Our user databases appear to have been compromised. The passwords were encrypted. But simple ones may be vulnerable to a brute-force attack. You should change your Gawker password and your password on any other sites on which you’ve used the same passwords.
We’re deeply embarrassed by this breach. We should not be in the position of relying on the goodwill of the hackers who identified the weakness in our systems. And, yes, the irony is not lost on us. For tips on creating strong passwords, see this post on Lifehacker.
Matt Brian at The Next Web:
As we reported earlier, it appeared that the Gawker Media organization’s social media accounts (namely Twitter) had been compromised. While Twitter specifically appears to have been fixed, there’s more to the story. We have been in touch, personally, with a member of the party responsible for the attack and it appears that the compromised information goes far beyond just a simple Twitter account.
From the information we have been provided, it appears that some of the base infrastructure of the Gawker Media organization has landed in the hands of people completely unrelated to the site or business itself. Though we were initially under the impression that it was the 4chan-founded group Anonymous, we have since been told, via email, that the responsible party has no affiliation with Anonymous or others. In fact, here’s what we’ve seen, in whole:
It has come to our attention that you are reporting about gawker.com being hacked by Anonymous and Operation Payback in the war against the WikiLeaks drama that is currently taking place. While we feel for WikiLeaks’ plight, and encourage everyone to donate and mirror the site, we are not related to Operation Payback or engaged in their activities. We have compromised all their email accounts and databases, and a significant portion of the passwords have been unhashed into plaintext.
To prove the validity of our claims, here is a sample of the database: [redacted]
While we were, of course, skeptical of the information, the claims were potentially huge. That said, we did ask for proof and proof was provided via screenshots of information that would typically only be available to a site administrator or owner. For example, here is a screenshot from the Campfire chat program that Gawker uses to communicate in real-time:
Interestingly, it appears that while 4chan wasn’t responsible for the breach of security, the data did end up on the site as evidenced by a later Campfire screenshot below:
Leslie Horn at PC World:
The database is home to about 1.5 million usernames, emails, and passwords. Gawker originally denied that there had been a breach.
“No evidence to suggest any Gawker Media’s user accounts were compromised, and passwords encrypted anyway,” tweeted Gawker editorial director Scott Kidder.
However, Kidder eventually confirmed the hack.
Colby Hall at Mediaite:
Over the last 24 hours Gawker Media’s network of sites have been under attack from a group who have identified themselves as “Gnosis,” a seemingly mysterious collective of hackers who has been falsely considered part of the 4chan-related group of renegade vigilantes known as Anonymous. Via several private email exchanges with Mediaite, an individual claiming to represent “Gnosis” has explained both the reasoning and methodology of his actions, which has led to a compromised commenter database and a content management system.
First and foremost, it appears that new Gawker Media passwords are secure, not available to the individual claiming responsibility for the security breach, at least according to Gnosis. As Mediaite reported earlier, when asked why Gawker was being subjected to a cyber-attack, Gnosis cited “arrogance” from management and staff with regard to the hacker community:
We went after Gawker because of their outright arrogance. It took us a few hours to find a way to dump all their source code and a bit longer to find a way into their database.
We found an interesting quote in their Campfire logs:
Hamilton N.: Nick Denton Says Bring It On 4Chan, Right to My Home Address (After
Ryan T.: We Are Not Scared of 4chan Here at 210 Elizabeth St NY NY 10012
I mean if you say things like that, and attack sites like 4chan (which we are not affiliated with) you must at least have the means to back yourself up. We considered what action we would take, and decided that the Gawkmedia “empire” needs to be brought down a peg or two. Our group’s mission? We don’t have one.
We will be releasing the full source code dump along with the database at 9PM GMT today. You are the only outlet we have told the release time.
When asked about further explanation about the specific attacks, Gnosis explained:
We cannot provide any more information as to how the attack was carried out, because this could be used against us.
We have been cracking the database for about 17 hours and have managed to retrieve 273,789 passwords. If our release schedule wasn’t so tight we could get 500,000+. Included in the dump are passwords linked to accounts from NASA, about every .gov domain you could imagine and hundreds from banks. One can only pray that they do not use the same password everywhere. The actual database size is 1,247,897 rows, which is 80+% of their database.
(Private data redacted)
We have had access to all of their emails for a long time as well as most of their infrastructure powering the site. Gawkmedia has possibly the worst security I have ever seen. It is scary how poor it is. Their servers run horribly outdated kernel versions, their site is filled with numerous exploitable code and their database is publicly accessible.
We will be releasing the full source code to their site as well as the full database dump later today or tomorrow, when we get enough press to stir up the release. We will also be releasing a text file describing Gawker’s numerous security failings.
Adding later in a follow up email:
The database is for the media more than anything. Releasing the source code to a site is all very well and will cause a splash, but only niche users will be interested in viewing it and sharing it, because the average joe won’t really care about Gawker’s (rather interesting) PHP framework. However if we release the source with 1,300,000 emails and with a portion of them cracked it will (we hope) cause a bigger stir.
On an interesting side note there are 2650 users in the database using the password “password” or “querty”. Of these users one is registered under a .gov email address, 3 are from a .mil address and 52 are from .edu addresses.
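A way to quantify the exposure the Mediaite excerpt describes (accounts whose password is “password” or “querty”, broken down by email domain), as an added example that is not part of the original reporting: it assumes a constructed user table with salted SHA-256 hashes, since the page does not state how Gawker actually stored passwords, and the sample records and deny list are constructed here.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed deny list. The page names only "password" and "querty" (as
# printed); "123456" is an added sample entry, not from the page.
COMMON_PASSWORDS = ["password", "querty", "123456"]


def hash_password(password: str, salt: bytes) -> str:
    # Assumed storage scheme for the constructed records: salted SHA-256.
    # This is illustrative; the page does not describe Gawker's real scheme.
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def make_record(email: str, password: str) -> dict:
    salt = os.urandom(8)
    return {"email": email, "salt": salt, "hash": hash_password(password, salt)}


# Constructed sample user table (fictional addresses, not real data).
SAMPLE_USERS = [
    make_record("alice@example.gov", "password"),
    make_record("bob@example.mil", "querty"),
    make_record("carol@example.edu", "password"),
    make_record("dave@example.edu", "correct horse battery staple"),
    make_record("erin@example.com", "123456"),
]


def audit_common_passwords(users, deny_list=COMMON_PASSWORDS):
    """Count accounts whose stored hash matches a deny-listed password under
    that account's own salt. Returns (total_weak, Counter keyed by email TLD),
    which is the breakdown the excerpt gives for .gov/.mil/.edu users."""
    weak_by_domain = Counter()
    total_weak = 0
    for user in users:
        for candidate in deny_list:
            # Re-derive the hash with the user's salt and compare in constant time.
            if hmac.compare_digest(hash_password(candidate, user["salt"]), user["hash"]):
                total_weak += 1
                tld = "." + user["email"].rsplit(".", 1)[-1].lower()
                weak_by_domain[tld] += 1
                break  # one match per account is enough; stop at first hit
    return total_weak, weak_by_domain


if __name__ == "__main__":
    total, by_domain = audit_common_passwords(SAMPLE_USERS)
    print(f"{total} accounts use a deny-listed password: {dict(by_domain)}")
```

With a slow, salted KDF in place of plain SHA-256 this audit stays cheap for a handful of deny-listed words, while an exhaustive guess of every "simple" password becomes far more costly; that difference is the protection the breach notice says simple passwords lacked.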
Pascal-Emmanuel Gobry at Business Insider:
This is pretty embarrassing for them, as they’re usually the ones who expose and/or castigate others for security breaches. Gawker has often taunted 4chan, the online community which is often the source of hacking exploits (and has in the past attacked Gawker with denial of service attacks, which only make the site unusable for a little while). But the hacker responsible says he’s not connected to 4chan, or Operation Payback, the WikiLeaks-defending hackers, for that matter.
Gawker recommends changing the password you used to comment, and on any other sites where you used that password to register, as well as your email password.
The hacker says he took aim at Gawker for its “outright arrogance” — and, we would guess, because it’s a pretty good ploy for attention.
More Matt Brian at The Next Web