Passwords compromised at Gawker, Gizmodo, Lifehacker, Kotaku, Deadspin and more

Filed Under: Data loss, Privacy

Following a security breach at Gawker Media, computer users who have left comments on websites such as Lifehacker, Gizmodo, Gawker, Jezebel, io9, Jalopnik, Kotaku, Deadspin, and Fleshbot are being advised to change their passwords as a matter of priority.

In a statement published on their websites, the media group said:

We understand how important trust is on the internet, and we're deeply sorry for and embarrassed about this breach of security - and of trust. We're working around the clock to ensure our security (and our commenters' account security) moving forward.

If you've registered an account on any Gawker Media web site (that includes Gawker, Gizmodo, Jalopnik, Jezebel, Kotaku, Lifehacker, Deadspin, io9, or Fleshbot), and you didn't log in using Facebook Connect, then it's best to assume that your username and password were included among the leaked data.

Up to 1.3 million user credentials are said to have been stolen from the websites by a hacking group calling itself Gnosis. The stolen data was then posted on The Pirate Bay, so anyone who downloads it can potentially use the credentials to compromise accounts, on Gawker's sites and on any other site where the same password was reused.

Further details about how to proceed are available in Gawker's FAQ on the subject. If you've commented on any of the websites listed above I would recommend that you read the FAQ as a matter of priority to make sure that your other online accounts are safe.

So, time to learn two important lessons. Never use the same password on multiple websites, and, when you change a password (in a situation like this or at any other time), make sure that it is not a dictionary word. A leaked dump of password hashes is exactly the input that password-cracking tools are built for: a single dictionary word, or a word with a digit or two tacked on, is recovered in seconds, and a slower hashing scheme on the site's side only raises the attacker's cost, it does not save a guessable password.
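To make both lessons concrete, here is an added example (not code or data from the original post, and not Gawker's own scheme) that runs a dictionary attack with a few mangling rules over a constructed credential dump, then replays the cracked passwords against a second, equally constructed site to show how reuse turns one breach into two. The accounts, wordlist and both hashing functions are assumptions for illustration: the SHA-1 routine stands in for any fast per-guess scheme, and PBKDF2 stands in for bcrypt/scrypt/argon2 as the slow alternative.

```python
"""Dictionary attack against a leaked credential dump, plus a credential
replay against another site.  Added example with constructed data; the
hashing schemes are stand-ins and do not reproduce any real site's code."""
import hashlib
import hmac
import os

# Constructed accounts for the breached site (invented, not real users).
BREACHED_SITE_ACCOUNTS = {
    "dante": "password",                       # dictionary word
    "thuwin": "Monkey123",                     # word + cheap mangling
    "edt": "correct horse battery staple",     # multi-word passphrase
    "maggie": os.urandom(12).hex(),            # random, not guessable
}

# Constructed second site; two users reused their breached password.
OTHER_SITE_ACCOUNTS = {
    "dante": "password",            # reused -> falls with the first breach
    "thuwin": "Monkey123",          # reused
    "maggie": "a-different-one",    # unique to this site
}

# Tiny constructed wordlist; real ones hold millions of entries.
WORDLIST = ["123456", "password", "letmein", "monkey", "dragon", "qwerty",
            "correct", "horse"]


def fast_hash(password: str, salt: bytes) -> bytes:
    """One SHA-1 per guess: a stand-in for any fast scheme.  This is what
    makes a dump cheap to attack even when every entry is salted."""
    return hashlib.sha1(salt + password.encode()).digest()


def slow_hash(password: str, salt: bytes, iterations: int = 20_000) -> bytes:
    """Deliberately slow KDF (PBKDF2-HMAC-SHA256).  Production settings use a
    much higher cost; the point is that each guess costs `iterations` HMACs."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def build_dump(accounts, hasher):
    """What an attacker walks away with: (username, salt, hash) rows."""
    dump = []
    for user, pw in accounts.items():
        salt = os.urandom(8)
        dump.append((user, salt, hasher(pw, salt)))
    return dump


def candidates(word):
    """Cheap mangling rules that crackers apply to every dictionary word."""
    yield word
    yield word.capitalize()
    for suffix in ("1", "123", "!"):
        yield word + suffix
        yield word.capitalize() + suffix


def dictionary_attack(dump, wordlist, hasher):
    """Return {username: password} for every hash matched by a candidate."""
    cracked = {}
    for user, salt, digest in dump:
        for word in wordlist:
            for guess in candidates(word):
                if hmac.compare_digest(hasher(guess, salt), digest):
                    cracked[user] = guess
                    break
            if user in cracked:
                break
    return cracked


def credential_stuffing(cracked, other_site):
    """Replay cracked credentials against another site (the Twitter spam
    scenario) and return the usernames whose reused password logs in."""
    return sorted(u for u, pw in cracked.items() if other_site.get(u) == pw)


if __name__ == "__main__":
    import time
    for name, hasher in (("fast SHA-1", fast_hash), ("PBKDF2", slow_hash)):
        dump = build_dump(BREACHED_SITE_ACCOUNTS, hasher)
        t0 = time.perf_counter()
        cracked = dictionary_attack(dump, WORDLIST, hasher)
        print(f"{name}: cracked {sorted(cracked)} in "
              f"{time.perf_counter() - t0:.2f}s")
    print("reused elsewhere:", credential_stuffing(cracked, OTHER_SITE_ACCOUNTS))
```

Run as a script, the fast run finishes in milliseconds while the PBKDF2 run takes noticeably longer, yet both recover exactly the same two accounts: the passphrase and the random password survive either way, and the slow hash only changes how long the guessable ones last. The replay step is the part that changing a single site's password does not fix.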


Update: The security breach has been implicated in a widespread Acai Berry spam attack which has hit Twitter users hard: Twitter accounts whose owners had reused their Gawker password were hijacked to send the spam, emphasising the need to use different passwords on different websites.


16 Responses to Passwords compromised at Gawker, Gizmodo, Lifehacker, Kotaku, Deadspin and more

  1. Dante says:

    They don't use HTTPS for login. If the bad guys could now stand in the middle of all those users now forced to change their passwords in plaintext...

  2. Thu Win says:

    So those using Facebook connect are not affected? Should I change my Facebook password?

    • Gawker say that if you used Facebook Connect then you're not affected.

      However, if you use the same password on your Facebook account as you do on other websites then yes, you should definitely change your Facebook password.

      • Thu Win says:

        So I guess if I do not, I'm safe. So I guess it's safer and easier to use Facebook Connect to comment and interact with various websites (like Sophos blogs :D)

        • If you're going to use Facebook Connect, just make sure that you keep your Facebook password secure (and that you don't use that password anywhere else).

          And, of course, follow the usual security best practices to protect your PC and online activities.

      • Thu Win says:

        Which is safer? Google connect/Twitter Connect/Facebook connect? Or is that generally using third party sites (not the site you are interacting with) is safer and easier than registering on individual sites to interact with them?

        • Much of a muchness. Just make sure that you keep *all* of your passwords secure, make certain that they are unique and non-dictionary words (see the video), and that you follow the usual best practices to secure your computer activities.

  3. Ed Truitt says:

    This really points out the value of federated identity - let those who are capable of managing identity properly handle it, and take that function away from websites that aren't set up to do it properly.

    I understand the "best practice" of choosing unique passwords for each account, but that solution does NOT scale well. Just saying.

    ~EdT.

  4. Thu Win says:

    Also many internet security programs come with password storage programs. For example, Norton Internet Security has Identity Safe, which stores passwords.

  5. @vagmi says:

    They should really be using bcrypt with 12 rounds for storing passwords. I read somewhere that they used DES.

  6. Thu Win says:

    Another tip is that if you are using a friend's computer, be sure to log out of the site you are using and clear your history and especially your cookies. That way, your friend cannot (accidentally) log into your account.

  7. Jennifer B. Klein says:

    The feed for comments to this post doesn't work: http://nakedsecurity.sophos.com/2010/12/13/gawker... and all the rest of the feeds redirect to http://feeds.feedburner.com/NakedSecurity which is not what I want.

  8. Maggie says:

    I gotta say, for a company that tends to be pretty darn flippant about things, I'm actually fairly impressed with how they're handling this. Very open, plausibly regretful and abashed, and seemingly committed to avoiding a repeat of the situation.

    From their FAQ
    11) What are you doing to ensure this doesn't happen in the future?
    We're bringing in an independent security firm to improve security across our entire infrastructure. Additionally, we will continue to work with independent auditors to ensure we maintain a reliable level of security, as well as the processes necessary to ensure we maintain a safe environment for our commenters.
    http://lifehacker.com/5712785/faq-compromised-com...


About the author

Graham Cluley has worked in the computer security industry for more than 20 years, developing anti-virus software and doing quite a lot of talking about internet threats. He's won awards for his blogging, but is proudest of the text adventure games he wrote when he was still wearing short trousers. You can learn more about those (the games, not the trousers) at grahamcluley.com. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.