X

What you need to know about the Gawker breach (FAQ)

Here's the skinny on what happened at Gawker, what to do if you might be affected, and what you should do to protect yourself when using any Web site.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
Elinor Mills
4 min read

This weekend's breach of Gawker has readers of the blogging empire's Web sites scrambling to see if their e-mail addresses have been publicly exposed, but even people who don't use the site can learn lessons from what happened.

What happened?
The Web site and back-end database of Gawker was published on the Pirate Bay Bit Torrent site on Sunday. It included Gawker source code, information about a possible site redesign, instant messages between employees, and about 1.3 million user account passwords, usernames, and e-mail addresses. While they were encrypted using DES (Data Encryption Standard), simple passwords may be vulnerable to a brute force attack.

Jon Oberheide, chief technology officer at Duo security, used a tool called John the Ripper on the passwords and wrote a blog post about some interesting patterns he found. "Attackers will undoubtedly be testing the cracked passwords against both personal and corporate services such as e-mail accounts, online banking sites, VPN remote access logins," he wrote.

Who was affected?
Anybody who registered with any of Gawker's sites--Gawker, Gizmodo, Jezebel, Lifehacker, io9, Jalopnik, Kotaku, Deadspin and Fleshbot--is at risk, unless they logged in using Facebook Connect, according to an FAQ on Lifehacker. The exposed data includes a bunch of e-mail addresses of workers at federal, state, and local government agencies, that PBS Newshour reports appear to have been separated out for possible future attacks.

How do I find out if my personal information is in the data file?
Anyone can download the 500MB file to look for their e-mail address in clear text, but it will take bandwidth and time. HD Moore, chief security officer of Rapid7, created a way for people to easily check to see if their information was compromised. He did this by creating hashes, or unique values, for each of the e-mail addresses to protect the privacy but allow people to easily see if their information is in the list. First, you need to create a cryptographic hash of your e-mail address and enter it as lowercase here. Then search for that hash here by clicking on "show options" and setting the condition to MD5 = YourHash and click "apply." If you find an entry in the table that matches your MD5 hash, then your Gawker account has been breached. More information is on the Rapid7 blog.

Another Web site created to check if your information is on the Gawker list by typing in your username and/or e-mail address is called GawkerCheck.com.

Deciding that Gawker posting warnings about the breach on its sites wasn't adequate notice, some people on the Hacker News site began contacting e-mail addresses on the list themselves, according to the Media Mob blog.

What should I do now if my password was among those in the file?
If you used that same password on any other sites you should immediately change it there. Experts recommend not changing the password on the Gawker site until administrators there have completely fixed the security issues.

I don't use that site so I'm safe, right?
You might be safe from having your information exposed in this particular attack, but these types of breaches happen every day so you should be careful what passwords you choose and follow some basic precautions. For instance, don't use the same password at multiple sites. Create a unique password for every site you log into. That way your other accounts won't be impacted. This may have already posed a problem for some Gawker users. A Twitter representative attributed spamming on Twitter on Sunday to people having the same password for both sites.

It's very important to choose strong passwords. Passphrases, sequences of words, or other text are harder to crack than passwords because they are longer. Mixing in uppercase and lowercase letters, and using numbers and symbols, greatly increases the strength of the password or passphrase. More tips for choosing strong passwords can be found here. Information about password managers is here. And you can test the strength of a potential password at this Microsoft Web site.

Who did this?
A group calling itself "Gnosis" appears to be behind the attack. The name could refer to an operating system from the 1970s from a company called Tymshare or to the dictionary definition pertaining to knowledge of spiritual matters. There isn't much information available about the group.

Why was Gawker targeted?
Gawker said in July that it was targeted in a denial-of-service attack by people associated with the 4chan message board after reporting that the group had harassed an 11-year-old girl. Although the Gnosis group said in the file it uploaded to the Internet that it is not 4chan, it praised 4chan, as well as Anonymous, a loose group of WikiLeaks supporters who have been orchestrating denial-of-service attacks on Visa, PayPal and others who have cut off the whistleblower project. Among the information released by the group were what appeared to be instant message chats between Gawker employees discussing 4chan. In the messages the participants are suggesting possible headlines such as "Suck on This, 4Chan," "Nick Denton (Gawker founder) Says Bring It On 4Chan, Right to My Home Address (After The Jump) and "We Are Not Scared of 4chan Here at 210 Elizabeth St NYNY 10012."

"We went after Gawker because of their outright arrogance," a source claiming to be from Gnosis told blog Mediaite "We have had access to all of their emails for a long time as well as most of their infrastructure powering the site. Gawkmedia has possibly the worst security I have ever seen. It is scary how poor it is. Their servers run horribly outdated kernel versions, their site is filled with numerous exploitable code and their database is publicly accessible."

Asked for comment via e-mail, Denton replied: "We're saving our responses for commenters, who are the people directly affected, after all. You can find some of mine in http://gawker.com/tag/crosstalk."

Forbes has a fascinating article filled with details on how the attack was done that every Web site owner should read.