Gawker Source Code and Databases Compromised

An anonymous reader writes "Passwords and personal data for 1.3 million Gawker Media readers — this includes readers of sites like Gizmodo, Lifehacker, Kotaku, and io9 — have been released as a BitTorrent by a group of hackers called Gnosis, who also managed to gain access to both the Gawker CMS and Gizmodo's Twitter account. Gawker confirms and urges readers to change their passwords: 'Our user databases do indeed appear to have been compromised. The passwords were encrypted. But simple ones may be vulnerable to a brute-force attack. You should change the password on Gawker (GED/commenting system) and on any other sites on which you've used the same passwords. Out of an abundance of caution, you should also change your company email password and any passwords that may have appeared in your email messages. We're deeply embarrassed by this breach. We should not be in the position of relying on the goodwill of the hackers who identified the weakness in our systems.'"

The torrent file...

[Anonymous Coward]

http://thepiratebay.org/torrent/6034669 [thepiratebay.org]

Re:The torrent file...

[zonker]

Someone uploaded the database to Google's Fusiontable's for you to search for your info against:

http://www.google.com/fusiontables/DataSource?dsrcid=350662 [google.com]

Instructions for use:

1. Get the MD5 of your email address (lowercase)
- Online: http://pajhome.org.uk/crypt/md5/ [pajhome.org.uk]
- Shell: $ echo -n mylowercase@email.com|md5sum
2. Search for the hash (via Show Options)
3. Change your password

By the way for Mac users like me that command won't work. Try md5 -r instead of md5sum

Reminds me of the LM hash

[yuhong]

From http://pastebin.com/9rRmf6W5 [pastebin.com]:
"Gawker uses a really outdated hashing algorithm known as DES (Data Encryption Standard).
Because DES has a maximum of 8chars using a password like "abcdefgh1234" only the
first 8 characters "abcdefgh" are encrypted and stored in the database. If your
password is longer than 8 characters you only need to enter the first 8 characters
to log in! "
The LM hash generated two hashes using DES from two 7 byte parts of a 14 byte password.
Basically they use each individual 7 byte part as a DES key to encrypt a fixed string.
Repeat this twice for each 7 byte part, and concatenate the results, and you get the LM hash.

Re:Encrypted? Hashed?

[Anonymous Coward]

The salt just complicates the rainbowtable lookup method. It's not supposed to be super secret. It makes every password require a expensive brute force lookup rather than a O(1) operation.

Re:EasyDNS

[cyclocommuter]

Not only that, Gawker seems to have an ongoing battle with Wikileaks, Assange, and anon via posts like this [gawker.com] and this [gawker.com]. They also appear to be taunting anon to hit them if they can... looks like they got what they wished for although as the saying goes, any publicity is good publicity... especially for the Gawker media empire.