
Gawker Hack: Hacked Database Compromises User Data

12/12/10 10:08 PM ET   AP


NEW YORK — Gawker Media Inc. is urging subscribers to change their passwords because someone has managed to hack into the company's user database.

The company, which runs a series of irreverent blogs on media, technology and other issues, said in a posting on its website Sunday that the commenting passwords used on the sites were encrypted, but simple ones could be vulnerable to attacks by hackers' computers.

The company also said passwords on other sites should be changed if they were the same as the ones stored by Gawker Media.

"We're deeply embarrassed by this breach," the posting on gawker.com said. "We should not be in the position of relying on the goodwill of the hackers who identified the weakness in our systems."

Millions of people are likely affected by the breach because of the popularity of Gawker's sites such as Gizmodo, a tech gadget news site, said Rich Mogull, CEO of Phoenix-based Securosis, a security research firm.

The damage should be minimal, though, because Gawker probably stored only e-mails, user names and passwords, Mogull said. The problem comes if people use the same passwords on other sites, such as online banking. The hackers likely were able to figure out easy passwords even though they were protected on the Gawker site by a simple algorithm, and could use them to access bank accounts, Mogull said.

The hackers could be upset about something written on one of Gawker's sites, or they could be doing it for bragging rights, Mogull said.

"It's kind of a juvenile thing. It's like spray-painting," he said.

Such attacks are very common and difficult to stop, as long as the hackers have enough time to try to breach the system, he said. "If someone is determined and knowledgeable, you can't keep them out," he said.

The attacks probably are unrelated to recent cyberspace attacks over the WikiLeaks site's release of classified government documents, but Gawker could have angered some of the same people, Mogull said.

Last week, the Visa and MasterCard sites were inaccessible for a short time likely because of attacks by supporters of WikiLeaks. Supporters were angry that the credit card companies had stopped processing donations to WikiLeaks.

Both MasterCard and Visa said that cardholders' accounts were not at risk and that people could continue using their credit cards.

Supporters of WikiLeaks, which has released thousands of classified government documents in recent weeks, said they would attack companies and groups hostile to the site and its founder. An Internet group operating under the label "Operation Payback" claimed responsibility for the MasterCard and Visa problems in messages on Twitter and elsewhere.

Messages were left Sunday night for Gawker chief Nick Denton.

Gawker's Gizmodo tech blog gained fame in May when it posted pictures of an iPhone prototype. The phone was lost by an Apple Inc. engineer in a Silicon Valley bar.

Filed by Adam J. Rose
JBS
Part time misanthrope & full time curmudgeon
04:09 AM on 12/24/2010
I have received emails telling me my "Gawker account" is compromised.

Is there anywhere I can find out what information about my user name and passwords has been lost. I have hundreds of online accounts, and would prefer not to have to change passwords on every one of them because I don't know what password has been compromised.
JBS
Part time misanthrope & full time curmudgeon
11:06 PM on 12/26/2010
Followup: As it turns out the only way to find out what information about you is in the hacked database is to install torrent software and download the hacked database for yourself. Inside are a number of text files.

The file you need is full_db.txt

From that file I learned that Gawker does not verify the email addresses provided by registrants. Gawker allowed some person identifying themselves by the user name: AloysiusGadison to create a user account linked to my email address.

I am not AloysiusGadison. I have never been AloysiusGadison.

Neither AloysiusGadison nor Gawker Media have ever had my permission to use my email address.

Gawker did not verify the user's right to use my email address.

Gawker Media's negligence has caused me grievous harm and considerable inconvenience.
SPQR1052
05:18 AM on 12/15/2010
Gawker is another rag tabloid, point. Who cares?
karots
I make dreams happen, for rabbits.
05:53 PM on 12/13/2010
Gawker claimed "Anonymous" were all script kiddies ("hackers" using preset tools to do the hacking for them, while not knowing anything about the program itself or nearly nothing)

They then got hacked, bigtime, by people that got slightly annoyed at being called script kiddies. This was a response to Gawker taunting the group continuously, and declaring themselves to be better. Look what that got them.
They did a lot more than just steal 1.3 million user accounts; they stirred the pot more, but they are not admitting to that as it would make them look rather silly, and from a business standpoint it would be a terrible idea.

So what do we learn from this? Telling "the internet" that they suck is a bad way to start off the day.
karots
I make dreams happen, for rabbits.
09:35 PM on 12/13/2010
And to avoid more confusion, I know very well that chanonymous are mostly script kiddies, but obviously not all of them.
04:06 PM on 12/13/2010
This has nothing directly to do with the Cyber Attacks last week

"Gawker Hacker Gnosis Explains Method and Reasoning Behind His Actions"
http://www.mediaite.com/online/exclusive-gawker-hacker-gnosis-explains-method-and-reasoning-behind-his-actions/

http://www.wired.com/threatlevel/2010/12/gawker-hacked/
01:47 PM on 12/13/2010
This is a joke, and actually an irresponsible article from a security standpoint. I totally disagree with this Mogull person that "If someone is determined and knowledgeable, you can't keep them out". What utter nonsense. Gaining administrative access (hacking) to a system is only possible if that system is insecure or people with admin access are using bad passwords. So you CAN keep people out IF there is any understanding of basic security. Anything public-facing needs strong admin passwords. HuffPo should not be taking this guy's word blindly on the topic.
I agree with all other commenters that if you use the same easy password on most sites, you're asking for trouble. FYI everyone, a sentence like "Gawker should be ashamed." (without quotes and yes, with spaces) makes a great, strong password..., if the system will let you. Some are sadly outdated.
12:24 AM on 01/08/2011
up until a new exploit is discovered.. and then...
12:58 PM on 12/13/2010
You know what's funny? Bruce Schneier said in an interview that the group Anonymous weren't really hackers and only did a low-level, non-talented DDOS attack on MasterCard, Visa, etc. (DDOS didn't really take place, technically speaking; a DDOS involves zombie computers controlled by a central location, not computers controlled by individuals who simultaneously flood the sites with traffic!). Anyways, what deems a hacker a hacker?

Security in my mind has never been held to the importance level that it should be held at, and this breach is a perfect example! I mean, how in the world can a website that uses a CMS system use simple encryption on its username database? Furthermore, their web server must not have had top-notch security applied to it. I use better encryption on my personal laptop than Gawker uses on the database for a site accessed by millions of users?

Does this security flaw deem the perpetrators hackers? No, it shows how easy it was for them to move around an insecure system.
Fred Hood
United we win divided we lose
10:54 AM on 12/13/2010
This problem will be going on for another hundred years......we need to stay out of it.....I have no allegiance to any of these people based on some book everyone wants to fight for but no one follows.
10:28 AM on 12/13/2010
Hide ya wife hide ya kids...
J0E1
Don't blame me, I'm not a republicrat.
10:28 AM on 12/13/2010
Someone managed to get into my email for the first time since I started using the internet back in the 9600bps modem era. Sure enough, since my username was the same for my email and one of my credit cards, the same day they got into my email they locked me out of my credit card account while trying the same password. They WILL go after any financial institution's sites, so change your password immediately if it's the same for your email or any other important site.
10:22 AM on 12/13/2010
Yup, it's not a new ideer, but changing passwords on a regular basis negates many problems. It also has a limited effect on key-logging viruses.
02:29 PM on 12/13/2010
Hmm, I can't really agree... Unless one of your account passwords has been stolen by somebody, changing the password accomplishes nothing at all. If you suspect that's the case you ought to be changing all of your passwords.
10:32 AM on 12/14/2010
Say'ed like a true hacker smacker
eileenflemingWAWA
http://www.wearewideawake.org/
09:40 AM on 12/13/2010
WikiLeaks: The Documentary

Email forwarded from National Catholic Workers* List Serve:

See this amazing and powerful video about Wikileaks and Julian Assange. It tells the story of this very courageous person and people working to nonviolently speak truth to Power and get the truth to the people of the world...

http://www.wearewideawake.org/index.php?option=com_content&task=view&id=1914&Itemid=240
01:02 PM on 12/13/2010
speak the truth? you mean endanger lives, foreign and domestic?
tresluv
06:22 PM on 12/13/2010
Safety based on lies to the public about how our government functions, or truth to open people's eyes to corruption and possibly move us to push for changes in a system we didn't knowingly buy into?
hmmmm ....
01:54 AM on 12/14/2010
Then you better get the government to shut down The New York Times, and a dozen other newspapers.. because they print EVERYTHING that WikiLeaks releases.. they did not steal the material, they are a news organization that scooped our useless news organizations..

Look into the Pentagon Papers.. they had the same effect and accusations.
02:30 PM on 12/13/2010
Thank you for the link. I just spent a productive 57 minutes.
brownfrown
Political Fundip
09:20 AM on 12/13/2010
Good luck to all the people who use the same password for every website. The hackers WILL try to log into your emails, and search through them for any personal info they can get.
07:22 AM on 12/13/2010
"they should be deeply embarrassed to be keeping plaintext versions of user passwords.. why oh why would they do that?"

It doesn't sound like they did that. They probably stored them as MD5 hashes (a common non-reversible "encryption"). However, one could just run a dictionary attack on the MD5 hashes and find passwords that are dictionary words.
JBS
Part time misanthrope & full time curmudgeon
11:16 PM on 12/26/2010
Gawker used DES, not MD5
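The exchange above about whether the leaked table held plaintext, MD5 or DES hashes turns on one design question: does a single precomputed wordlist cover every row, or does each row force fresh work? The following script is an added illustration, not part of this thread and not Gawker's code; the wordlist, account names and passwords are constructed, and PBKDF2 stands in as the hardened alternative.

```python
import hashlib
import hmac
import os
# Constructed sample data (not from the leaked dump): a short wordlist and three
# accounts, two of which picked the same weak password.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "football"]
ACCOUNTS = {"alice": "password", "bob": "T7#kq9!vLm2", "carol": "password"}
DEMO_ITERATIONS = 20_000  # kept low so the demo is quick; use far more in production

def md5_hex(password):
    """Unsalted MD5, the scheme the comment above assumes Gawker used."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def pbkdf2_record(password, iterations=DEMO_ITERATIONS):
    """Salted, deliberately slow PBKDF2-HMAC-SHA256 with a fresh 16-byte salt per user."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}

def verify_pbkdf2(password, record):
    """Re-derive with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])

MD5_TABLE = {user: md5_hex(pw) for user, pw in ACCOUNTS.items()}
PBKDF2_TABLE = {user: pbkdf2_record(pw) for user, pw in ACCOUNTS.items()}

def audit_unsalted_md5(table, wordlist):
    """Audit an unsalted-MD5 table: hash each word once, then one lookup covers
    every row. Returns {user: recovered_password} for the weak accounts."""
    lookup = {md5_hex(word): word for word in wordlist}
    return {user: lookup[h] for user, h in table.items() if h in lookup}

def audit_salted_table(table, wordlist):
    """Same audit against salted PBKDF2 records: no shared lookup exists, so each
    word is re-derived per user at full cost. Returns (weak_users, derivations)."""
    weak, work = {}, 0
    for user, record in table.items():
        for word in wordlist:
            work += 1
            if verify_pbkdf2(word, record):
                weak[user] = word
                break
    return weak, work

def duplicate_hashes(table):
    """Rows whose stored hash appears elsewhere: unsalted hashing reveals shared passwords."""
    values = [r["hash"] if isinstance(r, dict) else r for r in table.values()]
    return sum(1 for v in values if values.count(v) > 1)
```

Both audits find the same two weak accounts, but the MD5 table gives them up with five hash computations total and also exposes that alice and carol share a password, while the salted table costs one full derivation per guess per user and shows no duplicates.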
moutonnoir
iconoclastic demagoguery
05:48 AM on 12/13/2010
they should be deeply embarrassed to be keeping plaintext versions of user passwords.. why oh why would they do that?

it is irresponsible at best, with dark undertones as soon as you go into the reasons a person/organization would set up such a system to keep actual passwords instead of hashes..
RichardSau
04:23 AM on 12/13/2010
probably no encryption .. and if any, MD5 ... simple reversal ... lazy implementers ... i know of sites which store plain text but lie to the auditors