Gawker Hacked: User Passwords Leaked
Gawker Media operates a series of popular blogs including Gizmodo, Lifehacker, Kotaku and Jalopnik. They recently suffered a security breach that (potentially) has exposed the passwords of all of the commenter accounts on their sites – all 1.25 million of them.
Hackers gained root-level access to Gawker’s servers and were able to obtain a copy of the database that stored Gawker’s user information. This information included the domain associated with the account, the email address and an encrypted version of the password.
However, the encryption method used was weak, which allowed the hackers to reverse engineer around 188,000 of the passwords. Although the majority of the passwords are therefore safe, those who have a habit of reusing passwords for other sites and services are highly encouraged to change them as soon as possible.
The breach is being blamed for a Twitter spam attack; accounts are being hijacked for the purpose of spamming out tweets about “acai berry”.
Webmasters are especially vulnerable. The leak of domain and password information means that any webmasters who reuse passwords are an easy target. As such, it is worth taking a few moments to ensure that your site and hosting account are secure – do you follow good password practices?
First, the Bad News
Well over one million Gawker accounts have been leaked and, due to their poor security protocols, many of the passwords can be reverse-engineered.
Anyone who registered for any of Gawker’s sites using a password that they’ve also used elsewhere is at risk. That risk is magnified further if the password is one that can be easily guessed either by a dictionary attack or similar method.
There are literal national security issues related to this leak. It is crucial that webmasters, as well as all users of Gawker, treat it with the appropriate amount of urgency.
If you’re on the list, you should change all passwords that might have been shared. Unfortunately, if you forgot your password, there is no way to retrieve it (only request a new one) so you may want to take the opportunity to remove all shared passwords from your list of sites and services.
However, despite the seriousness of the hack, it’s likely that only a relatively small number of people will be affected; those who followed good password practices will be safe.
Now, The Good News
As bad as the leak is, the good news is that it takes a combination of serious missteps with password security for one to be at risk:
- Password Reuse: Since the Gawker account itself isn’t terribly valuable (it is only a commenting account after all), the password only becomes valuable if it has been reused for more important accounts.
- Weak Passwords: The only method for decrypting the passwords is to guess candidate words and check them, so only weak passwords are vulnerable. Potentially, better passwords could be ‘brute forced’, but with over 1 million targets and so many weaker passwords ripe for the picking, it’s unlikely that much time will be spent on the tougher nuts.
- No OAuth: Those who connected to Gawker via either their Twitter or their Facebook accounts are safe. Their passwords were never exposed due to the use of non-password login. In short, there is nothing to expose.
So, while the hack and leak are very serious, the actual number of affected users will only be a small fraction of the total accounts leaked. In fact, that fewer than a sixth of the accounts have had their passwords cracked at all is a sign that the impact, though large, won’t be as big as it could have been.
What You Need to Do
If your password was compromised and you think there is a chance that you used a password you’ve reused elsewhere, you need to change those passwords as soon as possible. This includes your FTP, cPanel, support account, billing and other hosting passwords.
Why not think of this as an excellent opportunity to revamp the way you approach passwords and bring all of your logins up to code? If you haven’t done so, consider getting a system such as LastPass to help manage your passwords and set about changing all of your logins to unique, secure passwords.
To ensure that you don’t have to clean up a mess like Gawker’s, make sure that your server follows security best practices and that your CMS stores passwords securely (ideally using MD5 along with a salt), especially if you allow users to create accounts.
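The two defences the article keeps returning to are rejecting weak, dictionary-style passwords and storing each password as a salted hash. As an added example (not code from the article, and not anything Gawker ran), here is a small Python registration and login helper that does both. It swaps the article’s suggested MD5 for PBKDF2-HMAC-SHA256 with a deliberately high iteration count, because MD5 is fast and that speed is exactly what makes guessing cheap; the iteration count, the stored-record format and the list of common passwords are assumptions made for this example. An unsalted MD5 function is included only to show why the salt matters.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Example parameters (assumptions for this demonstration, not from the article).
HASH_ALGO = "sha256"
PBKDF2_ITERATIONS = 200_000   # slows each guess; raise as hardware gets faster
SALT_BYTES = 16
MIN_LENGTH = 10

# Constructed list of common passwords to reject at registration.
# A real deployment would load a much larger breach-derived list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "gawker"}


def is_weak_password(password: str) -> bool:
    """True if the password is short or appears in the common-password list."""
    if len(password) < MIN_LENGTH:
        return True
    return password.lower() in COMMON_PASSWORDS


def unsalted_md5(password: str) -> str:
    """Fast, deterministic hash: two users with the same password get the same
    record, so one cracked hash exposes every account sharing that password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scheme$iterations$salt$digest (base64)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)          # fresh random salt per user
    digest = hashlib.pbkdf2_hmac(
        HASH_ALGO, password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return "pbkdf2_{}${}${}${}".format(
        HASH_ALGO,
        PBKDF2_ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_b64, digest_b64 = stored.split("$")
        algo = scheme[len("pbkdf2_"):] if scheme.startswith("pbkdf2_") else ""
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        rounds = int(iterations)
    except (ValueError, TypeError):
        return False                           # malformed record never verifies
    if not algo:
        return False
    candidate = hashlib.pbkdf2_hmac(algo, password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, expected)


def register_password(password: str) -> str:
    """Registration path: refuse weak passwords, otherwise return the record
    that the CMS should store instead of the password itself."""
    if is_weak_password(password):
        raise ValueError("password is too short or too common")
    return hash_password(password)


if __name__ == "__main__":
    record = register_password("correct-horse-battery")
    print(record)
    print("login ok:", verify_password("correct-horse-battery", record))
    print("wrong password:", verify_password("wrong-password-here", record))
    # Same password, two different records thanks to the per-user salt:
    print(hash_password("same-secret-phrase") != hash_password("same-secret-phrase"))
```

Because the salt is stored next to the digest, verification needs no secret beyond the password itself, yet two users who chose the same password end up with different records, so a leaked table cannot be cracked in bulk with one precomputed list. The constant-time comparison avoids leaking how many leading bytes of a guess matched.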
Though these steps may be fairly basic, they were not applied by Gawker in this case and that is why this particular breach has become such a catastrophe.
The main lesson that should be gleaned from the Gawker leak is the importance of proper password generation and management. Secure passwords and passwords that weren’t shared are not vulnerable and those who followed the best practices with passwords are safe.
As scary as this leak is, those who were smart about their passwords should sleep well tonight. However, those who followed poor practices (or in my case followed them in the past) may want to make some changes.
Rather than look at this as a disaster or a serious problem, it’s an opportunity and an excuse to fix past mistakes and start fresh, making sure that all your passwords are up to code so the next time something like this happens (and it will), there won’t be any need to lose sleep.