Hackers have gotten hold of the database containing usernames and passwords of roughly 1.4 million users who have posted a comment to the Gawker website or any of its popular affiliates, including lifehacker.com, gizmodo.com, jalopnik.com, jezebel.com, kotaku.com, deadspin.com and others.
They are not keeping this database to themselves either. They’ve uploaded the entire thing to the public torrent tracker thepiratebay.org, including their rough analysis of the database, plaintext credentials for a number of Gawker employees, 200,000 passwords they’ve cracked, and the entire set of 1.4 million usernames, email addresses, and encrypted passwords.
Technical details on the hack are fairly slim at the moment, but the hacking group Gnosis has claimed responsibility for it. This little tidbit was included in the upload of the database to thepiratebay.org:
“[email protected]#$ you gawker, hows this for “script kids”?
Your empire has been compromised, Your servers, Your database’s, Online accounts and source code have all be ripped to shreds!
You wanted attention, well guess what, You’ve got it now!”
It appears that Gnosis was able to guess the password of Gawker founder Nick Denton for his account on the Campfire team-collaboration portal that Gawker uses for internal communications and real-time chat amongst staff. Once Gnosis had access to this, they were able to obtain a wealth of information from the reported 4 gigabytes of chat logs.
It seems that the password for the MySQL database was also disclosed somewhere in these logs. With the SQL credentials in hand, it was a trivial matter for Gnosis to dump large amounts of information, including usernames, email addresses, and encrypted passwords. Unfortunately, the encryption used to protect the passwords was the ancient and deprecated Data Encryption Standard (DES), which uses a measly 56-bit encryption key. Due to this poor encryption scheme, any password over 8 characters is truncated to 8 before being stored in the database. Users with a password longer than 8 characters will not have the entire thing compromised, but access to their account will still be possible with just the first 8 characters if those are cracked. Gnosis has cracked roughly 200,000 of the 1.4 million passwords contained in the database they dumped. All of the hashes are available for cracking by anyone who’s interested and has some spare CPU power.
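To make the 8-character truncation concrete, here is an added example (not code from Gawker, Gnosis, or the original post). It models only the key-derivation step of the traditional DES-based crypt(3) scheme, which is assumed here to be the scheme in use because it matches the 8-character limit described above. The function names and sample passwords are constructed for illustration.

```python
from collections import defaultdict

MAX_CHARS = 8  # traditional DES crypt(3) reads only the first 8 characters


def des_crypt_key(password: str) -> bytes:
    """Return the 8 key bytes traditional DES crypt(3) derives from a password.

    Each of the first 8 bytes contributes its low 7 bits (shifted into the
    upper 7 bits of a key byte; DES ignores the low parity bit). Shorter
    passwords are zero-padded. This models key derivation only, not the hash.
    """
    raw = password.encode("utf-8")[:MAX_CHARS].ljust(MAX_CHARS, b"\0")
    return bytes(((b & 0x7F) << 1) for b in raw)


def login_equivalent(stored: str, attempt: str) -> bool:
    """True if `attempt` would be accepted for an account set up with `stored`.

    The salt is fixed per account, so equal key bytes mean equal hashes.
    """
    return des_crypt_key(stored) == des_crypt_key(attempt)


def collision_groups(passwords):
    """Group passwords that the scheme cannot tell apart."""
    groups = defaultdict(list)
    for pw in passwords:
        groups[des_crypt_key(pw)].append(pw)
    return [g for g in groups.values() if len(g) > 1]


def effective_bits(password: str) -> int:
    """Upper bound on key bits the password contributes (7 per used byte)."""
    return 7 * min(len(password.encode("utf-8")), MAX_CHARS)


if __name__ == "__main__":
    # Constructed sample passwords, not taken from the leaked data.
    sample = ["correcthorse", "correcthorsebatterystaple", "correcth",
              "Tr0ub4dor&3", "Tr0ub4do", "hunter2"]
    for group in collision_groups(sample):
        print("indistinguishable:", group)
    print(effective_bits("correcthorsebatterystaple"), "bits at most")
```

A long passphrase and its first 8 characters fall into the same group, which is why extra length bought users nothing under this scheme.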
A rough analysis of the passwords cracked is pretty horrifying. Some gems:
- 2000 passwords were ‘password’
- 150,000 passwords consisted of all lowercase letters
- 3000 passwords were ‘123456’
- Nick Denton had a password consisting of all numbers
If you’ve ever made a comment on any of the Gawker sites then your information has likely been compromised as a result of this breach. Also, because of clowns using the same password on multiple sites, there are reports of a number of Twitter accounts and accounts on other social media sites being compromised as well.
Don’t use the same password for everything. This can’t be stressed enough. Use a different password, or a variation of the same password.
Slate has rigged up a little widget on their site that claims to check email addresses against the compromised database to see if you’re a victim.
Find it here http://www.slate.com/id/2277768/