I09 Website Hacked. What does this mean to me? Computer Question

OK, quick link.

What does all this mean?

How does it effect me?

Baffled, here.

Um, from that same link:

Basically, your password may be at risk. If you don’t use the same password for any other site, no worries. If you do, change them.

What password?

I logged in using my email account, there is no password.

Did you just sign up to receive updates in your inbox without registering for an actual account? If so, you’re probably fine.

Umm…no updates.

And, I just typed in my email, no password.

I don’t know, then, sorry.

Anybody else?

Assuming you mean you are able to login into the site using only an account name (with no password) to post comments to the blog, then anyone can post under your account. Which means someone could pose to be you, write something not supported by the site’s TOS and the account (meaning you) could be banned.

Ok, now I’m curious… how is it you’re able to log in with just an email account? Where is this happening (as in the page URL) and what happens if you sign out and try to log back in?

Hi Bosda.

Do you login to the site using the ‘login’ link at the top? Or, do you use the site’s comment feature which, after you type in your comments, asks you for an email address (the first part of which they use as the name on your comment), as an identifier but never asks for a password? If you use the latter option, you don’t really have an ‘account’ with them and you don’t have a password that you need to worry about changing. That function is just how they allow people who don’t hold accounts to comment easily and not be ‘anonymous’ .

I bet he’s got a “remember me” cookie stored for that site. He probably absolutely needs a password to log in. Unless he’s logging in from his usual computer where the cookie already is.

Why would it bother asking for his email address again?


And, I guess that means I’m OK.

Thank you all for your patience with me. :slight_smile:

The passwords were not just possibly compromised they were published and on writing this they were still available for download by anyone. If you use that same password elsewhere, you should change it now. You may find someone has changed it already and is using it. This was done with some twitter accounts which are now being used to spam about berries.

Since the passwords were published, it is not just the intent of the original thieves you need worry about. Anyone can find it and use it. If you had paypal, ebay, or shopping accounts with that same password, anyone can get into them and cause you direct financial impact. If your main email account has the same password, they could use that to compromise other accounts you hold and sign you up for who knows what.

In my opinion, storing customer passwords in plain text is reckless.

My account was one of the ones “compromised”. While I don’t believe anyone gained access to any of my other accounts as a result (they had my usual “low-security” password, which means they can now read the New York Times as if they were me, and various other sites where the only access gained is reading something I didn’t pay for or maybe posting comments somewhere), Google, Facebook, LinkedIn, and Twitter all took protective action against my accounts, forcing me to reactivate them and change the passwords even when they weren’t necessarily the same as the password leaked.

It turns out that Gawker stored passwords not in cleartext but encrypted with a single round of DES, which is about as hard to crack with modern equipment as rot13. Gawker has no security officer and apparently liked to play chicken with 4chan, once declaring that they were “invulnerable”. Do not taunt happy fun ball.

Gawker may well be dead now: the hackers, in addition to stealing nearly all their proprietary data, also badly damaged their infrastructure on the way out. They really can’t go back in full operation until they complete a full security sweep (after all, the hackers almost certainly left backdoors and trapdoors), and (as noted) they don’t have anyone with the necessary security experience. Forbes has a good discussion on their blog.