A Gawker Media memo outlines changes meant to bolster security in the wake of the recent attack.
Gawker Media has implemented a number of changes to tighten security,
according to a staff memo posted online on a Poynter Institute blog.
The changes follow a recent hack that compromised user passwords and corporate
communications. Gawker did not respond to a request for comment on the memo, but
in the message
, Gawker CTO Tom
Plunkett highlighted a number of moves to strengthen security.
Among them, he wrote, is that the company has now enabled SSL
protection for all employees with Gawker Media accounts on Google Apps.
: If you require access to sensitive materials (legal,
financial, or accounting documents) on Google Docs, you must have two-factor
authentication set up on your account," according to the memo. "No documents
will be shared with personal Gmail accounts. We are also strongly encouraging
all staff to set up two-factor authorization even if you do not require access
to sensitive material."
During the weekend of Dec. 11, news broke that hackers had successfully
compromised Gawker Media servers. The attack exploited a vulnerability in
Gawker's source code, ultimately allowing the intruders to gain access to the
editor wiki, some Gawker Media e-mail accounts and other "external
resources," the memo reads.
The attack also leaked passwords for some 1.4 million users of the
company's Websites, which include Deadspin, Gizmodo and Gawker.com, among
others. As a result of the attack, some users with identical passwords for
their Twitter and Gawker accounts had their Twitter accounts compromised
as well, sparking
a widespread spam campaign.
"We should not be in the business of collecting and storing personal
information, and our objective is to migrate our platform away from any
personal data dependencies (like email & password)," according to the
memo. "We will push further integration of external account verification
sources using OAuth (like Facebook, Twitter, and Google) for those that want to
use them, and we'll also be introducing disposable accounts. ... Commenters
seeking anonymity will be able to do so confident that when necessary they can
simply toss out the account and there will be no connection to the individual."
The company will also enforce a policy that prohibits sensitive information
from being posted to the editor wiki or chat communications, and has
established a help desk to address user concerns related to the breach.
"In addition, we have addressed all known vulnerabilities and will
continue auditing our system for security flaws, and we have made appropriate
changes to administrative accounts to our web and application
infrastructure," the memo reads. "There are many people reviewing our
code base, and because of this, we will also reach out to members of the
technical community to harness their expertise. This process will continue as
we move to an entirely new, hardened web infrastructure."