Readers’ passwords on multiple Gawker Media sites, including gossip blog Gawker.com and technology blog Gizmodo, were compromised over the weekend by a successful hacking effort carried out by a group called Gnosis.
Gnosis has made the fruits of its efforts publicly available on the Pirate Bay in a single 500 MB torrent which includes a “database dump,” complete with cracked passwords, the site’s source code, a screenshot of an upcoming redesign, and more.
The group even took the time to introduce the torrent with a scathing message directed at Gawker, reproduced here in all its grammar- and spelling-ignorant glory:
So, here we are again with a monster release of ownage and data droppage.
Previous attacks against the target were mocked, so we came along and raised the bar a little.
F*** you gawker, hows this for "script kids"?
Your empire has been compromised, Your servers, Your database's, Online accounts and source code have all be ripped to shreds!
You wanted attention, well guess what, You've got it now!
According to the hackers, Gawker had previously criticized Gnosis for a smaller-scale attack, prompting this latest one, which resulted in leaks of not only readers’ passwords, but also passwords and chat conversations belonging to Gawker Media writers.
As easy as it would be to link Gnosis to 4chan and Anonymous-affiliated Operation Payback, a pseudo-collective famous for its DDoS attacks targeting Scientology, anti-piracy organizations and WikiLeaks opponents, Gnosis has distanced itself from that group in multiple statements.
Gawker Media is the parent company for 10 Web properties, including the celebrity-obsessed Gawker.com, sports blog Deadspin, and consumer electronics news site Gizmodo. Each of these three blogs sees over five million monthly unique visitors, so this security breach is not inconsequential.
All Gawker properties posted the following short statement on Sunday afternoon, urging users to change their passwords:
Our user databases appear to have been compromised. The passwords were encrypted. But simple ones may be vulnerable to a brute-force attack. You should change your Gawker password and on any other sites on which you've used the same passwords.
We're deeply embarrassed by this breach. We should not be in the position of relying on the goodwill of the hackers who identified the weakness in our systems. And, yes, the irony is not lost on us. For tips on creating strong passwords, see this post on Lifehacker.
To change your password on Gawker, click your username at the top of the page and choose the "Password" link towards the middle of the next page.
Probably the most embarrassing thing to come out of all this is that thousands of users apparently still think “password” is a good idea for a password. At least make it “password1988” or something! Come now, people.