Gawker Media is under siege at the moment, fighting off a group of attackers who have been able to compromise the entire database of Gawker Media’s web properties.
Sensitive information has been exposed, including staff conversations, the private passwords staff use within the network, and the passwords of people who have registered to comment.
All of the above information has been released by Gnosis, a group that seemingly wanted to put Gawker back in its place, in a 500MB torrent file currently residing on the popular torrent tracker ThePirateBay.
Inside the torrent file lies a file entitled Readme.txt. This file is potentially the most sensitive of them all, for it holds the usernames and passwords used by the entire Gawker staff, focusing particularly on Gawker’s founder Nick Denton.
The usernames and passwords to Denton’s Google Apps, Twitter and Campfire accounts are all listed; Denton uses the same password for them all.

The attackers then go on to list a number of different usernames and passwords of Gawker authors, commenting only to mention the ease with which they were revealed.
Gawker Media uses Campfire as their backchannel to discuss site operations and potential stories. The attackers managed to unearth 4GB of data from the Campfire logs, unveiling seven FTP usernames and passwords set up by a number of different gaming companies.
Details are provided on how to access Gawker’s gaming website Kotaku: the FTP server, the username and password, and the steps for accessing the server and the data stored on it.
Back in November, a co-worker told Denton that he had been spotted logged in to the Campfire backend; it was not him. Instead of safeguarding his credentials, Denton was convinced by other staff members that it was his own fault and didn’t change his passwords, something he may later regret.
Then it gets even more interesting.
We speculated that the Gawker attacks could be associated with a previous feud between Gawker and 4Chan, where Ryan Tate and other Gawker staff called out 4Chan publicly on the site. This is confirmed when the attackers post up staff conversations relating to the feud, laughing off 4Chan’s so-called attacks and discussing ways they can antagonise 4Chan users even further.
It reads as follows:
Brian M.
The headline of your post should be “Suck on This, 4Chan”
Maureen O.
I like the call to make today Everybody Write About 4chan Day
Hamilton N.
Nick Denton Says Bring It On 4Chan, Right to My Home Address (After The Jump)
Ryan T.
We Are Not Scared of 4chan Here at 210 Elizabeth St NY NY 10012
Richard L.
don’t forget Fourth Floor
Ryan T.
Right! And Brian’s headcut illustration
Ryan T.
As the lead image
Brian M.
Oh, 4Chan does not want to mess with me once I wind my neck up at them
Brian M.
#giirrrrrrlllllllll
Maureen O.
hey guess what, 4chan has already declared gawker the winner of the 4chan war! we won!
Richard L.
VICTORY
Richard L.
what’d they say?
Jim N.
USA! USA!
Richard L.
MR. OBAMA, TEAR DOWN THAT MOSQUE!
Maureen O.
they say that this day will go down in history as the day 4chan failed.
Richard L.
that’s terrific.
And here we are today, a retaliation, so it seems.
The rest of the file goes on to list numerous different MySQL databases, security credentials and examples of user accounts compromised in the process. Users that registered on Gizmodo, Lifehacker and Kotaku have found their accounts posted to the file.
Gnosis, the team behind the attacks, pause to show just how many users use “password” in their login details: at a rough count, over 2700 records share the same password.
It’s a clear show of strength on Gnosis’ part, who have actually distanced themselves from 4chan in email exchanges between the team and us here at The Next Web.
We have been told that there are still things to come and that Gnosis aren’t finished yet.
UPDATE: If you’re worried about whether your Gawker user password has been compromised or not, the company’s Lifehacker blog has published an FAQ on the issue. Essentially, if you logged in to comment on Gawker, Gizmodo, Jalopnik, Jezebel, Kotaku, Lifehacker, Deadspin, io9, or Fleshbot you need to change the password for both your Gawker account and anywhere else you use that password.
Gawker says it is working on an ‘Account Delete’ tool, which will be available soon. The only exception to all this is if you logged in via Facebook Connect, in which case you’ll be safe.
Update 2: Worried that Gawker wasn’t quick enough to warn its users of the data breach by email, members of the popular Hacker News website have combined to draft an email warning 200,000 Gawker users about the data breach. If you receive this email, it is a one-off email designed purely to warn you about the breach and get you to change your password.
If you used Facebook to connect, you should be fine.
However, if you connected your Twitter account to Gawker, it is possible that some accounts are sending “Acai Berry” tweets without their owners’ consent.
The attack, first reported as a ‘worm’ by Mashable, may actually, it appears, be related to this weekend’s hacking of Gawker Media’s database. @Delbius, leader of Twitter’s Trust and Safety team, says: “Got a Gawker acct that shares a PW w/your Twitter acct? Change your Twitter PW. A current attack appears to be due to the Gawker compromise.”
If true (and you’d expect Twitter staff to be in a good position to judge such things) it’s likely to have affected anyone with the same password and email address for their Gawker and Twitter accounts. If you fit that bill, we recommend you change passwords on both accounts immediately.


















Is it known what date the data is as of?
@Dain Binder literally till today
Is there a list of user names that have been compromised? Without having to download the whole torrent file I mean?
@Bradley Farless yep here you go: http://www.google.com/fusiontables/DataSource?dsrcid=350662
@Zee Crazy relief when I didn’t come up on there. Guess since I had created the account but rarely if ever logged in.
@Brett Theriault @Zee Remember to check to see if you have an upper/lower case variation of your email address on there. It does change the MD5 a little.
The torrent circulating the net has all usernames and email addresses in plain text; it’s also not just the 200K circulating but it appears to be everyone. A crappy side effect of this would be that I expect spammers to get a hold of this and start sending like crazy since they have 1+ million email addresses.
@Jeremy L Does it have the passwords too?
Ok my Gizmodo password is the one I use on all those miscellaneous blogs. Doesn’t matter if someone cracks it..Good on them..
It makes sense that Gnosis would deliberately distance itself from 4chan, because Gawker getting hacked by 4chan is what Denton has been daring them to do for months. Getting hacked by some second-string nobodies, well, that’s gotta hurt. Note that it’d be a smart move on 4chan’s part to get someone else to do the attack, for just this reason (and because Gawker staff are, as is obvious from the transcripts, already reading 4chan looking for such announcements).
@raincoaster I get that being hacked by “second string nobodies” would sting more than being hacked by 4chan, but wouldn’t 4chan still want to take credit? And aren’t 4chan attacks generally public knowledge preceded by a call-to-arms before the attacks? Dunno, doesn’t strike me as a 4chan thing.
@raincoaster I think that Gnosis and Anonymous have different priorities and want to keep them separate. Gnosis have contacted me to say that although they aren’t 4chan’ers they were part of Anonymous at one time.
@raincoaster Gnosis is primarily made up of OG Anon (pre Clambake)
How can I use that link on Google that Bradley gave? It only gives domain names, not user names, so what’s the use of it?
@Olympe The instructions are in one of the cells towards the right hand side. You need to convert your email address into an MD5 hash and then search the complete spreadsheet to see if it is listed.
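The lookup described in the comments above (hash your email address with MD5 and search the published list, bearing in mind that a different capitalisation gives a different hash), as an added example that is not part of the original article or its comments. The function names and the sample list are made up for illustration; the list is built from invented addresses so the code runs offline.

```python
import hashlib

def md5_hex(text: str) -> str:
    """MD5 of the UTF-8 bytes as lowercase hex (a lookup key, not a password hash)."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def email_variants(email: str) -> dict:
    """Case variants of one address; each distinct spelling has its own MD5."""
    typed = email.strip()
    local, _, domain = typed.partition("@")
    candidates = {
        "as typed": typed,
        "lowercase": typed.lower(),
        "uppercase": typed.upper(),
        "capitalised local part": local.capitalize() + "@" + domain.lower(),
        "lowercase domain only": local + "@" + domain.lower(),
    }
    # Keep only the first label for each distinct spelling.
    seen, unique = set(), {}
    for label, value in candidates.items():
        if value not in seen:
            seen.add(value)
            unique[label] = value
    return unique

def find_in_list(email: str, published_hashes) -> list:
    """Return (label, spelling) pairs whose MD5 appears in the published list."""
    published = {h.strip().lower() for h in published_hashes}
    return [(label, value) for label, value in email_variants(email).items()
            if md5_hex(value) in published]

# Constructed sample list: hashes of invented addresses, as a site might have stored them.
SAMPLE_LIST = {md5_hex("Jane@example.com"), md5_hex("sam@example.org")}

if __name__ == "__main__":
    for address in ("jane@example.com", " sam@example.org ", "nobody@example.net"):
        hits = find_in_list(address, SAMPLE_LIST)
        print(repr(address), "->", hits if hits else "not listed")
```

An address that is "not listed" under every variant may still have been registered with a spelling this short list of variants does not cover.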
My question is this. if I see my email listed, does it mean they have my password too? Mine consists of Upper/lowercase/symbols/numbers. I just don’t know how to tell if my password has been compromised. I’d appreciate any help.
@Michael Torres If you look into the full_db.log file that is distributed in the torrent, you’ll notice that the second field (i.e. USERNAME ::: SECONDFIELD) has two characters leading 11 other characters; if it says NULL, or has no entry, then you are ok. If you were to go to http://javascript.internet.com/passwords/unix-crypt(3)-encryption.html, place your password in the first field, click “encrypt password”, put those two letters in the “salt” box, and then click on OK, then what you should see is the same thing as what’s in the second field.
For example, there is a M???Torres listed in the file, with the first entries:
M???Torres ::: tK4cNPRgdQtrs
If M??? had used a common password, then it could hypothetically be very easy to discover that password using the procedure I mentioned above.
In fact, it appears that the people who have hacked gawker have used exactly this sort of procedure to work out the “lemons”.
There are approximately 170 people with “torres” listed as part of their username or email, and of those, only 9 seem to be “safe”.
@Michael Torres If you look into the full_db.log file that is distributed in the torrent, you’ll notice that the second field (i.e. USERNAME ::: SECONDFIELD) has two characters leading 11 other characters; if it says NULL, or has no entry, then you are ok. If you were to go to http://javascript.internet.com/passwords/unix-crypt(3)-encryption.html, place your password in the first field, click “encrypt password”, put those two letters in the “salt” box, and then click on OK, then what you should see is the same thing as what’s in the second field.
In fact, it appears that the people who have hacked gawker have used exactly this sort of procedure to work out the “lemons”. There are approximately 170 people with “torres” listed as part of their username or email, and of those, only 9 seem to be completely “safe”. 99 of the 170 have email addresses listed, but in the end, who knows how many of these accounts have easily guessed passwords.
A bigger issue is that it seems the entire site has been compromised, so it may or may not be trivial for the hackers or someone using their info to rewrite code to catch new logins as they are generated – and thus perpetuate the insecure situation.
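A sketch of how to read one record in the layout the comment above describes, added here and not taken from the article or its commenters. It assumes the second field is traditional DES-based crypt(3) output (two salt characters followed by eleven hash characters); the sample lines and function names are constructed for illustration.

```python
import re

# Traditional DES crypt(3) output: 13 characters from ./0-9A-Za-z,
# the first two being the salt and the remaining eleven the hash.
DES_CRYPT = re.compile(r"[./0-9A-Za-z]{13}")

def triage_record(line: str) -> dict:
    """Classify one 'USERNAME ::: SECONDFIELD' line."""
    user, _, field = line.partition(":::")
    user, field = user.strip(), field.strip()
    if field in ("", "NULL"):
        # No password hash was stored for this account.
        return {"user": user, "hash_stored": False, "scheme": None, "salt": None}
    if DES_CRYPT.fullmatch(field):
        return {"user": user, "hash_stored": True,
                "scheme": "des-crypt", "salt": field[:2]}
    # Something is stored, but it is not in the 2+11 character layout.
    return {"user": user, "hash_stored": True, "scheme": "unknown", "salt": None}

def significant_part(password: str) -> str:
    """Traditional crypt(3) reads only the first 8 characters of a password,
    so anything after them adds nothing to the stored hash."""
    return password[:8]

# Constructed sample lines (not real records; the 13-character value is not a real hash).
SAMPLE_LINES = [
    "alice_example ::: abCDEFGHIJKLM",
    "bob_example ::: NULL",
    "carol_example :::",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(triage_record(line))
    # A long, mixed-character password is still reduced to its first 8 characters.
    print(significant_part("Tr0ub4dor&3xtra"))
```

For the earlier question about a password made of upper and lower case, symbols and numbers: under this scheme only the strength of its first eight characters matters.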
Well, my MD5 hash did not come up in the list. That’s good. I’d be just caught in the crossfire. I’d rather stay out!
“fighting off attacks from a group of attackers”
LOL What’s left? the staff’s collected wallets!
This sounds very similar to warnings a commentator posted on one of my posts about Topix. I have conducted a year and a half investigation of Topix.com. I wrote them up here: http://open.salon.com/blog/virginia888/2010/12/02/is_topix_giving_out_users_personal_data_to_the_nsa
Just checked the torrent file, my e-mail and an encrypted password are on there. Meh, I changed that e-mail’s password and I don’t use the same password twice. It pays to be paranoid, everyone.
P.s help by leeching the life out of that torrent! Download but don’t upload, repeatedly.
I have discovered that my email address is associated with one of the compromised Gawker accounts. I have also discovered that I do not have and never have had a Gawker account. Gawker allowed someone to register using my email address without verifying that person’s right to use my email address.
As a result of Gawker’s mismanagement, I was forced to change passwords on over a hundred user accounts.
Is there any way to get the information associated with my email address without downloading the entire torrent file? I already know that my email address appears in the torrent thanks to Slate.com’s widget.
But I have not found any site that will allow me to view the information associated with my email address.
Plus, the link to the torrent file on Pirate Bay given above returns a “Not Found (aka 404)” error. The item “does not, has not, will not, might not or must not exist …”
At this point, I believe use of my email was unauthorized and Gawker failed to verify their user had the right to use my email address.
That is a serious breach of due diligence on Gawker’s part and has caused me grievous harm.