Act now to minimize the damage to users from Gawker hack

Weekend attack on Gawker.com and sister websites, including Lifehacker and Gizmodo, may have exposed your users. Here's what to do -- now

If you've made it past your first cup of coffee this morning, you know the basics. A previously unknown group (individual?) calling itself Gnosis hacked the Gawker.com site and server, stealing an amazing volume of information and posting the booty as a torrent, indexed on The Pirate Bay. The info came from Gawker Media Network -- which is to say, Gawker.com, Lifehacker, Gizmodo, Jezebel, io9, Jalopnik, Kotaku, Deadspin and Fleshbot.com -- and includes information about roughly 1.3 million accounts -- everyone who has a username on any of those sites. Each account entry includes the username, the user's email address, and a Triple-DES-encrypted hash of the account's password.

There was plenty of additional information stuffed into the torrent -- the entire custom source code of the sites, internal emails, Gawker employees' user names and passwords on other sites, FTP log-on information for other sites, and a smorgasbord of miscellany that should have every out-facing website admin blanching. There are comprehensive details about the attack, who did it, why they did it, and the abysmal response from Gawker, in Daniel Kennedy's Forbes blog.

But the key story you need to get to your users is this: if they've ever posted anything on any Gawker Media site, their username and an encrypted version of their password are probably out in the wild, linked to their email address. Many people are rapidly chipping away at the encrypted passwords, and it's only a matter of time before the details on most accounts are public knowledge.

Duo Security, a company that makes authentication software, has been busy running a hash cracker known as John the Ripper against those 1.3 million passwords. At the time of their last note, they had deciphered more than half of the passwords.

Here's what that means for your users.

If your users have accounts on any of the Gawker Media websites, they should assume that any bad guy worth his salt has now figured out their usernames, email addresses, and passwords. They should assume that said bad guys are busy trying the combination on myriad sites, to see if they can get in.

So, for example, if your users have email accounts on Gmail, and those accounts use the same passwords as the ones stored on, say, Gawker.com, their Gmail accounts will be cracked momentarily, if they haven't been already. If they use the same usernames on Lifehacker.com and on BankofAmerica.com, and the passwords match on both sites, their bank accounts may have already gone up in smoke. If they use the same passwords on PayPal and Gizmodo, and the email addresses match -- PayPal uses an email address as a username -- PayPal may have already paid, uh, somebody else's pal.

You've always known that you shouldn't use the same password on two different websites. Now you can show your users why.

What to do?

For starters, I wouldn't follow the advice given on the Lifehacker site, to wit: "You should immediately change the password on your [Lifehacker] account." Quite the contrary. I wouldn't log on to any Gawker Media site for weeks or months, for any reason. The folks in charge have demonstrated rather conclusively that they don't know how to lock down a site. Why would you trust them now?

Don't bother trying to delete your Gawker Media account. You can't. The cow's out of the barn, folks. Time for damage control.

If your users aren't sure whether they had an account on any Gawker Media site, they should take a moment right now to run one of the checkers. The one I prefer is from Duo Security, although there are many similar alternatives. Users simply type their email address into the indicated box and press Enter. The site responds with a simple Yes -- the email address is among the 1.3 million leaked -- or No.

(It's possible that Duo Security could be harvesting email addresses from their checker Web page. I call that the lesser of two evils.)

If the checker comes up Yes -- the user's Gawker Media username, email address, and password have been compromised -- it's time to call out the cavalry. Unless users have been religious in using different passwords on different sites, they should move quickly to change the passwords on every potentially problematic website where they have accounts -- every one. After the passwords have been changed, they should go back through every site and see if there has been any unexpected activity -- admittedly, not an easy exercise.
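As an added example, not from the article or from Duo Security's checker, here is how a site operator could run the same check against their own user list: it flags users whose email address appears in a leaked dump and, where a leaked password has already been recovered, verifies whether that same password is in use on the operator's own site, so those accounts get a forced reset first. The dump rows, recovered plaintexts and user table are all constructed sample data, and the PBKDF2 hashing stands in for whatever the site actually uses.

```python
import hashlib
import hmac
import os

# Constructed sample in the shape the article describes (username, e-mail,
# password hash); the hash column is a placeholder, not real crypt(3) output.
LEAKED_DUMP = """\
gizfan,alice@example.com,PLACEHOLDER_HASH_1
kotakuguy,bob@example.org,PLACEHOLDER_HASH_2
io9reader,carol@example.net,PLACEHOLDER_HASH_3
"""
# Constructed: plaintexts crackers have already recovered, keyed by e-mail.
CRACKED = {"alice@example.com": "password1", "bob@example.org": "qwerty"}

def parse_dump(text):
    """Map each leaked e-mail (lower-cased) to its (username, hash) pair."""
    exposed = {}
    for line in text.splitlines():
        if line.strip():
            username, email, pw_hash = (f.strip() for f in line.split(",", 2))
            exposed[email.lower()] = (username, pw_hash)
    return exposed

def hash_password(password, salt):
    """Stand-in for the site's own password hashing (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user_table():
    """Constructed local user table: lower-case e-mail -> (salt, stored hash)."""
    sample = [("alice@example.com", "password1"),      # same password as in the dump
              ("bob@example.org", "s0mething-else"),   # in the dump, different password
              ("dave@example.com", "not-in-dump")]
    users = {}
    for email, password in sample:
        salt = os.urandom(16)
        users[email] = (salt, hash_password(password, salt))
    return users

def triage(user_table, dump_text, cracked):
    """'reused' if a recovered leaked password opens the local account too,
    'exposed' if only the e-mail is in the dump; untouched users are omitted."""
    exposed = parse_dump(dump_text)
    report = {}
    for email, (salt, stored) in user_table.items():
        if email not in exposed:
            continue
        plaintext = cracked.get(email)
        if plaintext is not None and hmac.compare_digest(
                hash_password(plaintext, salt), stored):
            report[email] = "reused"   # force a reset, then review account activity
        else:
            report[email] = "exposed"  # notify the user and recommend a reset
    return report
```

Users marked "reused" are the ones the article's warning applies to directly: the leaked password opens an account here as well, so they need the reset and the activity review before anyone else.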

Ready for your second cup of coffee? I wouldn't wait that long. Get your users checking now.

This article, "Act now to minimize the damage to users from Gawker hack," was originally published at InfoWorld.com. Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog.

Copyright © 2010 IDG Communications, Inc.
