Gawker breach fallout: LinkedIn, Amazon reset some users' passwords
Users and companies are trying to sweep up the mess caused by this weekend's breach of roughly 1.3 million reader accounts at Gawker Media. And a few of them are showing some surprising, welcome resourcefulness.
LinkedIn, for example, scanned through the archive of usernames, e-mail addresses and passwords posted by the Gawker hackers. When the business-networking site spotted its own users in that list, it reset their passwords and notified them via e-mail.
Amazon has done the same thing. A blog post by Dutch teenager Daan Berg recounts a similar password-reset e-mail from Amazon and compliments the company for its initiative. Washington-based Associated Press video producer Matt Friedman wrote on Twitter that he'd received the same notice and forwarded a copy to me.
Unlike LinkedIn, however, Amazon has yet to post a notice confirming that it's taken this step. It should: Phishing e-mails will probably adopt this theme as a lure, and the good guys can easily set themselves apart from the bad by saying in public, "Yes, we're sending those messages."
(1:43 p.m. Amazon spokeswoman Mary Osako wrote that the company did send those e-mails to "some customers" but did not give a number.)
As for my own compromised password -- as you may recall, I couldn't remember the password I'd used -- I got a big help from a reader. He had seen my post, had been in a similar situation and did me the favor of looking up my name -- turns out I'm the only Pegoraro with an account at a Gawker site. He then provided a highly technical workaround through which I could try encrypting different passwords to see which one matched the scrambled entry in the Gawker records.
I was relieved to see that I hadn't chosen any of the top 50 Gawker passwords. The most embarrassing? Some 3,000 people had picked "123456."
I had, however, used this only slightly more complicated password at many other sites. The first one that came to mind was Pandora. Fortunately, I was able to change my password at the Web-radio service before anybody could add a Creed or Celine Dion station to my account.
Beyond tracking down which other accounts share that password, I have to come up with new passwords for those sites. They don't have to be high-security logins that will resist extended, brute-force computing attacks. For help with that, see Bruce Schneier's post from January 2007. But they do need to be distinct and yet somewhat easy to recall.
The latter requirement is trickier. It can be frighteningly easy to memorize passwords that are total gibberish -- in my own worst example, 26-character WEP wireless-network passwords -- if you have to type them in often enough. But most sites don't offer that much practice. Either they save your login with a cookie, or your browser auto-completes it for you, and it's easy for the password to fade from memory.
What's your recipe in this situation? Earlier comments on this have shown some creativity. How do you go about this exercise in compressed-prose composition?
December 15, 2010; 12:08 PM ET
Categories: Digital culture, Security