Gawker source code and database leaked

Today, technology media giant Gawker, which runs sites including Gizmodo and Lifehacker, had its source code and databases leaked to a popular torrent website.

Gawker issued a statement advising anyone who has an account on its commenting network to change their password to prevent unauthorized access to the account. After the post by Gawker officials confirming the breach, those who leaked the source code and database also placed an article on Gawker about the situation. The goal of the intruders' post, while at first glance somewhat official-looking, was to spread word of exactly where the compromised information could be downloaded.

The group, which is known simply as Gnosis, listed exactly what was breached:

  • Database dump (1.3+ million rows), including cracked passwords.
  • Source dump
  • Upcoming redesign
  • List of Gawker server kernel versions.

In addition to what was listed, several staff Twitter accounts linked with Gawker were also compromised. Gawker's response has been fast and decisive: most of the staff have already changed their login information, and they urge commenters to do likewise.

Gnosis had this message to send to the media company:

So, here we are again with a monster release of ownage and data droppage. Previous attacks against the target were mocked, so we came along and raised the bar a little. **** you gawker, how's this for "script kids"? Your empire has been compromised, Your servers, Your databases, Online accounts and source code have all been ripped to shreds! You wanted attention, well guess what, You've got it now!

To everyone who has a Gawker account: to avoid having your account hijacked, change your password now by clicking your username at the top of the page on Gawker, then choosing the "Password" link towards the middle of the page. Gawker simply had this to say on the matter: "We're deeply embarrassed by this breach. We should not be in the position of relying on the goodwill of the hackers who identified the weakness in our systems."

Update: Voice News says that the attack followed a one-line link on a Gawker website to a statement from President Obama calling WikiLeaks "deplorable." In addition, the official Gawker Twitter account was also compromised, as shown in these screenshots from Voice News:

[Screenshots from Voice News of the compromised Gawker Twitter account]

Update #2: If you wish to check whether your email is on the list of compromised accounts, one person uploaded all of the email addresses hashed in MD5 format. You can check that table for yours as follows: go to http://pajhome.org.uk/crypt/md5/ and type in your email to get its MD5 hash, click "Show Options" on the table, then paste the MD5 hash into the field and click "Apply." Note that MD5 is case-sensitive, so type the address exactly as you registered it (and try an all-lowercase form as well). This will tell you whether you own one of the hijacked accounts.

63 Comments


If the passwords are encrypted (as stated by a few here), how is it that thousands of twitter accounts that used the same login/pass as Gawker's system got compromised shortly after?

aarste said,
If the passwords are encrypted (as stated by a few here), how is it that thousands of twitter accounts that used the same login/pass as Gawker's system got compromised shortly after?

Read more than 50% of the comments.

To: Alan Cole.

The compromised emails are in fact not compromised. There is a list of user names and passwords of the Gawker Network user base. The thing here is it also displays their actual email addresses: @me.com, @hotmail.com, @yahoo.com, even @mail.house.gov. There is no compromise here besides the user and password ONLY inside the Gawker Network (Lifehacker, Gizmodo, etc).

The only problem would be if your email password is the same as your Gawker login password.

There are, like, a lot of passwords using "password" as their password. Also "qwerty" and "qwertyui".

LOL

This is really annoying. I checked the table and it seems that my account is safe, but I'm going to change the password or even close the account.

I don't know why people complain against Anon. Mainly I think it's jealousy. How can you complain about someone defending the freedom of information? I don't understand why you people reading articles here complain about his work while you all do nothing valuable. I say keep up the good work and there are people that like what you do.

boumboqc said,
I don't know why people complain against Anon.

Because they're dangerous and not in the way you think they are.

They don't protect any freedom of speech, mark my words - the actions of the anon will eventually either destroy anonymity online or allow legislators around the globe to push through never before seen draconian measures to track down and punish people doing it.

Miuku said,

Because they're dangerous and not in the way you think they are.

They don't protect any freedom of speech, mark my words - the actions of the anon will eventually either destroy anonymity online or allow legislators around the globe to push through never before seen draconian measures to track down and punish people doing it.

The only real rule anon go by is to 'do it for the lolz', be it good (finding the cat woman) or bad (taking the P*ss out of disabled kids who just had their xboxes stolen)... they do it for the funniness of it, not to help people, they thought it'd be funny to get that cat woman locked up, sure they have caturday and lolcats etc but they certainly are not people who are trying to be nice for everyone. White knights, black knights, cancer and all things nice, there is part of everyone in anon and it's mostly bad.

With that said, I do support freedom they be hold insight. It reminds me of way way back in the early '90s when the internet (read webpages) was first starting to pop up, everything was kinda new and there was little censorship.

Miuku said,

Because they're dangerous and not in the way you think they are.

I don't know about that, do you trust your bankers or your fellow neighbors more?

boumboqc said,
How can you complain about someone defending the freedom of information?

Here's a thought: maybe not all information should be free. Like my credit card info, or how to make a nuclear weapon. If they really cared about "freedom of information" then they wouldn't hide their identities. Shouldn't that information be free as well?

These guys are idiots, and the fact that there are people in the world defending them scares me...

Miuku said,

Because they're dangerous and not in the way you think they are.

They don't protect any freedom of speech, mark my words - the actions of the anon will eventually either destroy anonymity online or allow legislators around the globe to push through never before seen draconian measures to track down and punish people doing it.


sagum said,

The only real rule anon go by is to 'do it for the lolz', be it good (finding the cat woman) or bad (taking the P*ss out of disabled kids who just had their xboxes stolen)... they do it for the funniness of it, not to help people, they thought it'd be funny to get that cat woman locked up, sure they have caturday and lolcats etc but they certainly are not people who are trying to be nice for everyone. White knights, black knights, cancer and all things nice, there is part of everyone in anon and it's mostly bad.

With that said, I do support freedom they be hold insight. It reminds me of way way back in the early '90s when the internet (read webpages) was first starting to pop up, everything was kinda new and there was little censorship.

Both of you are sooo wrong. Ever heard about anon's acts on Scientology? Considering what you wrote, I guess not. Anon DOES protect freedom of speech, acting and trolling is merely something like a habit but it does no harm to the goal.

boumboqc said,
I don't know why people complain against Anon. Mainly I think it's jealousy. How can you complain about someone defending the freedom of information? I don't understand why you people reading articles here complain about his work while you all do nothing valuable. I say keep up the good work and there are people that like what you do.

You really think Anon is nothing but honest, good-natured freedom-of-speech protectors? Wow, did your parents not take the firewall off your computer yet, or what?

JonathanMarston said,

Here's a thought: maybe not all information should be free. Like my credit card info, or how to make a nuclear weapon. If they really cared about "freedom of information" then they wouldn't hide their identities. Shouldn't that information be free as well?

These guys are idiots, and the fact that there are people in the world defending them scares me...

Your credit card number is not "information". It's data. But let's not waste time in poor analogies.
Moreover, yes, how to make a nuclear weapon should be free. Actually, if you spend a week researching through the web and - behold - libraries, you'll probably figure it out. Will you be able to build one and use it? I doubt it.

Lazlo said,

Your credit card number is not "information". It's data. But let's not waste time in poor analogies.
Moreover, yes, how to make a nuclear weapon should be free. Actually, if you spend a week researching through the web and - behold - libraries, you'll probably figure it out. Will you be able to build one and use it? I doubt it.

Can you enlighten me on your arbitrary differentiation between 'data' and 'information'?

Lazlo said,

Your credit card number is not "information". It's data. But let's not waste time in poor analogies.
Moreover, yes, how to make a nuclear weapon should be free. Actually, if you spend a week researching through the web and - behold - libraries, you'll probably figure it out. Will you be able to build one and use it? I doubt it.


What geoken said.
And show me in a week, in detailed form, how to make a nuclear weapon. From the tiniest ingredient.

Ayepecks said,
Never understood why people do **** like this. Grow up and do something with your life.

"**** like this," while morally deplorable, does in fact serve a beneficial purpose. It shows where there are weaknesses in systems, and it forces people to act and fix the weakness. I wish the world worked in such a way that merely telling the vulnerable party that their security is poor would get them to fix it, but all too often, nothing is done with these White Hat notices. Black Hats tend to get faster results, if for nothing more than the PR ****storm that ensues.

Sraf said,

"**** like this," while morally deplorable, does in fact serve a beneficial purpose. It shows where there are weaknesses in systems, and it forces people to act and fix the weakness. I wish the world worked in such a way that merely telling the vulnerable party that their security is poor would get them to fix it, but all too often, nothing is done with these White Hat notices. Black Hats tend to get faster results, if for nothing more than the PR ****storm that ensues.

I'm sure your tune would change if they released something that affected you, like bank information or creditcard details..

Just because you can get the info is no reason to post it all over the net..

It makes them no better than any other "bad" hacker..

Ryoken said,
I'm sure your tune would change if they released something that affected you, like bank information or creditcard details..

Just because you can get the info is no reason to post it all over the net..

It makes them no better than any other "bad" hacker..

I never labeled them as good, I just said that what they do does have positive impact over the long term.

Sraf said,

"**** like this," while morally deplorable, does in fact serve a beneficial purpose. It shows where there are weaknesses in systems, and it forces people to act and fix the weakness. I wish the world worked in such a way that merely telling the vulnerable party that their security is poor would get them to fix it, but all too often, nothing is done with these White Hat notices. Black Hats tend to get faster results, if for nothing more than the PR ****storm that ensues.


Saying "some good" comes out of this is laughable. You can do the same for almost any situation. There's more appropriate means of telling an organization the flaws of their security.

Ayepecks said,

Saying "some good" comes out of this is laughable. You can do the same for almost any situation. There's more appropriate means of telling an organization the flaws of their security.

The trouble is, many organisations couldn't care less about their security, and many would ignore any warnings that they might get if they decide that it's not worth it for whatever reason. Sometimes, something needs to go horribly wrong to bring about positive change. I don't like it, but this is the way that the world works.

After this, you can bet that Gawker is going to step up things like password encryption strength, among other things.
After the BP event in the Gulf, you can bet that new laws and regulations and industry standards will be implemented to prevent another disaster of the sort.
After XXXX airplane fault, you can bet that the NTSC, FAA and airline companies will step up and change things. (While I don't have a specific event in mind here, the entire airline industry's safety mechanisms and even much airplane design (such as the way the pressure is equalized between the cargo hold and the passenger cabin) are built on the blood of many people.)

I don't like it. I don't have to like it. This does not preclude me from seeing that this is how the world works. If you are like me and don't like it, then push for change in your industry to move security and safety from afterthoughts to forethoughts, from PR bull to actual objectives.

I should also note that you cannot prevent everything that can go wrong. I just wish that many security and safety things weren't so reactionary, that if a serious problem is seen beforehand, it should be fixed, that solutions to unforeseen problems had more thought put into them (I'm looking at you, TSA).

Ayepecks said,

Saying "some good" comes out of this is laughable. You can do the same for almost any situation. There's more appropriate means of telling an organization the flaws of their security.

Unfortunately Sraf is right. Too many people/companies/organizations/governments ignore all warnings and notifications until something bad happens. It's just the way things work, unfortunately.

Stebet said,

Unfortunately Sraf is right. Too many people/companies/organizations/governments ignore all warnings and notifications until something bad happens. It's just the way things work, unfortunately.

Yes, but is it right to applaud people for it? If I went to a construction site that I believed was not fully implementing various safety standards, would you commend me for initiating an incident that brought to light the lax safety standards by injuring several workers?

geoken said,

Yes, but is it right to applaud people for it? If I went to a construction site that I believed was not fully implementing various safety standards, would you commend me for initiating an incident that brought to light the lax safety standards by injuring several workers?

If you "did it for the lulz" it would be totally acceptable.

bob_c_b said,
Anonymous is so lame, I hope someone finds a way to prosecute some of these d-bags, not likely, but I can hope.

If a Brazilian article (citing the Sunday Times) I read moments ago is true, some 35000 people have downloaded the tool to participate in DDoS attacks... That's a lot of people spread around the world to catch...

Marcos_Edson said,

If a Brazilian article (citing the Sunday Times) I read moments ago is true, some 35000 people have downloaded the tool to participate in DDoS attacks... That's a lot of people spread around the world to catch...


This week 75000 downloads.

Marcos_Edson said,

If a Brazilian article (citing the Sunday Times) I read moments ago is true, some 35000 people have downloaded the tool to participate in DDoS attacks... That's a lot of people spread around the world to catch...

Like I said, not likely, but it would make me happy.

Marcos_Edson said,

If a Brazilian article (citing the Sunday Times) I read moments ago is true, some 35000 people have downloaded the tool to participate in DDoS attacks... That's a lot of people spread around the world to catch...

Well, if they catch 100 of them, it's very likely that most of those 35000 will give up (especially after it was leaked that the LOIC tool does not use a proxy and can provide the IP information of those using it).

sviola said,
especially after it was leaked that the LOIC tool does not use a proxy and can provide the IP information of those using it

Oh, that was a leak? Can't you read source code?
Moreover, I hope you do realize that DoSing through a proxy hurts the proxy more than the target. <.<

I've posted comments on their sites before, but never actually registered a user on their sites. Fortunately, these guys support posting via other accounts.

Also, the passwords were apparently encrypted. While that's not much of a problem if your password is easy to crack via a dictionary attack, and possibly a problem if a hacker just wants to do it for the lulz, I doubt any hackers will bother trying to brute force a harder password.

blahism said,
Gawker is trash these days.. but not sure what leaking all of this accomplishes

I quite enjoy Kotaku, although I do not have an account as I don't ever plan to comment on articles.

blahism said,
Gawker is trash these days.. but not sure what leaking all of this accomplishes

Agreed. Gizmodo and Kotaku are such idiotic pieces of drivel that I couldn't care less.

Never heard of Gawker and hardly of Lifehacker. It's a weird world on the net where a site you have never heard of can actually make the news.

Sylar2010 said,
Never heard of Gawker and hardly of Lifehacker. It's a weird world on the net where a site you have never heard of can actually make the news.

Ever heard of Gizmodo? They leaked the iPhone 4 months ahead of release. They are part of Gawker.

Sylar2010 said,
Never heard of Gawker and hardly of Lifehacker. It's a weird world on the net where a site you have never heard of can actually make the news.

I think it's weirder that you've never seen these sites.... the fact they're in the news is because people use them.

Sylar2010 said,
Never heard of Gawker and hardly of Lifehacker. It's a weird world on the net where a site you have never heard of can actually make the news.

o_O Seriously?

Sylar2010 said,
Never heard of Gawker and hardly of Lifehacker. It's a weird world on the net where a site you have never heard of can actually make the news.

+1 for this

Sylar2010 said,
Never heard of Gawker and hardly of Lifehacker. It's a weird world on the net where a site you have never heard of can actually make the news.

I've never heard of that site either. Gizmodo, kinda, but I never visit or know about it. Maybe cos of the word "gizmo" I am mixing it up with.

Note: Gawker uses security on their passwords. The passwords are encrypted in a one-way manner, but I am not sure what algorithm they are using (hope it's not MD5, though it likely isn't). As they have warned, the most likely way for anyone to get your password from these leaked files is to brute force them.


Also, the upcoming redesign was not exactly secret. Gizmodo's is at http://beta.gizmodo.com/

Wrong. They were using DES. Very easy to retrieve the plaintext passwords from it, or well, at least the first 8 characters. But that doesn't matter, because all passwords were truncated to 8 characters anyway, so you only needed that to log in.

All passwords have been "decrypted". Some have even been posted on numerous forums and pastebin-like websites, with the corresponding username and email address.

This is how security should NOT be done. I can't believe someone as big as Gawker was doing it so wrong.

noroom said,
Wrong. They were using DES. Very easy to retrieve the plaintext passwords from it, or well, at least the first 8 characters. But that doesn't matter, because all passwords were truncated to 8 characters anyway, so you only needed that to log in.

All passwords have been "decrypted". Some have even been posted on numerous forums and pastebin-like websites, with the corresponding username and email address.

This is how security should NOT be done. I can't believe someone as big as Gawker was doing it so wrong.

Well blow me down, that's no good. Makes me glad that the password I used there was a "phase out" password of mine.

noroom said,
...
This is how security should NOT be done. I can't believe someone as big as Gawker was doing it so wrong.

One "benefit" of an event like this is that it causes the devs to quickly read up on how to do it properly and implement better security.

Sraf said,
Note: Gawker uses security on their passwords. The passwords are encrypted in a one way manner, but I am not sure what algorithm they are using (hope it's not MD5, though it likely isn't).

MD5 is pretty safe even when it is considered as a de-facto standard way to store passwords. But it can be defeated using a brute force dictionary attack, like almost any password around here.

Magallanes said,
MD5 is pretty safe even when it is considered as a de-facto standard way to store passwords. But it can be defeated using a brute force dictionary attack, like almost any password around here.

Which is why you salt your passwords, preferably with a different salt per user, making rainbow tables pretty much useless...
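As an added example (not code from the article or from any commenter), the two storage schemes argued over in this thread side by side in Python: an unsalted MD5 store, against which one precomputed table of candidate hashes covers every user at once (the same hash-and-look-up mechanism the Update #2 email check relies on), and a per-user salted PBKDF2 store, where the same password never yields the same record twice. All usernames, passwords and the wordlist are constructed sample data; the DES-crypt 8-character truncation noroom describes is not reproduced here.

```python
import hashlib
import hmac
import os

# Constructed sample data (not from the leaked dump): the weak passwords the
# comments above mention, stored the way an unsalted MD5 scheme would store them.
WEAK_USERS = {
    "alice": hashlib.md5(b"password").hexdigest(),
    "bob": hashlib.md5(b"qwerty").hexdigest(),
    "carol": hashlib.md5(b"qwertyui").hexdigest(),
    "dave": hashlib.md5(b"correct horse battery staple").hexdigest(),
}

# A tiny constructed wordlist; an audit of a real dump would use a large one.
WORDLIST = ["123456", "password", "qwerty", "qwertyui", "letmein"]


def audit_unsalted_md5(users, wordlist):
    """Return {username: password} for every account whose stored hash is the
    MD5 of a wordlist entry.  The lookup table is built once and reused for
    every user, which is exactly why unsalted hashes fall so cheaply."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: table[h] for user, h in users.items() if h in table}


# Hardened scheme: a random 16-byte salt per user and a deliberately slow KDF.
ITERATIONS = 100_000


def make_record(password, salt=None):
    """Return (salt, digest).  A fresh salt is drawn unless one is supplied,
    so two users with the same password get two unrelated digests."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify(password, record):
    """Check a login attempt against a stored (salt, digest) record."""
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    # Constant-time comparison: don't leak how many leading bytes matched.
    return hmac.compare_digest(candidate, digest)


def salted_records_collide(password, trials=2):
    """True only if the same password produced identical records twice,
    i.e. if one lookup table could cover many users under this scheme."""
    digests = {make_record(password)[1] for _ in range(trials)}
    return len(digests) < trials


if __name__ == "__main__":
    print("cracked under unsalted MD5:", audit_unsalted_md5(WEAK_USERS, WORDLIST))
    record = make_record("password")
    print("salted verify, correct password:", verify("password", record))
    print("salted verify, wrong password:", verify("passw0rd", record))
    print("salted records collide:", salted_records_collide("password"))
```

Under the unsalted scheme the three weak accounts fall to the one table while dave's passphrase survives; under the salted scheme even the weak password has to be attacked one user at a time.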

Sounds like they got all butt hurt about it. They may not be script kids but from the quote alone they still act like one.