In the modern media equivalent of a Greek myth, the Gawker empire was hit hard over the weekend when it was revealed that a hacker group had infiltrated its commenter database via a vulnerability in its source code, exposing the user names and encrypted passwords of over 1.3 million commenters. To drive the moral of this story home, the group, which goes by the name Gnosis, ran a dictionary attack and cracked about 188,000 of the weakest ones, such as “password” and “qwerty”, then released the whole database and source code package as a torrent on The Pirate Bay.
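What that dictionary attack looks like against a leaked password table, as an added illustration that is not part of the Gnosis release or the article: the table, the wordlist and the salted SHA-256 storage scheme below are all constructed for the example (the article does not say how Gawker stored its passwords). The mechanics are the same regardless of scheme: the attacker hashes each candidate word under each user's salt and compares, so only passwords that appear in the wordlist fall, and the rest remain exposed to further offline guessing.

```python
import hashlib


def hash_password(salt: str, password: str) -> str:
    """Constructed storage scheme for the example: SHA-256 over salt || password."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed stand-in for a leaked commenter table: username -> (salt, digest).
LEAKED_DB = {
    "alice": ("a1", hash_password("a1", "password")),
    "bob":   ("b2", hash_password("b2", "qwerty")),
    "carol": ("c3", hash_password("c3", "wV9!xq#Lm2pR")),
    "dave":  ("d4", hash_password("d4", "123456")),
}

# Constructed wordlist; a real one runs to millions of entries.
WORDLIST = ["123456", "12345678", "password", "qwerty", "letmein", "monkey"]


def dictionary_attack(db, wordlist):
    """Hash every wordlist entry under each user's salt and compare to the stored
    digest. Returns ({username: recovered_password}, number_of_hashes_computed).

    The per-user salt is what forces one hash per (user, word) pair; without it
    the attacker would hash each word once and look every user up in a table.
    """
    cracked = {}
    hashes_computed = 0
    for user, (salt, digest) in db.items():
        for word in wordlist:
            hashes_computed += 1
            if hash_password(salt, word) == digest:
                cracked[user] = word
                break
    return cracked, hashes_computed


def uncracked(db, wordlist):
    """Accounts whose password was not in the wordlist. They are not safe: the
    digest is public and the attacker can keep guessing offline indefinitely."""
    cracked, _ = dictionary_attack(db, wordlist)
    return sorted(set(db) - set(cracked))


if __name__ == "__main__":
    found, work = dictionary_attack(LEAKED_DB, WORDLIST)
    print(f"cracked {len(found)} of {len(LEAKED_DB)} with {work} hashes: {found}")
    print("still exposed to further guessing:", uncracked(LEAKED_DB, WORDLIST))
```

On this constructed data three of the four accounts fall to a six-word list; the one survivor is only uncracked, not protected, which is why changing the password even for an "encrypted" entry is the right advice.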
Apparently the Gawker data breach was no secret on the Internet (reports had been circulating for about a month), and people offered Gnosis money for the Gawker database before the release. According to a Gnosis representative who gave details to TechCrunch, the group received several offers, all in the vicinity of 2K, mostly from spammers and resellers, “certainly not for good.”
Internet nogoodniks are already taking advantage of the leaked credentials. A Twitter attack on Sunday, built on the leaked logins, forced users to tweet about the Acai berry diet. TechCrunch Senior Editor Erick Schonfeld fell prey to what looks like a second iteration of the Acai attack this morning. The New York Post reports that one woman had her entire life “turned upside down” when her social media accounts were taken over and used to post anti-Semitic messages. Behemoths LinkedIn, Yahoo and World of Warcraft have all taken measures to protect against further attacks.
Because many people use the same password across multiple sites, this spammer’s delight is going to get worse before it gets better, especially if the attacks spread from social media to financial services. If you have ever commented on Gawker, it’s time to get an entirely new password, for everything, even if your password (like both of mine) is still encrypted in the full_db.txt file: that file is public, and the same dictionary attack that cracked the weak ones can be continued offline against the rest. You can check whether your information has been exposed here.
Damnit. Can't remember all my new passwords.—
Peter Kafka (@pkafka) December 14, 2010
When asked why they didn’t accept any of the offers, our Gnosis source replied, “We didn’t sell because we thought that would be too far. It’s one thing finding out that your database was leaked, and it’s another to find out that it was sold. We are not heartless, we know the implications for selling it, even though a minority of the group wanted to sell it.”
While the Gnosis representative admitted that there are a lot of interesting things that can be done with a hacked database, the more serious issue here is the public availability of the PHP source code, which leaves open the possibility of further exploits: “Just say if Gawker recovers fully, and all is well, six months down the line some Eastern European hackers jump in and do the whole thing again, because they had access to the source and found a way to exploit it.”
In a comment explaining the breach, Gawker founder Nick Denton, who reportedly has a meeting with the FBI today, hinted at hiring an independent security firm to improve security. Not enough, says the Gnosis rep, who holds that all the sites’ API keys and cookies are still in the source code and that, while difficult, those with nefarious intent can still impersonate Gawker users: “I would bite the bullet and release all the source code if I were them officially, and go ‘open source.’”
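Why keys left in leaked source let an outsider impersonate users, and what rotating them does, as an added illustration that is not Gawker’s code: the HMAC-signed cookie format, the SECRET_IN_SOURCE constant, the SESSION_SIGNING_KEY variable name and the user names below are all hypothetical. The point it demonstrates is general: whoever holds the signing key can mint a cookie the server accepts for any account, and the only remedy is to rotate the key (keeping the new one out of the repository), which invalidates every cookie signed with the old one.

```python
import base64
import hashlib
import hmac
import json


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()


def sign_cookie(payload: dict, secret: bytes) -> str:
    """Serialise the session payload and append an HMAC-SHA256 tag under `secret`."""
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    tag = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_cookie(cookie: str, secret: bytes):
    """Return the payload if the tag verifies under `secret`, otherwise None."""
    if "." not in cookie:
        return None
    body, tag = cookie.rsplit(".", 1)
    expected = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(base64.urlsafe_b64decode(body.encode()))


# Hypothetical: the key the application signs sessions with, committed to the
# repository and therefore now sitting in the leaked source tree.
SECRET_IN_SOURCE = b"hypothetical-key-committed-to-git"


def forge_session(leaked_secret: bytes, victim: str) -> str:
    """Attacker side: with the key in hand, a valid session for any account is one call."""
    return sign_cookie({"user": victim}, leaked_secret)


def rotate_secret(env: dict) -> bytes:
    """Defender side: take the new key from the environment (passed in as a dict
    here so the function is testable) and refuse to fall back to the hardcoded
    value, so a rotated key never lands in source again."""
    key = env.get("SESSION_SIGNING_KEY")
    if not key or key.encode() == SECRET_IN_SOURCE:
        raise RuntimeError("SESSION_SIGNING_KEY missing or still the leaked value")
    return key.encode()


if __name__ == "__main__":
    forged = forge_session(SECRET_IN_SOURCE, "victim")
    print("server accepts forged cookie with leaked key:",
          verify_cookie(forged, SECRET_IN_SOURCE))
    new_key = rotate_secret({"SESSION_SIGNING_KEY": "fresh-random-value"})
    print("same cookie after key rotation:", verify_cookie(forged, new_key))
```

Rotation is the part a security firm would insist on: patching the original vulnerability does nothing about sessions an attacker can still mint, and a key that is regenerated but committed again is leaked again the next time the source escapes.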
Denton, who is in the unenviable position of being the busiest person in the world at the moment, did not reply to my questions about the measures being taken to further protect users or about the ethical implications of such a large breach. Asked in an addendum to my first email whether traffic had suffered, he responded only with this link, to show that Gawker site traffic hadn’t fallen since the release.