A mass compromise affecting users of Gawker Media's Websites has spilled over onto Twitter, sparking a spam campaign.
Gawker Media's servers were hit by hackers during the weekend,
exposing the e-mail addresses and passwords of registered users of their
Websites and apparently leading to a spam campaign launched on Twitter.
A group called "Gnosis" has taken credit for the attack and put
the compromised data in a 500MB file. Inside is information on users of a
number of Gawker Media Websites: Lifehacker, Gizmodo, Gawker, io9, Jalopnik,
Kotaku, Jezebel, Fleshbot and Deadspin.
In addition to user passwords, the attackers walked away with usernames and
passwords for Gawker's staff, as well as Gawker's source code and chat logs of
discussions between employees.
"If you've registered an account on any Gawker Media web site ... and you
didn't log in using Facebook Connect, then it's best to assume that your
username and password were included among the leaked data," Gawker stated
in a "Frequently Asked Questions"
post on its Website. "Passwords in our database are encrypted (i.e., not
stored in plain text), but they're still potentially vulnerable to hackers. You
should immediately change the password on your account, and if you used that
password on any other web site, you should change your passwords on all of
those accounts as well."
The company noted that it does not store Twitter or Facebook passwords,
meaning people who log into Gawker sites through them should be
unaffected. That, however, did not turn out to be the case, as many
people reuse the same password across multiple sites. According to Del
Harvey, head of Twitter's trust and safety team, the password theft
from Gawker appears to have led directly to an attack on Twitter.
Hundreds of thousands of Twitter accounts are believed to have been
compromised to send out spam touting the Acai Berry diet, according
The spam is coming with messages such as: "I lost
9lbs using acai! RT This! [link]." Those who click on the link are taken
to a Web page promoting the diet.
"Not enough computer users have woken up to the danger of using the
same password on different websites," blogged Graham Cluley, senior
technology consultant at Sophos. "Doing that means that if one site gets
hacked (as in the Gawker case) then you might also be handing over the keys to
other websites. Once one password has been compromised, it's only a matter of
time before the fraudsters will be able to gain access to your other accounts
and steal information for financial gain."
In response to the incident, Gawker said it is bringing in an
independent security firm to improve security and will continue to work
with independent auditors to maintain "a reliable level of security."