My Gawker account got compromised. Now what?
A group calling itself Gnosis cracked the New York firm's servers and downloaded a vast stash of data, including weakly encrypted password records. If you've left a comment at Gawker, Gizmodo, Jalopnik, Jezebel, Kotaku, Lifehacker, Deadspin, io9 or Fleshbot (the last site, as its name would suggest, is extremely NSFW) or just opened an account at any of those sites, you should assume that your username, e-mail or password was compromised.
Somewhat to my surprise, I'm among that contingent.
I don't remember ever leaving a comment on any of those sites, although I do read Gizmodo, Deadspin and Lifehacker pretty often and have linked to the latter's how-to posts numerous times. But when I checked the e-mail address I usually hand out for site registrations using a third-party tool, it showed up. (The Post Co.'s Slate has since posted a simpler widget you can use.) And when I clicked Gawker's reset-password link, it obligingly sent a confirmation notice and new password to that account.
In doing that, it also wiped out the old password, which I don't remember. Oops.
Unfortunately, I do know that I've used one of a handful of variations of a common word -- no, not "password" -- for some low-value site registrations that don't involve anything more dangerous than posting comments.
That, however, is more recycling than my most recent advice allowed. There, I made an exception for "passwords that only protect preferences at a site."
All I can say in my defense is that, look, my job requires trying out new sites all the time. At a certain point, you just type in the same password as before.
I should have done a better job. So should have Gawker. Forbes' Daniel Kennedy posted a recap that describes serious issues with Gawker's entire security system. The CEO recycled passwords among important sites, servers ran on obsolete builds of Linux, managers ignored the problem for weeks and so on.
(Gawker Media chief executive Nick Denton seems to be taking blame for the breach, showing up on a comments thread with this remark: "I'm here for my beating.")
So now what? Security expert Bruce Schneier -- whose recent critiques have made him a popular favorite to run the Transportation Security Administration -- had a simple prescription when I e-mailed him for comment: "If your password is compromised, change it everywhere you use it."
No argument there. I'll just have to go through all my site registrations -- starting with the ones at the highest-publicity sites -- and change them to non-duplicate passwords. (In the meantime, if you see a "Rob Pegoraro" or "robpegoraro" talking nonsense -- or at least, a different sort of nonsense -- elsewhere on the Web, don't assume it's me.)
What I don't do, and you shouldn't either, is respond with a revival of password Puritanism. Choosing various cracking-resistant, but difficult-to-remember passwords for sites that don't involve your money, your e-mail accounts or anything else that would pave the way to identity theft is a waste of your brain's processor cycles and storage.
So is getting into a routine of changing passwords every 30 or 90 days. As Schneier observed last month, that does nothing to prevent the typical damage after an account compromise. As I wrote in my own rant on the subject, those policies increase the opportunities for password exposure through carelessness (somebody grabs the Post-It note you stuck to the monitor after the 10th mandated reset of your account), phishing (somebody sends you a fake e-mail asking you to reset your password, and you forget to check the address it sends you to), or "social engineering" (somebody pretends to be you and calls up the help desk to say they just can't remember the password and want to have it reset).
Did you have a Gawker account compromised? If so, what's your next move?
December 13, 2010; 2:40 PM ET
Categories: Digital culture, Recommended reading, Security