Gawker Hacked - Change your password

[NiX]

Gawker was hacked by.. Anon I guess. Doesn't matter. They leaked everyones shit here. (Gawker response.)

Change your password. Hide yo kids, hide yo wife.

[schild]

Guess I didn't have a gawker network account.

[Yegolev]

Same.  What's gawker?

[Thrawn]

What's gawker?

Also the amount of people using "password" as a password is both scary and hillarious.  But then again I don't use very complex passwords on sites that I'm not to worried if it would get stolen so I have less chance of forgetting them. 

[MahrinSkel]

Includes a lot of other sites, including Kotaku.

Gawker.com - New York City media and gossip
Gizmodo - Gadgets and technology
Kotaku - Video games
Jalopnik - Cars and automotive culture
Lifehacker - Productivity tips
Deadspin - Sports
Jezebel - Celebrity, Sex, Fashion for women
io9 - Science fiction
Fleshbot - Porn
Gawker.tv
Cityfile
Valleywag - San Francisco and Silicon Valley gossip

List by CityPages via LittleGreenFootballs.

--Dave

[angry.bob]

Anyone reading those sites deserves to have their shit hacked. lol at people who actually log in to any of those shit sites, especially the gossip ones.

[Abagadro]

Looks to me like they only grabbed those who had real obvious passwords like "password" and "qwerty" and "asdfgh" rather than being some uber elite hack.

[Tale]

Read about the extent of the Gawker hack and how poor their security is:

http://blogs.forbes.com/firewall/2010/12/13/the-lessons-of-gawkers-security-mess/

[NiX]

Looks to me like they only grabbed those who had real obvious passwords like "password" and "qwerty" and "asdfgh" rather than being some uber elite hack.

They only released the shitty ones. They have something like 1.3 million accounts dumped from the DB.

Will repeat one last time: there are torrents out there with passwords.

Three folders:
"Dumb_passwords.txt" which are, as the file says, dumb passwords (same as one listed on website above). 133kb filesize
"Parsed_db" which is a small portion/sample of the database (64,000+ accounts). 8850kb filesize
"Full_db" which is the entire database with shitloads of passwords (1.3 million accounts). A whooping 73,468kb of filesize (which is A LOT for simple text)!

Good luck!

[NiX]

Looks to me like they only grabbed those who had real obvious passwords like "password" and "qwerty" and "asdfgh" rather than being some uber elite hack.

They only released the shitty ones. They have something like 1.3 million accounts dumped from the DB.

Will repeat one last time: there are torrents out there with passwords.

Three folders:
"Dumb_passwords.txt" which are, as the file says, dumb passwords (same as one listed on website above). 133kb filesize
"Parsed_db" which is a small portion/sample of the database (64,000+ accounts). 8850kb filesize
"Full_db" which is the entire database with shitloads of passwords (1.3 million accounts). A whooping 73,468kb of filesize (which is A LOT for simple text)!

Want to check to see if you're in the huge dump?

Follow these steps:

1. http://pajhome.org.uk/crypt/md5/
2. Enter your email address under "Input", and click on "MD5". Copy the "Result".
3. http://www.google.com/fusiontables/D...?dsrcid=350662
4. Click on "Show Options" and change the filter to "MD5". Paste the copied "Result" and see if it shows up on search. If it does then your password has been compromised and sooner or later will be hacked if they feel like it.

[Ingmar]

I am soooooooooo not entering my email address in a form connected to any of these people.

[NiX]

Google "MD5 Convert". Pick one you think is running on a secure line that can't be back traced.

[Thrawn]

Wait what?  The passwords were just hidden with MD5?  I thought that was just a hashing algorythm and not really designed for use as encryption (and one that is known to not be secure at that).

[KallDrexx]

Wait what?  The passwords were just hidden with MD5?  I thought that was just a hashing algorythm and not really designed for use as encryption (and one that is known to not be secure at that).

Passwords are usually hashed.  Encrypted data means that the data can be decrypted if the password (or whatever) is known, it's a 2 way street.

Hashes are one way, and the only way to determine the source string is to literally try hashing every combination of letters and find out which combination letters results in the same hash.  The MD5 vulnerablility only makes it so that after a certain number of characters the hashes have the potential to be the same for 2 different strings, but it's still unlikely. 

[Tale]

Wait what?  The passwords were just hidden with MD5?  I thought that was just a hashing algorythm and not really designed for use as encryption (and one that is known to not be secure at that).

Read the Forbes article I posted. Gawker appears to have no security guy and the boss used the same password for everything. One employee's password was myname1. And they were strutting around saying "Anonymous and 4chan lol, we're not scared of them, they'll never hack us".

Read about the extent of the Gawker hack and how poor their security is:

http://blogs.forbes.com/firewall/2010/12/13/the-lessons-of-gawkers-security-mess/

[Thrawn]

Yeah, I just quit being lazy and read the article.  I guess the passwords were encrypted with DES, which was cracked over ten years ago it looks like. 

[Morfiend]

Anyone reading those sites deserves to have their shit hacked. lol at people who actually log in to any of those shit sites, especially the gossip ones.

I don't know about this. I read and enjoy Lifehacker. I find they publish some pretty good articles. Nothing mind blowing, but lightly informative.

[Yegolev]

3. http://www.google.com/fusiontables/D...?dsrcid=350662

404 means I'm safe.

[NiX]

Guess they dropped the CSV file. Probably because it was disgustingly large and getting far too many hits.

[Samwise]

I think your link got truncated when you copied it.  Unless that "..." is actually part of the URL.

[Morfiend]

Not sure if this is real or phishing. Google thinks its real. I got this right after getting an email saying I tried to change my WoW password, which I didnt. I checked battle.net and didnt see anything about my password being reset.

Greetings!

We’ve recently been informed that several Gawker Media websites have been compromised. These websites include Gawker, Gizmodo, Kotaku, Lifehacker, Jezebel, io9, Jalopnik, Deadspin, and Fleshbot. To help minimize the effects of this compromise and help keep your Battle.net account safe and secure, we’ve reset your account password. To complete the password reset, please log into Battle.net Account Management (https://us.battle.net/account/management) and follow the provided instructions.

If you are a registered commenter for any of these sites and used your Battle.net email address to sign up with Gawker Media, we also recommend that you update your Battle.net address as soon as possible via Account Management. If you are unable to complete this step or the password reset on your own and believe your account may be compromised, please contact our customer support staff by using the Account Recovery form (https://us.battle.net/account/support/account-recovery.html) and be sure to check out our Account Security Awareness guide (http://us.battle.net/en/security/) for additional security tips and suggestions.

For more information about this situation, please visit Gawker Media’s official announcement (http://gawker.com/5713056/gawker-security-breach-were-here-to-help) or Lifehacker’s comprehensive FAQ (http://lifehacker.com/5712785/faq-compromised-commenting-accounts-on-gawker-media).


Regards,
Blizzard Entertainment

[caladein]

I got linked to http://www.didigetgawkered.com/ from Wonkette which split off from Gawker two years back if you don't want to use the above method.  Slate also has a similar tool up.  Still need to enter in a username or e-mail though.

As for the Blizzard e-mail, I haven't gotten anything like that at least and Gmail seems pretty good about picking out the fake Blizzard emails from the real ones.

[Cadaverine]

Not sure if this is real or phishing. Google thinks its real. I got this right after getting an email saying I tried to change my WoW password, which I didnt. I checked battle.net and didnt see anything about my password being reset.

I got the same thing last night.  I just deleted it, and I tried logging in to the WoW web site, and it was fine.

[fuser]

The fusion table for anyone catching up is: http://www.google.com/fusiontables/DataSource?dsrcid=350662

[Morfiend]

Not sure if this is real or phishing. Google thinks its real. I got this right after getting an email saying I tried to change my WoW password, which I didnt. I checked battle.net and didnt see anything about my password being reset.

Greetings!

We’ve recently been informed that several Gawker Media websites have been compromised. These websites include Gawker, Gizmodo, Kotaku, Lifehacker, Jezebel, io9, Jalopnik, Deadspin, and Fleshbot. To help minimize the effects of this compromise and help keep your Battle.net account safe and secure, we’ve reset your account password. To complete the password reset, please log into Battle.net Account Management (https://us.battle.net/account/management) and follow the provided instructions.

If you are a registered commenter for any of these sites and used your Battle.net email address to sign up with Gawker Media, we also recommend that you update your Battle.net address as soon as possible via Account Management. If you are unable to complete this step or the password reset on your own and believe your account may be compromised, please contact our customer support staff by using the Account Recovery form (https://us.battle.net/account/support/account-recovery.html) and be sure to check out our Account Security Awareness guide (http://us.battle.net/en/security/) for additional security tips and suggestions.

For more information about this situation, please visit Gawker Media’s official announcement (http://gawker.com/5713056/gawker-security-breach-were-here-to-help) or Lifehacker’s comprehensive FAQ (http://lifehacker.com/5712785/faq-compromised-commenting-accounts-on-gawker-media).


Regards,
Blizzard Entertainment

Confirmed by Blizzard to be a scam.

[ghost]

I never click on any link in an email to change my password for anything.   

[Outlawedprod]

Confirmed by Blizzard to be a scam.

Wrong.
http://us.battle.net/wow/en/forum/topic/1536333940

Most likely they sent this just to people who have the same e-mail address registered with battle.net that was in the compromised gawker list.

[Kitsune]

My Yahoo mail account was bitching about repeated login failures when I checked it today, so someone's apparently trying to make a move with the stolen passwords.  Unluckily for them, my gawker password was longer than eight characters rendering what they stole useless, and I wasn't using that password for my email accounts in any event.

On a related note, here is a short paper I wrote on managing password security for my customers' reference.  It's common knowledge among the savvy, but may come in handy for some.

[Tale]

Confirmed by Blizzard to be a scam.

Wrong.
http://us.battle.net/wow/en/forum/topic/1536333940

Most likely they sent this just to people who have the same e-mail address registered with battle.net that was in the compromised gawker list.

A level 85 WoW player responds "Never heard of any of this". How could that be? :)