Monday, December 13, 2010

Gawker compromised -- users registered with an email address have their passwords in the open.

Gawker (Lifehacker, Gizmodo, Gawker, Jezebel, io9, Jalopnik, Kotaku, Deadspin, Fleshbot) was compromised, exposing the entire database of people who used an email address to register with any of Gawker's sites. Those who accessed it via Facebook apparently aren't exposed, as their passwords aren't saved on Gawker's servers.

You can read about it directly here, and reported more obtusely here, here and here.

Those who were exposed need to immediately log in and change their passwords, then go through the list of other sites on which they've used the same email address and password, and change the passwords on those sites ASAP. People need to do this immediately because the compromised data is on Pirate Bay as a torrent, with over 450 seeds last I checked, and probably thousands of people downloading it.

What is shocking is that over 680 people used "qwerty" (or "qwerty" combined with other letters and numbers) in their passwords, and another 1950+ people used "password" as their password, which just boggles the mind. I'm guessing site administrators need to add a few lines of code to reject anyone who attempts to register with a password of "password" or "qwerty", or the also ubiquitous "1234567890".
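The registration-time check the post asks for, as an added example that is not part of the original post: it rejects the three words the post names and the "qwerty plus a few digits" variants it describes. The deny-list entries beyond those three words, the keyboard rows and the 10-character minimum are my assumptions.

```python
import re
from typing import Optional

# Constructed deny-list for this example. "password", "qwerty" and "1234567890"
# are the ones the post names; the rest are assumed additions. A real sign-up
# form would load a much larger list of passwords seen in leaks.
COMMON_PASSWORDS = {
    "password", "qwerty", "1234567890", "123456", "12345678",
    "letmein", "abc123", "iloveyou", "welcome", "monkey",
}
# Rows for catching "walk the keyboard" passwords such as qwertyuiop or 0987654321.
SEQUENCES = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm",
             "abcdefghijklmnopqrstuvwxyz")
# Substitutions people bolt onto a dictionary word hoping to slip past a filter.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})
MIN_LENGTH = 10


def core_word(password: str) -> str:
    """Reduce a candidate to the word it is built on: lowercase, drop digits and
    symbols at either end, then undo leet substitutions, so "Qwerty123!" gives
    "qwerty" and "P@ssw0rd" gives "password"."""
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())
    return stripped.translate(LEET)


def is_sequence(password: str) -> bool:
    """True when the password is just a run along a keyboard row or the alphabet,
    in either direction (e.g. "asdfghjkl", "0987654321")."""
    s = re.sub(r"[^a-z0-9]", "", password.lower())
    return len(s) >= 3 and any(s in row or s in row[::-1] for row in SEQUENCES)


def weak_password_reason(password: str) -> Optional[str]:
    """Return why a registration attempt should be rejected, or None if the
    password passes. Deny-list hits are reported before length so the user
    learns the password itself, not its size, is the problem."""
    if password.lower() in COMMON_PASSWORDS:
        return "on the common-password list"
    core = core_word(password)
    if core in COMMON_PASSWORDS:
        return f"common password '{core}' with digits or symbols added"
    if is_sequence(password):
        return "keyboard or numeric sequence"
    if len(password) < MIN_LENGTH:
        return f"shorter than {MIN_LENGTH} characters"
    return None
```

Wire `weak_password_reason` into the registration handler and refuse the account with the returned reason; a deny-list check is only useful if it runs before the password is ever stored.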

Some extra tidbits: not everyone's passwords have been decrypted (though there is no security in that, since it obviously wouldn't take very long to decrypt them), but everyone's user name is exposed. Also, not everyone's email address shows up in the released database, including mine...nonetheless, I changed my password. Which brings me to my next point: always use separate email addresses for separate functions (I have five email addresses).

Also note, for some STUPID reason, some people used their work email address in the military and government, and those were separately culled and parsed, perhaps as a backdoor method for cyber attacks on the US military and local governments. From Tennessee to Kentucky state governments, NASA, Albuquerque NM city government, even the Bay Area Rapid Transit, and for goodness' sake, the Israeli government and the Department of Homeland Security?!? WTF? Australian government, Arlington Texas city government, Virginia state government, the Centers for Disease Control, National Institutes of Health, Health and Human Services, the US Department of Education, Utah, California...the list is just astounding.

Let me be clear: DON'T EVER USE YOUR WORK EMAIL ADDRESS, ESPECIALLY IF YOU'RE WORKING FOR A GOVERNMENT, AND SPECIFICALLY IF YOU HAVE ACCESS TO SENSITIVE DOCUMENTS! HOW CAN YOU BE SO STUPID?

Sigh...no wonder some stupid Private was able to get his hands on a treasure trove of sensitive data. We're all doomed...doomed I tell you!
