if they can... looks like they got what they wished for although as the saying goes, any publicity is good publicity... especially for the Gawker media empire.
    • Really? So, the 1.5 million victims in all of this can go to hell along with Gawker?

      I guess the words "measured response" don't really mean anything to you ...

    • by lanner (107308)

      I have to agree with the "jackasses" comment being well deserved. They falsely accused someone of wrong, tried to quietly correct it, then insulted anyone who called them out on their mistake, including those who they wronged.

      Being wrong is one thing, but how they handled it turned the editors into "jackasses".

  • by Ex Machina (10710)

    Anyone have any experience changing all their low priority passwords at once? Thoughts?

    • by Scorpinox (479613) on Sunday December 12, 2010 @09:57PM (#34531504)

      I took this as a sign to change all my passwords. It's been a pain in the ass honestly, and provided a nice overview of who is good at letting you change passwords and who sucks. ICQ so far is by far the worst, you can't change it through their website, so you have to download their client, plus they don't allow special characters. eBay's was really hard to find where to change it as well.

      I just went through my bookmarks, starting with the important stuff and working my way down. Unfortunately, there are surely some sites I've forgotten. I'll have to change them as they come up, but they are mostly throwaway accounts anyway.

      • by Radish03 (248960)

        A few weeks ago I had my (2 years inactive) WoW account get owned and banned, possibly through my email account, so that was a major sign to sort out and properly tier all my passwords. I found firefox's list of saved passwords to be particularly helpful as a checklist of sites to change, as well as a reminder of how stupid I had been using my "good" password on far too many low priority sites in the past. Also a strong reason against having one "good" password.

        Thanks to your post, however, I am also remi
