Gawker Media Password DB Stolen 2

Posted by JD 12/12/2010 at 21:50

So, it was announced on Slashdot and Gawker that much of the Gawker user-password DB has been compromised. The attackers claim to have grabbed 1.3 million user accounts. I’ve seen that my account, password (as a hash) and email address were included in the breach.

1 Password for 1 Website

Anyway, since I don’t use the same password on any two sites, I’m not really concerned except that the email address will probably start getting lots of spam. Oh well. It was a tier 3 email address – not critical, but shared with a few other unimportant web accounts. Passwords are completely unique in my world. I couldn’t tell you what the password is – that is what KeePassX is used for after all. ;)

Long Passwords … not used post-hash

My LH/Gawker passwd was 45 fairly random characters – it was automatically created by KeePassX. The hash in the Gawker DB appears to be only 13 characters – the traditional DES-based crypt(3) format, which only ever looks at the first 8 characters of a password, so the other 37 characters of mine bought nothing. The hackers claim it is DES – a fairly easy one-way hash to crack.

To be clear – my password was not hacked, but since the hash has been compromised and it is only 13 characters, building a rainbow table that maps inputs to hashes won’t take much effort for someone. It is bad enough that an unimportant email address was given away.
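As an added example (not code from this post or from Gawker), here is a small Python audit that flags the 13-character DES crypt(3) format described above and shows the replacement a defender would want: a salted, iterated hash that covers the whole password rather than only its first 8 characters. The sample hash strings in it are constructed, not taken from the dump.

```python
import base64
import hashlib
import hmac
import os
import re

# Traditional DES crypt(3) output: 2-char salt + 11-char digest, charset [./0-9A-Za-z].
DES_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
# Modular-crypt prefixes a defender should recognise in a stored-hash column.
SCHEMES = {
    "$1$": "WEAK: MD5-crypt (fixed 1000 rounds)",
    "$2a$": "OK: bcrypt", "$2b$": "OK: bcrypt", "$2y$": "OK: bcrypt",
    "$5$": "OK: SHA-256-crypt (check rounds=)",
    "$6$": "OK: SHA-512-crypt (check rounds=)",
    "$pbkdf2-sha256$": "OK: PBKDF2-HMAC-SHA256 (check iteration count)",
}

def classify_hash(stored):
    """Label a stored hash by scheme; the 13-char DES form is what the dump held."""
    if DES_CRYPT_RE.match(stored):
        return "WEAK: DES crypt (password cut to 8 chars, 12-bit salt, fast)"
    for prefix, verdict in SCHEMES.items():
        if stored.startswith(prefix):
            return verdict
    if re.fullmatch(r"[0-9a-f]{32}", stored):
        return "WEAK: unsalted MD5 hex"
    return "UNKNOWN: inspect manually"

ITERATIONS = 600_000  # PBKDF2 work factor; raise it as hardware gets faster

def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 over the whole password, not just its first 8 bytes."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "$pbkdf2-sha256$%d$%s$%s" % (
        ITERATIONS, base64.b64encode(salt).decode(), base64.b64encode(dk).decode())

def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 5 or parts[1] != "pbkdf2-sha256":
        return False  # e.g. a legacy 13-char DES string: refuse, force a reset
    _, _, iters, salt_b64, dk_b64 = parts
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             base64.b64decode(salt_b64), int(iters))
    return hmac.compare_digest(dk, base64.b64decode(dk_b64))

# Constructed sample column (not rows from the real dump).
AUDIT = {u: classify_hash(h) for u, h in {"alice": "abJnggxhB/yWI", "bob": hash_password("pw")}.items()}
```

Run over a real export, classify_hash tells you which rows need a forced reset; verify_password deliberately rejects anything that is not in the new format so a legacy hash can never be accepted as valid.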

Here’s hoping you aren’t one of the many, many brilliant folks with “password” or “password1” or “qwerty.”

Regardless, it is probably a good time to change your Gawker password that is shared across all Gawker websites. They run an ever-growing number of web assets. Some are tasteful – many are not. A few of the more prominent ones are:

  • LifeHacker – Computers, smartphones and doing things that humans do smarter.
  • Gizmodo – Gadgets.
  • Io9 – SciFi

Anyway, I’m off to change that password.


  1. JD 12/13/2010 at 09:09

    What did Gawker do right?

    • Let everyone know fairly quickly
    • Provided a useful FAQ on what to do
    • Didn’t store passwords for remotely authenticated accounts.
    • Didn’t store the end-user passwords un-hashed, but calling a DES crypt isn’t really encrypting them either – it is not the current best practice
    • They are working with an outside security consulting company to look for other failures in their setups. That is just the first step. My company has done this and our clients rarely do more than 10% of the recommendations. One company was unwilling to do the single most important suggestion that we made. That was to use reverse proxies to control access to any unwanted services externally.

    What did Gawker do wrong?

    • Being obnoxious; it appears they may have taunted the crackers
    • Using only a 12-13 character hash – 30+ characters would have been nicer and probably prevented most rainbow tables from being created – sha1 hashes would be better. 100 character hashes would make many of these attacks pointless
    • Should force password changes for end users – not just request them.
    • Gawker needs to recognize that any online server farm can be cracked or made unavailable via DoS. Being arrogant usually doesn’t get you very far with crackers.

    I hope they are working with authorities to determine who cracked their systems and attempt to take legal action. Illegal activities should have consequences, especially when other people are impacted.

  2. JD 12/17/2010 at 06:18

    So I’ve read a few other articles this week on the whole Gawker breach. A Forbes blog article explained some of the history – like that the CEO’s account was breached in July enough that he asked the tech team to look into it. They didn’t see anything wrong. 4-5 months ago.

    They are still using FTP! Huh? FTP shouldn’t be used for anything that isn’t anonymous downloads. Definitely not anywhere a password is used. SFTP or SCP should be used instead. The account login info for other companies’ FTP logins was stolen. Talk about a breach of trust.