
Kotaku and Gawker Media hacked


If you’ve ever registered an account at Kotaku, or any Gawker media site—which would include Lifehacker, Gizmodo, and Gawker—your email address, username, and password are probably now in the hands of at least 500 people whom you’ve never met and probably never will. And they’re not people authorized to have that data.

A group identifying itself as “#Gnosis” gained access to all of Gawker’s assets, including its entire user database, internal sites, confidential login information for restricted media access sites, and logins and data for external resources Gawker Media used. They then engaged in a campaign of harassment over several days while copying a very inadequately secured MySQL database containing over 1.3 million users from all of Gawker Media’s sites. They packaged this up and shipped it off to nobody knows where, in addition to putting up a torrent—currently with over 300 seeds.

Gawker has issued a public apology and recommended that all users immediately change their passwords on all of its sites—though a single change covers all of them. If you use the same login information on any other site, those accounts are compromised as well.

Unfortunately, the majority of the claims do appear to be true, and anyone with a remotely modern computer can easily crack your password: Gawker elected to use obsolete DES-based password hashing, which only looks at the first 8 characters of a password and discards the rest. Gawker’s code for handling users and passwords did not take enough precautions, and “#Gnosis” almost certainly got in through some known vulnerability that Gawker or its host had missed.
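As an added example, not code from the article, from Gawker or from #Gnosis: a check of the 8-character truncation the article describes, using Python's classic crypt(3) binding where a platform still provides it, followed by the detection and transparent-rehash logic a site in Gawker's position needs to retire DES-crypt hashes in favour of PBKDF2. The 13-character sample hash, the "ab" salt and the PBKDF2 storage format are constructed for the example.

```python
import hashlib
import hmac
import re
import secrets

try:  # classic crypt(3) binding: deprecated in Python 3.11, removed in 3.13
    import crypt
except ImportError:
    crypt = None

# Traditional DES crypt output is exactly 13 chars from [./0-9A-Za-z]: a 2-char salt + 11 hash chars.
_DES_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
PBKDF2_ROUNDS = 600_000  # work factor for PBKDF2-HMAC-SHA256

def is_legacy_des_hash(stored: str) -> bool:
    """True if a stored hash has the traditional DES-crypt shape (no "$id$" prefix)."""
    return bool(_DES_CRYPT_RE.match(stored))

def _des_crypt(password: str, salt: str) -> str:
    """DES crypt(3) of password, or "" when this platform lacks or has disabled DES."""
    if crypt is None:
        return ""
    try:
        out = crypt.crypt(password, salt) or ""
    except (OSError, ValueError):
        return ""
    return out if is_legacy_des_hash(out) else ""  # libxcrypt may answer "*0"

def des_crypt_truncates(password: str, salt: str = "ab"):
    """True if DES crypt hashes password and its first 8 chars identically; None if untestable."""
    full = _des_crypt(password, salt)
    return (full == _des_crypt(password[:8], salt)) if full else None

def hash_pbkdf2(password: str) -> str:
    """Replacement: salted PBKDF2-HMAC-SHA256 over the entire password, not a prefix."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${dk.hex()}"

def verify_pbkdf2(password: str, stored: str) -> bool:
    _, rounds, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)

def check_login(password: str, stored: str):
    """Verify against either format; returns (ok, hash_to_store). A legacy hash that
    verified comes back as a fresh PBKDF2 hash, upgrading the record on successful login."""
    if is_legacy_des_hash(stored):
        ok = hmac.compare_digest(_des_crypt(password, stored[:2]), stored)
        return ok, (hash_pbkdf2(password) if ok else stored)
    return verify_pbkdf2(password, stored), stored
```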

The group also released a document taunting and mocking Gawker. It is rife with spelling, grammatical and gross technical errors, as well as the juvenile humor, obscenities, and slurs favored by Anonymous and the self-described /b/tards, who are specifically greeted in it.

Comments

  1. BuddyJ: This doesn't just apply to Kotaku, Gawker and Lifehacker. Their full list of haxed sites is:

    * Gawker.com - New York City media and gossip
    * Gizmodo - Gadgets and technology
    * Kotaku - Video games
    * Jalopnik - Cars and automotive culture
    * Lifehacker - Productivity tips
    * Deadspin - Sports
    * Jezebel - Celebrity, Sex, Fashion for women
    * io9 - Science fiction
    * Fleshbot - Porn
    * Gawker.tv
    * Cityfile
    * Valleywag - San Francisco and Silicon Valley gossip
    * Gawker Artists - Contemporary/Rising Art Registry
    * Defamer - Hollywood news and gossip
    * Sploid - News, Games/Tech
  2. Thrax
  3. BuddyJ: Thanks! That's what I was looking for. I got hit, but I think all my passwords are changed and strongly typed.
  4. Thrax: I got hit, too, but on an old email address with a password I know I haven't used in years. I'm good.
  5. Thrax
  6. MiracleManS: I can say for certain I never used any of those sites. Yay me?

    As a side note, talk about bad security practices. Sheesh.
  7. Cliff_Forster: While all our cyber crime experts are trying to figure out how to put an end to pirates on bit torrent....
  8. Bradley: It's all over Reddit and torrents... pretty sure more than 500 ppl have it. Maybe 5000+. I wish someone could have also gotten the CMS running on a test server just for the fun of it.
  9. pseudonym:
    > While all our cyber crime experts are trying to figure out how to put an end to pirates on bit torrent....

    Goooooooo Money!

    Beyond that, Gawker had a huge ego about this sort of thing, and they paid for it.
  10. the_technocrat: Over 9000 people have this information now.
  11. ardichoke: Cool story Bradro
  12. Bandrik: Epic facepalm, Gawker. Way to go. You win a nomination for the 2010 Digital Security Derp Award. Using encryption designed back in the '70s? Wow.

    Also, a slight chuckle was the Spaceballs reference from the article...
    > 1,958 Gawker users’ password was ‘password’. We haven’t finished analyzing the file to determine how many users had 1-2-3-4-5, the combination on my luggage.
  13. Kwitko: Gawker's too big and awesome to let a little thing like outdated encryption ruin their day (and the day of 1.6 million of their peasant friends).

    As shitty as this sounds, it couldn't have happened to a better organization.
  14. Linc: McDonald's and DeviantArt have also been compromised, though I hear it's just data, not passwords. Not everyone sucks at password hashing as badly as Gawker.
  15. Bandrik: Oh noes not my DeviantArt! Where else would I go for all my animevideogamecrossoverfanficcomics if they get compromised and all disappear?!
  16. Cliff_Forster: Terrible security and all, isn't it kind of like saying, she had it coming because she wore a short skirt and too much lipstick?

    The problem is that cyber criminals rarely get caught, and when they do get punished the geek media glorifies the hackers as counter-culture anti-heroes. Bottom line is that these guys are criminals and there needs to be a real effort to go after them and prosecute.

    Let's say someone hacks Icrontic, I'm not going to look at Prime and Lincoln and say, well you guys should have done better, I am going to say, how do we find the guys that did this and hold them accountable? If it happened, who would you even call? What would you even do? Is there even a legal playbook to follow to get these guys? These are the questions for the digital world we live in.
  17. ardichoke:
    > I am going to say, how do we find the guys that did this and hold them accountable?

    If they're any good, you can't and you don't.

    > If it happened, who would you even call?

    Nobody. Law enforcement doesn't take these kinds of hacks seriously unless serious personal information (read: SSN, credit card info, etc.) is leaked. In that case it's usually the company storing the information insecurely that is punished (and rightly so). Sure, punishing the hacker would be great, but if they're any good they erased their footprints. Hacks are stunningly easy to cover up, and there are laws about how securely you must store sensitive personal information.

    > What would you even do? Is there even a legal playbook to follow to get these guys? These are the questions for the digital world we live in.

    Restore from backups if anything was defaced, fix your security, move on with your life.

    There is no legal playbook; as I said before, law enforcement doesn't take this kind of hack seriously (nor should they, imho; if they did it would bog down law enforcement painfully).

    I don't think you realize how many sites are hacked every day, Cliff. If law enforcement had to take every one of them seriously, we would need orders of magnitude more law enforcement. It would be a serious burden on the system. This is a case of "oh noes, a site leaked passwords". Get over it. If you're using good login practices (specifically, not using the same PW for every site) then you have nothing to worry about. If they had leaked SSNs, CC #s or something like that, this would be cause for serious concern (and serious lawsuits filed against them for lax security). It's not.
  18. Linc:
    > Let's say someone hacks Icrontic, I'm not going to look at Prime and Lincoln and say, well you guys should have done better

    It's funny you say that, because Icrontic was hacked in 2003 and a quarter million forum posts were lost because of bad backups.

    Notice I say "because of bad backups" and not "because some punk hackers nuked our server"? That's the reality we live in daily as website owners. If you don't have strong security practices and backups, you're a few clicks away from owning nothing.
  19. primesuspect:
    > ardichoke wrote:
    > Nobody. Law enforcement doesn't take these kinds of hacks seriously unless serious personal information (read: SSN, credit card info, etc.) is leaked.

    I'm going to refute this with very, very first-hand experience.

    If you know your Icrontic and Short-Media history, you'll know that we were the victims of a minor defacement (a combination of script-kiddie BS and social engineering failures). Our server was in Southfield, MI, and the Southfield Police took it VERY seriously. The detective that was assigned to our case was a hardass, and contacted the jurisdiction where the perp lived. He said he'd go all the way with us, even extradition if it came to that.

    Point being: it doesn't have to be a "major" hack; if the law is broken, the police have an obligation to take it seriously.
  20. Linc: So there's two sides to this coin, and we've seen both. :D
  21. primesuspect: lol @ Lincoln and I typing furiously three feet away from each other, answering different posts.
  22. ardichoke: Okay, from what we've seen it's RARE for law enforcement to care about some script kiddie exploiting a site.... and given the number of hacks that we see and the fact that the vast majority of them are due to poor security, bad passwords, out-of-date software or other webmaster stupidity, I can't say that I blame them.

    > Terrible security and all, isn't it kind of like saying, she had it coming because she wore a short skirt and too much lipstick?

    Because I feel like digging on Cliff some more: no, it's more like Paris Hilton walking, nude, into the middle of a prison riot shouting "GEE, I HOPE I DON'T GET RAPED".
  23. Bandrik:
    > ardichoke wrote:
    > It's more like Paris Hilton walking, nude, into the middle of a prison riot shouting "GEE, I HOPE I DON'T GET RAPED".

    Main problem with that argument is that you can't rape the willing. =P
