Gawker Media Admits Massive Hack of Private User Information (UPDATED)
Yesterday, we cataloged a series of strange tweets from Gawker Media's tech site Gizmodo, claiming to be from the amorphous, loosely 4chan-affiliated hacker group Anonymous. In the messages, the hacker claimed to have stolen 1.5 million email addresses and passwords from three Gawker Media sites, including the flagship, Gizmodo and Lifehacker. The mystery tweeter also demanded support for WikiLeaks. Minutes later, the messages were deleted, the account password changed and the "hack" laughed off by Gizmodo. Scott Kidder, Gawker Media's director of editorial operations, insisted that there was "no evidence to suggest any Gawker user accounts were compromised, and passwords encrypted / not stored in plain text anyway." Today, the alleged hacker is back and threatening to spill the stolen information. Now, Gawker is confirming the hack, though the original evidence provided still seems questionable.
[UPDATE: 12/12/2010, 5:07 p.m.: It's all happening.]
This morning, someone claiming responsibility for the invasion emailed The Next Web:
It has come to our attention that you are reporting about gawker.com being hacked by Anonymous and Operation payback in the war against the wikileaks drama that is currently taking place. While we feel for Wikileaks' plight, and encourage everyone to donate and mirror the site, we are not related to Operation Payback or engaged in their activities. We have compromised all their email accounts and databases, and a significant portion of the passwords have been unhashed into plaintext.
To prove the validity of our claims, here is a sample of the database: [redacted]
As proof, the supposed hacker included a screenshot of Gawker's internal chat system:
Oddly, the picture provided is from July 22, judging by the link to a New York magazine Daily Intel story about bed bugs. Additionally, the conversation is taking place at 11:45 a.m. between Gawker's weekday writers, who are clearly not referencing yesterday's hack, which occurred later in the afternoon and during the weekend shift of Jeff Neumann and Adrien Chen, neither of whom appears in the conversation. Additional proof from the hacker is in the form of Quantcast pageview information, which anyone with a Quantcast account can access. Gawker has repeatedly been the target of 4chan attacks, and here at Runnin' Scared we covered one back in July, presumably the day before the above chat. It's not that the above chat transcript is faked; it's that it is old and not in reference to this most recent hack.
Someone claiming to be the hacker also contacted Mediaite, sharing the same information and screenshots, in addition to threatening the leak of "the private user data" at 4 p.m. EST.
Mediaite's Colby Hall also obtained a statement from Gawker confirming the hack:
Our user databases do indeed appear to have been compromised. The passwords were encrypted. But simple ones may be vulnerable to a brute-force attack. You should change the password on Gawker (GED/commenting system) and on any other sites on which you've used the same passwords. Out of an abundance of caution, you should also change your company email password and any passwords that may have appeared in your email messages. We're deeply embarrassed by this breach. We should not be in the position of relying on the goodwill of the hackers who identified the weakness in our systems. And, yes, the irony is not lost on us. Lifehacker has tips on how to create strong passwords: http://lifehac.kr/h7jgzQ
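Gawker's statement says the stored passwords were "encrypted" yet "simple ones may be vulnerable to a brute-force attack." The example below, added here and not code from the article or from Gawker, shows why both halves of that sentence can be true at once, from the point of view of an operator auditing their own password store. It assumes the weak scheme was an unsalted, single-round fast hash (the article does not say what Gawker actually used), uses a constructed handful of accounts and a constructed five-word list of "simple" passwords, and then repeats the same audit against a salted, deliberately slow store (PBKDF2-HMAC-SHA256) to show how the cost of checking each guess changes.

```python
import hashlib
import hmac
import os

# Constructed sample accounts with made-up passwords (not data from the breach).
SAMPLE_PASSWORDS = {
    "alice": "123456",
    "bob": "password",
    "carol": "Tr0ub4dor&3",   # not in the wordlist, so it survives the audit
    "dave": "letmein",
}

# Constructed mini wordlist standing in for the "simple" passwords the statement warns about.
COMMON_WORDS = ["123456", "password", "qwerty", "letmein", "iloveyou"]


# Assumption: the weak store used an unsalted, single-round fast hash.
# The article does not state Gawker's scheme; this is for illustration only.
def fast_hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def build_fast_db(passwords: dict[str, str]) -> dict[str, str]:
    return {user: fast_hash(pw) for user, pw in passwords.items()}


def audit_fast_db(hashed_db: dict[str, str], wordlist: list[str]) -> tuple[dict[str, str], int]:
    """Defensive audit: which accounts use a wordlist password?
    With unsalted fast hashes, one precomputed table covers every account,
    so the work is len(wordlist) hash operations no matter how many users exist."""
    table = {fast_hash(word): word for word in wordlist}
    weak = {user: table[h] for user, h in hashed_db.items() if h in table}
    return weak, len(table)


# Mitigation: a random per-user salt plus a slow key-derivation function.
ITERATIONS = 50_000  # kept low so the example runs quickly; production settings are higher


def slow_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def build_slow_db(passwords: dict[str, str]) -> dict[str, tuple[bytes, bytes]]:
    db = {}
    for user, pw in passwords.items():
        salt = os.urandom(16)
        db[user] = (salt, slow_hash(pw, salt))
    return db


def audit_slow_db(slow_db: dict[str, tuple[bytes, bytes]], wordlist: list[str]) -> tuple[dict[str, str], int]:
    """The same audit against the salted, slow store. The salt makes every
    (user, word) pair a separate computation and each one costs ITERATIONS
    rounds, so the total work grows with the number of accounts."""
    weak = {}
    attempts = 0
    for user, (salt, digest) in slow_db.items():
        for word in wordlist:
            attempts += 1
            if hmac.compare_digest(slow_hash(word, salt), digest):
                weak[user] = word
                break  # stop at the first match for this account
    return weak, attempts


if __name__ == "__main__":
    weak_fast, ops_fast = audit_fast_db(build_fast_db(SAMPLE_PASSWORDS), COMMON_WORDS)
    weak_slow, attempts_slow = audit_slow_db(build_slow_db(SAMPLE_PASSWORDS), COMMON_WORDS)
    print("accounts using a wordlist password:", sorted(weak_fast))
    print(f"unsalted fast hash: {ops_fast} hash operations for the whole database")
    print(f"salted PBKDF2: {attempts_slow} attempts x {ITERATIONS} rounds "
          f"= {attempts_slow * ITERATIONS:,} hash rounds")
```

Both audits flag the same three accounts, which is the point of the statement's warning: hashing does not protect a password that appears in a short list of common choices. What the slow, salted store changes is the price of each guess, which is why the advice to pick a strong, unique password matters regardless of what the site does on its side.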
Now, Gawker Media and its users must wait and see if the information indeed comes out. Judging by the above response, the Gawker tech brass believes the threat. The commenter community, long an invaluable asset to the Gawker websites' successes, may in minutes devolve into relative internet chaos. Updates as they come.
UPDATE: The "Management of Gawker Media" has published a post urging all commenters to change their passwords. The odds of 100% of Gawker commenters on all of their sites seeing this and complying are minuscule. Call it a band-aid? Now is probably a good time to say goodbye to the current iteration of your gold star:
Our user databases appear to have been compromised. The passwords were encrypted. But simple ones may be vulnerable to a brute-force attack. You should change your Gawker password and on any other sites on which you've used the same passwords.
We're deeply embarrassed by this breach. We should not be in the position of relying on the goodwill of the hackers who identified the weakness in our systems. And, yes, the irony is not lost on us. For tips on creating strong passwords, see this post on Lifehacker.
To change your password on Gawker, click your username at the top of the page and choose the "Password" link towards the middle of the next page.