Gawker Source Code and Databases Compromised
An anonymous reader writes "Passwords and personal data for 1.3 million Gawker Media readers — this includes readers of sites like Gizmodo, Lifehacker, Kotaku, and io9 — have been released as a BitTorrent by a group of hackers called Gnosis, who also managed to gain access to both the Gawker CMS and Gizmodo's Twitter account. Gawker confirms and urges readers to change their passwords: 'Our user databases do indeed appear to have been compromised. The passwords were encrypted. But simple ones may be vulnerable to a brute-force attack. You should change the password on Gawker (GED/commenting system) and on any other sites on which you've used the same passwords. Out of an abundance of caution, you should also change your company email password and any passwords that may have appeared in your email messages. We're deeply embarrassed by this breach. We should not be in the position of relying on the goodwill of the hackers who identified the weakness in our systems.'"
The torrent file... (Score:5, Informative)
Re:The torrent file... (Score:5, Informative)
Someone uploaded the database to Google's Fusion Tables for you to search for your info against:
http://www.google.com/fusiontables/DataSource?dsrcid=350662
Instructions for use:
1. Get the MD5 of your email address (lowercase)
- Online: http://pajhome.org.uk/crypt/md5/
- Shell: $ echo -n 'mylowercase@email.com' | md5sum
2. Search for the hash (via Show Options)
3. Change your password
By the way, for Mac users like me, that command won't work. Try md5 -r instead of md5sum.
Reminds me of the LM hash (Score:5, Informative)
From http://pastebin.com/9rRmf6W5:
"Gawker uses a really outdated hashing algorithm known as DES (Data Encryption Standard).
Because DES has a maximum of 8 chars, using a password like "abcdefgh1234" only the
first 8 characters "abcdefgh" are encrypted and stored in the database. If your
password is longer than 8 characters you only need to enter the first 8 characters
to log in!"
The LM hash generates two hashes using DES from two 7-byte parts of a 14-byte password.
Basically they use each individual 7-byte part as a DES key to encrypt a fixed string.
Repeat this twice, once for each 7-byte part, concatenate the results, and you get the LM hash.
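The two-half DES construction this comment describes, as an added example in Go (not code from the post or from Gawker; "KGS!@#$%" is the well-known fixed string LM encrypts, while the helper name lmKey, the IsShortLM audit check and the sample passwords are this example's own assumptions). It shows why LM is weaker than a 14-byte password suggests: case is folded away before hashing, anything past 14 characters is dropped, and a password of 7 characters or fewer leaves the second half as a constant that an auditor can spot without cracking anything.

```go
package main
import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

const (
	lmMagic     = "KGS!@#$%"         // well-known fixed plaintext LM encrypts under each half-key
	lmEmptyHalf = "AAD3B435B51404EE" // DES of lmMagic under an all-zero half: password was <= 7 chars
)
// lmKey spreads 7 password bytes over 8 DES key bytes, 7 bits each;
// the low bit of every key byte is the parity bit, which DES ignores.
func lmKey(k7 []byte) []byte {
	k := make([]byte, 8)
	k[0] = k7[0] &^ 1
	for i := 1; i < 7; i++ {
		k[i] = (k7[i-1]<<(7-uint(i)) | k7[i]>>uint(i+1)) << 1
	}
	k[7] = k7[6] << 1
	return k
}

// LMHash returns the LM hash of an ASCII password as 32 uppercase hex digits.
func LMHash(password string) string {
	p := strings.ToUpper(password) // LM folds case before hashing
	if len(p) > 14 {
		p = p[:14] // characters beyond 14 are silently dropped
	}
	buf := make([]byte, 14) // zero-padded, then split into two 7-byte halves
	copy(buf, p)
	out := make([]byte, 16)
	for i := 0; i < 2; i++ {
		c, _ := des.NewCipher(lmKey(buf[i*7 : i*7+7])) // 8-byte key: cannot fail
		c.Encrypt(out[i*8:i*8+8], []byte(lmMagic))
	}
	return strings.ToUpper(hex.EncodeToString(out))
}

// IsShortLM flags a hash whose second half betrays a password of <= 7 characters.
func IsShortLM(hash string) bool {
	return len(hash) == 32 && strings.ToUpper(hash[16:]) == lmEmptyHalf
}

func main() {
	for _, pw := range []string{"", "abcdefg", "ABCDEFG", "abcdefgh1234567"} {
		fmt.Printf("%-18q %s short=%v\n", pw, LMHash(pw), IsShortLM(LMHash(pw)))
	}
}
```

Running it shows "abcdefg" and "ABCDEFG" hashing identically and both ending in AAD3B435B51404EE, which is the check worth adding to any audit of a password store that still carries LM values.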
Re:Encrypted? Hashed? (Score:2, Informative)
The salt just complicates the rainbow table lookup method. It's not supposed to be super secret. It makes every password require an expensive brute force lookup rather than an O(1) operation.
Re:EasyDNS (Score:5, Informative)