Posted at 2:40 PM ET, 12/13/2010

My Gawker account got compromised. Now what?

By Rob Pegoraro

As you may have heard, Gawker Media had a little security breach over the weekend.

A group calling itself Gnosis cracked the New York firm's servers and downloaded a vast stash of data, including weakly encrypted password records. If you've left a comment at Gawker, Gizmodo, Jalopnik, Jezebel, Kotaku, Lifehacker, Deadspin, io9 or Fleshbot (the last site, as its name would suggest, is extremely NSFW) or just opened an account at any of those sites, you should assume that your username, e-mail or password was compromised.

Somewhat to my surprise, I'm among that contingent.

I don't remember ever leaving a comment on any of those sites, although I do read Gizmodo, Deadspin and Lifehacker pretty often and have linked to the latter's how-to posts numerous times. But when I checked the e-mail address I usually hand out for site registrations using a third-party tool, it showed up. (The Post Co.'s Slate has since posted a simpler widget you can use.) And when I clicked Gawker's reset-password link, it obligingly sent a confirmation notice and new password to that account.

In doing that, it also wiped out the old password, which I don't remember. Oops.

Unfortunately, I do know that I've used one of a handful of variations of a common word -- no, not "password" -- for some low-value site registrations that don't involve anything more dangerous than posting comments.

That, however, is more recycling than my most recent advice allowed. There, I made an exception for "passwords that only protect preferences at a site."

All I can say in my defense is that, look, my job requires trying out new sites all the time. At a certain point, you just type in the same password as before.

I should have done a better job. So should have Gawker. Forbes' Daniel Kennedy posted a recap that describes serious issues with Gawker's entire security system. The CEO recycled passwords among important sites, servers ran on obsolete Linux builds, managers ignored the problem for weeks, and so on.

(Gawker Media chief executive Nick Denton seems to be taking blame for the breach, showing up on a comments thread with this remark: "I'm here for my beating.")

So now what? Security expert Bruce Schneier -- whose recent critiques have made him a popular favorite to run the Transportation Security Administration -- had a simple prescription when I e-mailed him for comment: "If your password is compromised, change it everywhere you use it."

No argument there. I'll just have to go through all my site registrations -- starting with the ones at the highest-publicity sites -- and change them to non-duplicate passwords. (In the meantime, if you see a "Rob Pegoraro" or "robpegoraro" talking nonsense -- or at least, a different sort of nonsense -- elsewhere on the Web, don't assume it's me.)
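The "change it everywhere you use it" step is only as good as your ability to see where a password is shared. The script below is an added example, not code from this post, from Schneier or from Gawker; it assumes a browser or password-manager CSV export with site, username and password columns, and the rows in it are constructed samples rather than real credentials. It goes a little beyond exact duplicates: it also groups "variations of a common word" (case changes, appended digits or symbols) into one family, since those are the variations a reused password tends to come in.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample export (not real credentials): 'site,username,password'
# columns, the shape of a typical browser or password-manager CSV export.
SAMPLE_EXPORT = """site,username,password
gawker.com,robp,Tulip2009
lifehacker.com,robp,tulip2009!
washingtonpost.com,robp,Tulip2009
bank.example,robp,x9#Lm2$qT7vW
mail.example,rob.p,Tulip-2010
forum.example,robp,Gr8Horse!!
"""


def family_key(password):
    """Collapse a password to its base word: lowercase, letters only.

    'Tulip2009', 'tulip2009!' and 'Tulip-2010' all map to 'tulip', so the
    'handful of variations of a common word' pattern is caught as one family.
    """
    return re.sub(r"[^a-z]", "", password.lower())


def parse_export(text):
    """Parse the CSV export into a list of {'site', 'username', 'password'} dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def find_reuse(rows):
    """Return (exact, families): passwords and password families used at more
    than one site, each mapped to a sorted list of those sites."""
    exact = defaultdict(set)
    families = defaultdict(set)
    for row in rows:
        exact[row["password"]].add(row["site"])
        key = family_key(row["password"])
        if key:  # all-digit or all-symbol passwords have no family key; skip them
            families[key].add(row["site"])
    exact_reuse = {pw: sorted(s) for pw, s in exact.items() if len(s) > 1}
    family_reuse = {k: sorted(s) for k, s in families.items() if len(s) > 1}
    return exact_reuse, family_reuse


def sites_to_change(rows, breached_site):
    """Given one breached site, list every other site whose password is in the
    same family: the 'change it everywhere you use it' to-do list.
    Assumes one row per site (a later duplicate row would replace an earlier one)."""
    by_site = {row["site"]: row["password"] for row in rows}
    if breached_site not in by_site:
        return []
    key = family_key(by_site[breached_site])
    if not key:
        return []
    return sorted(
        site for site, pw in by_site.items()
        if site != breached_site and family_key(pw) == key
    )


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    exact, families = find_reuse(rows)
    # Report counts and sites only; never echo the passwords themselves.
    for sites in exact.values():
        print(f"one identical password is used at {len(sites)} sites: {', '.join(sites)}")
    for key, sites in families.items():
        print(f"one password family is shared by: {', '.join(sites)}")
    print("after a gawker.com breach, change:", sites_to_change(rows, "gawker.com"))
```

The family grouping is deliberately coarse: it will occasionally lump two unrelated passwords that share letters, but after a breach a false positive costs one unnecessary reset, while a missed variation leaves a door open.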

What I don't do, and you shouldn't either, is respond with a revival of password Puritanism. Choosing various cracking-resistant, but difficult-to-remember passwords for sites that don't involve your money, your e-mail accounts or anything else that would pave the way to identity theft is a waste of your brain's processor cycles and storage.

So is getting into a routine of changing passwords every 30 or 90 days. As Schneier observed last month, that does nothing to prevent the typical damage after an account compromise. As I wrote in my own rant on the subject, those policies increase the opportunities for password exposure through carelessness (somebody grabs the Post-It note you stuck to the monitor after the 10th mandated reset of your account), phishing (somebody sends you a fake e-mail asking you to reset your password, and you forget to check the address it sends you to), or "social engineering" (somebody pretends to be you and calls up the help desk to say they just can't remember the password and want to have it reset).

Did you have a Gawker account compromised? If so, what's your next move?

By Rob Pegoraro  | December 13, 2010; 2:40 PM ET
Categories:  Digital culture, Recommended reading, Security  

Comments

"Your email account does not appear to be in the released database."

Cool.

So that comment about the goat, the feather duster, and the French Lieutenant's women wasn't you?

Posted by: wiredog | December 13, 2010 3:06 PM | Report abuse

What is Gawker? What kinds of interests do users have who register for accounts with Gawker? And does it now appear to be an unsafe site that users should avoid?

Posted by: seltzer1 | December 13, 2010 3:27 PM | Report abuse

Most services (yes sorry WashPost that includes you) just aren't valuable enough to track and change every couple of months, and too prolific to even track.

While Facebook Connect improves things a little, it replaces password theft with other privacy invasions like demanding access to my friends list, profile pictures, etc.

The right solution for that class of security is OpenID. It puts users in control by centralizing passwords, without giving away more than just an encrypted token.

The irony here is to even make this comment on WashPost, I was solicited for a password, valid email address and other PII for something that IMHO is very low value. Is WashPost any better at security than Gawker? I have my doubts.

Posted by: stephbuwsp | December 13, 2010 3:32 PM | Report abuse

McDonald's and some other big-name company had their website databases hacked into last week. I've gotten a couple of those "Dear customer, your user information was compromised" emails.
While they do not believe they were trying to get specific user information, the email customer database information was compromised as a whole. I'm doing what every good American that doesn't want to raise suspicion is doing and ignoring the web based database hijackings on a grand scale, that are being questioned by the media so hackers do not follow me home.

Posted by: stella667 | December 13, 2010 9:22 PM | Report abuse

I have an easy way to set passwords that differ for each Web site and I don't forget them. I use a phrase like "I like surfing the Web for fun at [website]" and then use a 2, 3, or 4 letter code for that Web site. So my Washington Post password would be: IlstW4faWP. My Gawker password would be IlstW4faGK. Those are very strong passwords and easy to remember. I keep a list that just shows the 2-letter code for each Web site. For very sensitive Web sites that require more I use the same system but tack on a 5 digit code at the end (I always use the same 5 digits).

Trust me, I am a forgetful person but this works very well. I'm not saying this is perfect. No, those aren't my actual passwords. I'll let you come up with your own memorable phrase.

Posted by: KeithW2 | December 14, 2010 12:19 AM | Report abuse

I don't have a Gawker account, and even if I did, I would not lose sleep about it if it was compromised. I use a throwaway email address and the same password for all sites where I have no choice but to register. I even have a fake Facebook account. Other than my main email address which is connected to my financial and online shopping accounts, I really don't care about any of the several emails and website accounts being compromised.

There are too many passwords I would have to remember. Every once in a while, I forget what password I used for a site because some insist you include a number, so I check my Firefox passwords to get it, and I am stunned at the amount of sites I have registered with and have passwords for. Simply too much.

Posted by: RickJohnson621 | December 14, 2010 12:38 AM | Report abuse

Their security is not my problem. That's how it should be for everyone. You should be able to leave a Gawker account alone with monkeys on meth and not care about the results.

Posted by: Nymous | December 14, 2010 3:50 AM | Report abuse

Gawker sent me an email, but the Slate widget indicates I'm not in the hacked database.

Slate also says: "If you left a comment but did not sign up for an account with Gawker, your data would not have been compromised." I hope that is true.

Ironic that everything on Lifehacker is a "hack," but the Gawker hack is not a hack...it's a "compromise."

Posted by: GaryJean | December 14, 2010 8:49 AM | Report abuse

I'm a starred commenter under a different name at Gawker. The widget showed my info was out there. The minute the alert went up on Sunday at Gawker, I changed my p/w. Last night my associated email required a weird p/w re-set there, which I did. So far that's it. We are assured Measures Are Being Taken. It's unfortunate that because of the snark on some of the sites, even those of us who think 4chan should always be left alone and serves a purpose and/or think Wikileaks performs an invaluable service should also be penalized by the hackers too, but such is life.

Posted by: Beckola | December 14, 2010 9:53 AM | Report abuse

Same thing here: got a mail yesterday from teamhint@hint.io and then one today from Gawker informing of the breach. I (stupidly, I know, but my memory is poor) used the same password for quite a few sites, including my email and FB. I changed those passwords immediately and am hoping for the best.

Posted by: jim24 | December 14, 2010 11:11 AM | Report abuse

I got that same email on Sunday... I have NO idea where I used a Gawker account, especially since I don't even recognize any of the sites listed.

Posted by: jdubyaa | December 14, 2010 3:03 PM | Report abuse

"I have NO idea where I used a Gawker account, especially since I don't even recognize any of the sites listed."

That's my problem, too. I don't ever recall setting up a Gawker account or one at any of the other sites Rob lists. Yet the Slate widget tells me that my info has been released.

This is not too much of a problem as I use a permutation of the excellent "IlstW4faGK" idea above.

But how do we find out on which website we registered? Are there more sites than those listed?

Is there some sort of master holding company that runs all of these sites and controls our information?

Posted by: Georgetwoner | December 14, 2010 6:18 PM | Report abuse

rob, i suggest you google "disposable email addresses" for managing web login accounts.

http://en.wikipedia.org/wiki/Disposable_email_address

i received an email from gawker saying that my email account had been compromised. i checked and it was one of many disposable one-time email addresses i use to enter reader comments on rare occasions (such as this).

a unique password for each site is not so difficult if you add the first letter of the site being accessed to a standard disposable password. using wpassword for the password to this site is only slightly more difficult than remembering my password is password.

finally, my thought is that you have already given too much information regarding your particulars, especially for a person with a public facing job.

Posted by: ronpaul4prez | December 16, 2010 6:25 AM | Report abuse

© 2010 The Washington Post Company