It’s been a trying day for Gawker Media which operates a number of popular websites such as LifeHacker, Gizmodo, Kotaku, and Deadspin. This past weekend, hackers managed to seize control of Gawker Media’s entire database including staff conversations, FTP login info, source code, and more importantly, the passwords of both Gawker employees and folks who post on Gawker websites – a potentially troublesome fact given that many people use the same passwords across various website services and that the emails of Gawker commenters were exposed as well. The entire batch of info was subsequently released as a 500MB torrent file, accessible to the public at large on The Pirate Bay (though it has since been removed).
Included in the torrent file are the passwords used by Gawker founder Nick Denton for a slew of online websites, including his Twitter and Google Apps account. The attack was carried out over the past few days by a group calling themselves Gnosis who went after “Gawker because of their outright arrogance.”
Anyone who has logged in to comment on Gawker, Gizmodo, Lifehacker, io9, Fleshbot, Jezebel, Jalopnik, or Kotaku should change their passwords immediately if they haven’t already done so. Also problematic is if users connected their Twitter account to Gawker, in which case users should change their Twitter passwords as well.
Passwords aside, it’s important not to overlook the fact that Gnosis exposed Gawker’s entire and proprietary infrastructure to the public, a point driven home by a Gnosis member in an online interview with geekosystem.
Just to spell it out releasing a sites source code is one of the worst things that could happen – the source that runs the site is now public and this means anyone can view how it works, meaning exploits can be found for the code. What is worse is that with a large code base the site owners cannot simply refactor and change large portions of it, they are stuck and often have no choice but to continue running the public code base until a newer, private version is created which can take a long time. They also have to consider that most of their code, which they worked hard on, is effectively dust-binned. Unless they take the open source route, of course.
Gawker has since explained that they plan to bring in an “independent security firm to improve security across our entire infrastructure.”
Now Denton might ring a bell for a few readers as the Gawker founder was famously outspoken in the wake of the iPhone 4/Gizmodo fiasco from this past April. In interviews following the huge tech scoop, Denton apologized for nothing and explained that he was willing to cross any number of lines if it meant one of his sites would be the first to report a breaking news story.
As of 9am this morning, all of Gawker’s properties were able to publish once again, though Jezebel did provide some comic relief in a tweet earlier on.
“I’d write a post about how we’ve been hacked and can’t publish. But we’ve been hacked and can’t publish.” Nice.
As of this evening, Gawker had sent out approximately 1.5 million emails to Gawker commenters notifying them of the security breach and the importance of changing their passwords.