Gawker Source Code and Databases Compromised
An anonymous reader writes "Passwords and personal data for 1.3 million Gawker Media readers — this includes readers of sites like Gizmodo, Lifehacker, Kotaku, and io9 — have been released as a BitTorrent by a group of hackers called Gnosis, who also managed to gain access to both the Gawker CMS and Gizmodo's Twitter account. Gawker confirms and urges readers to change their passwords: 'Our user databases do indeed appear to have been compromised. The passwords were encrypted. But simple ones may be vulnerable to a brute-force attack. You should change the password on Gawker (GED/commenting system) and on any other sites on which you've used the same passwords. Out of an abundance of caution, you should also change your company email password and any passwords that may have appeared in your email messages. We're deeply embarrassed by this breach. We should not be in the position of relying on the goodwill of the hackers who identified the weakness in our systems.'"
Re:Goodwill? (Score:4, Interesting)
In the spirit of WikiLeaks. (Score:1, Interesting)
Leaks of information are good.
Re:Further Lessons (Score:4, Interesting)
One benefit of having a domain is having a forward-all for %.com@domain.com. That way you can see which sites got compromised or which accounts got onsold. They can be easily blocked too.
Still, I do prefer using throwaway email accounts, or not signing up if the content is readily available without registering.
the true gem here: ID'ing astroturfers (Score:5, Interesting)
Re:The torrent file... (Score:3, Interesting)
It's a pretty good textbook example of how NOT to secure a website (not to mention a major one). I checked out the README, and it's rather embarrassing. Trivial leetspeak for root passwords, publicly accessible MySQL servers, stuff running Linux 2.6.18 compiled back in 2007 (there have been multiple local root exploits since then), ridiculously insecure passwords for admin accounts, people using the same password everywhere... They also appear to be using ancient DES crypt() for their website user passwords (that means only the first 8 characters of user/commenter passwords on the site matter). Really, it's no surprise that they were broken into through every possible orifice and then some. That's not counting the failure to react when they noticed something was off (which they did) before it was way too late.
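Added example, not code from the thread or from Gawker: a triage script of the kind an incident responder would run over a leaked user table to see which crypt(3) scheme each stored hash uses, flag legacy DES crypt with its 8-character limit, and report hash values shared between accounts. The scheme table and the sample dump rows are constructed here for illustration.

```python
import re
from collections import Counter, defaultdict

# Traditional DES crypt(3): 2 salt chars + 11 hash chars from [./0-9A-Za-z].
DES_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

# Modular-crypt prefixes (assumed table): name, effective max password
# length the scheme actually uses (None = no practical truncation), and
# whether the scheme is fast/legacy enough to count as weak.
SCHEMES = {
    "$1$": ("md5-crypt", None, True),
    "$2a$": ("bcrypt", 72, False),
    "$2b$": ("bcrypt", 72, False),
    "$2y$": ("bcrypt", 72, False),
    "$5$": ("sha256-crypt", None, False),
    "$6$": ("sha512-crypt", None, False),
}

def classify(hash_str):
    """Return (scheme, effective_max_len, weak) for one stored hash."""
    for prefix, info in SCHEMES.items():
        if hash_str.startswith(prefix):
            return info
    if DES_CRYPT_RE.match(hash_str):
        # Only the first 8 password characters influence a DES crypt hash.
        return ("des-crypt", 8, True)
    return ("unknown", None, True)

def triage(lines):
    """Parse 'user:hash' lines; return per-scheme counts and shared hashes."""
    counts = Counter()
    owners = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line or ":" not in line:
            continue
        user, h = line.split(":", 1)
        counts[classify(h)[0]] += 1
        owners[h].append(user)
    # Identical hash strings mean identical salt and identical (truncated) password.
    shared = {h: users for h, users in owners.items() if len(users) > 1}
    return counts, shared

# Constructed sample dump, not data from the real breach.
SAMPLE = """
alice:abJnggxhB/yWI
bob:abJnggxhB/yWI
carol:$1$saltsalt$N9S3Q2z2UP0vJzw9lMU/Y1
dave:$2b$12$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0
""".strip().splitlines()

if __name__ == "__main__":
    counts, shared = triage(SAMPLE)
    print(dict(counts))
    for h, users in shared.items():
        print(f"{users} share {h} (same first {classify(h)[1]} chars)")
```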
Re:Throwaway Email (Score:4, Interesting)
I now use mailinator for all my throwaway registrations, then if I care in the least I change the password just in case someone else reads from the same random email name that I did.
I put common e-mails @mailinator into the "forgot password" field when I need a login.
It works more often than not.
Re:I've lost track of my passwords... (Score:4, Interesting)
Think up a new password. Just one.
Pass = "PcbEn!"
The mnemonic for that password is "Passwords Can Be Easy Now!"
Now use that one simple password to create stupidly complex passwords for the sites you visit by using Password Hasher.
Every site you go to will have its own unique mix of 26 upper, lower, numbers, symbols (if it supports it) that can be easily recreated in seconds without ever being written down or stored electronically.
All you have to remember is that passwords can be easy now.
Example password for Slashdot using this example is "nRP2zGk56sYN8IMUyFR/XpIx45" which is out of the brute force range this year and probably next year too.