I09 Website Hacked. What does this mean to me? Computer Question

OK, quick link.

What does all this mean?

How does it affect me?

Baffled, here.

Um, from that same link:

Basically, your password may be at risk. If you don’t use the same password for any other site, no worries. If you do, change them.

What password?

I logged in using my email account, there is no password.

Did you just sign up to receive updates in your inbox without registering for an actual account? If so, you’re probably fine.

Umm…no updates.

And, I just typed in my email, no password.

I don’t know, then, sorry.

Anybody else?

Assuming you mean you are able to log in to the site using only an account name (with no password) to post comments to the blog, then anyone can post under your account. Which means someone could pose as you, write something not supported by the site’s TOS, and the account (meaning you) could be banned.

Ok, now I’m curious… how is it you’re able to log in with just an email account? Where is this happening (as in the page URL) and what happens if you sign out and try to log back in?

Hi Bosda.

Do you log in to the site using the ‘login’ link at the top? Or, do you use the site’s comment feature which, after you type in your comments, asks you for an email address (the first part of which they use as the name on your comment), as an identifier but never asks for a password? If you use the latter option, you don’t really have an ‘account’ with them and you don’t have a password that you need to worry about changing. That function is just how they allow people who don’t hold accounts to comment easily and not be ‘anonymous’.

I bet he’s got a “remember me” cookie stored for that site. He probably absolutely needs a password to log in. Unless he’s logging in from his usual computer where the cookie already is.

Why would it bother asking for his email address again?

Bingo.

And, I guess that means I’m OK.

Thank you all for your patience with me.

The passwords were not just possibly compromised, they were published, and as of this writing they were still available for download by anyone. If you use that same password elsewhere, you should change it now. You may find someone has changed it already and is using it. This was done with some Twitter accounts which are now being used to spam about berries.

Since the passwords were published, it is not just the intent of the original thieves you need to worry about. Anyone can find it and use it. If you had PayPal, eBay, or shopping accounts with that same password, anyone can get into them and cause you direct financial impact. If your main email account has the same password, they could use that to compromise other accounts you hold and sign you up for who knows what.

In my opinion, storing customer passwords in plain text is reckless.

My account was one of the ones “compromised”. While I don’t believe anyone gained access to any of my other accounts as a result (they had my usual “low-security” password, which means they can now read the New York Times as if they were me, and various other sites where the only access gained is reading something I didn’t pay for or maybe posting comments somewhere), Google, Facebook, LinkedIn, and Twitter all took protective action against my accounts, forcing me to reactivate them and change the passwords even when they weren’t necessarily the same as the password leaked.

It turns out that Gawker stored passwords not in cleartext but encrypted with a single round of DES, which is about as hard to crack with modern equipment as rot13. Gawker has no security officer and apparently liked to play chicken with 4chan, once declaring that they were “invulnerable”. Do not taunt happy fun ball.

Gawker may well be dead now: the hackers, in addition to stealing nearly all their proprietary data, also badly damaged their infrastructure on the way out. They really can’t go back in full operation until they complete a full security sweep (after all, the hackers almost certainly left backdoors and trapdoors), and (as noted) they don’t have anyone with the necessary security experience. Forbes has a good discussion on their blog.