Today, Lifehacker and Gawker confirmed the rumors that have been circulating since Saturday afternoon: a hacker group known as Gnosis has breached Gawker’s servers, harvesting over 200,000 usernames, emails and passwords along with, according to the torrent file posted on PirateBay, “an additional million or so easily decryptable” usernames and passwords. Lifehacker and the rest of the Gawker blogs, which include Fleshbot, Jezebel, Gizmodo, Jalopnik, Kotaku, Deadspin and io9, have responded in classy fashion, posting a comprehensive, frank and measured response to the security breach. You can read all about the fate of your commenter account and which actions you should take in the Lifehacker compromised commenting account FAQ. Long story short, if you have ever registered at a Gawker site or commented on a Gawker site, you should change your password now. And not just your Lifehacker account password, but the password of any other account that uses the same credentials (reusing them is bad form, by the way). If you logged into a Gawker blog using Facebook Connect or your Twitter account, your credentials should be safe, according to Gawker. However, a rash of hijacked Twitter accounts tweeting about Acai berry hints at the contrary (though this is perhaps due to users having the same login and password for Lifehacker as for their Twitter account).
If you’re tweaked that this is the first you’re hearing about the Lifehacker data compromise, rest assured that the Gawker tech team is on it and is currently resetting passwords and contacting affected users. So, if you haven’t heard from Gawker yet, you will soon.
As for why Gawker was hacked, it appears that there has been a longstanding feud between Gawker and Gnosis and their ilk. In the torrent file description Gnosis taunts Gawker, saying:
Previous attacks against the target were mocked, so we came along and raised the bar a little. F### you gawker, how’s this for “script kids”? Your empire has been compromised, Your servers, Your databases, Online accounts and sourcecode have all been ripped to shreds! You wanted attention, well guess what, You’ve got it now!
The “script kids” reference is likely an allusion to Gawker’s comments when a group of 4chan members attempted to bring Gawker down after the blog demonized the group for launching a concerted campaign of harassment against an 11-year-old YouTube member. A Gawker blogger wrote of their attempts:
Harassment and hack attacks: What a very effective way for the script kiddies hanging around /b/ today to prove they are not “summerf###,” as senior 4chan members call them, but effective and persuasive humans who will inevitably win critics and the rest of the world over to their side. Dorks. We’re demoting you to 3chan for the rest of the summer.
Gnosis, however, claims no connection to 4chan or Anonymous, the group that most recently waged war against MasterCard, PayPal and Visa.
At any rate, this is a fair amount of drama—unfortunately, many of us readers have been caught in the collateral damage. If anything, this should serve as a stirring reminder to always use strong passwords, never use a universal “master” password across accounts, and change your passwords periodically, in case one of these data breaches goes unnoticed. If this seems like a hassle to you, then we recommend checking out a password manager, such as LastPass, which we covered earlier in our Google Chrome Extensions Power List.
Also, if you are curious as to whether your email was included in the database, but don’t want to tangle with any fishy business by downloading the torrent yourself, you can run your email address through a widget put together by Slate. Personally, my email didn’t come back as compromised—but I’m still going to be changing all of my passwords, just in case my email was included among those “million or so” easily decryptable passwords, which don’t appear to be included in Slate’s database.
Update: it appears that Slate’s widget does include your email, even if your password is included in encrypted form.
Update: A couple of reports of people getting suspicious emails re: their Gawker accounts. Probably phishing attempts, since the release included emails as well. PLEASE BEWARE OF THIS. Do not visit any links from anyone claiming to be from Gawker or one of their blogs. Instead, visit their site directly and change your password there. There are links all over the place on their front page; you can’t miss them.
Update: Upon receipt of an email notification from Gawker, it appears that I am actually in trouble, since I signed up for a Gawker account years ago with an old email address. So, that got me thinking: what else did I sign up for years ago with that same email and password that I may have forgotten about? So, in order to jog my memory, and yours, I’m going to create a massive list of online services that you may have signed up for in the past. Please add to this list if you can.
- Windows Live
- Yahoo! Mail
- Windows Live Mail
- Microsoft Exchange
- Zoho Mail
- AIM Mail
- GMX Mail
(usually have multiple layers of security, but just in case…)
- U.S. Bank
- Fifth Third
- Huntington National
- Bank of the West
- Charles Schwab
- ING Direct
- Allied Bank
- Bank of America
- Wells Fargo
- Capital One
- TD Ameritrade
- Other self-hosted blogs
- WordPress.org (did you check ALL your self-hosted blogs?)
- Key Systems
- A Small Orange
- Kodak EasyShare
- Care to Connect
- AOL Instant Messenger
- Windows Live Messenger
- Google Chat
- Zoho Meeting
- Constant Contact
- Words with Friends
- Crystal (i.e. Angrybirds)
Phew. That’s barely scratching the surface, I know. But it just goes to show that we sign up for an inordinate number of services. Please contribute to this list—especially the obvious ones I missed.