The FBI is looking into the recent hack of Gawker Media that exposed password information and e-mail addresses belonging to users, according to reports.
A group known as “Gnosis” has taken credit for the attack, and put the data it swiped into a file that was initially available via The Pirate Bay.
Rumors of the hack began to circulate Dec. 11, and Gawker confirmed them with a warning a day later. According to the company, the breach impacted users of several sites, including users of Gizmodo, Gawker and Deadspin. In addition, the attackers made off with user names and passwords for Gawker’s staff, as well as Gawker’s source code and chat logs of discussions between employees.
The password information was encrypted, but was still vulnerable to being cracked-a fact underscored by the subsequent compromise of Twitter accounts belonging to some users. Many of those passwords were simplistic-an analysis by Duo Security found the most common passwords were “123456″ and “password.”
There are so many Websites that ask users to create a password that it is impossible to keep track of them all, said Richard Stiennon, chief research analyst at IT-Harvest. People treat many of these sites as inconsequential, and therefore don’t bother to create strong passwords they will immediately forget, he added, something that is fine for a media site such as Gawker, but more problematic for things such as e-mail or Facebook accounts.
“(The) No. 1 best practice is never use a word that can be found in the dictionary,” he said. “A simple way to create a hard-to-guess password is to use the first letter of each word in a phrase. -When IT Rains it Pours’ becomes WIRIP. Add a number to make it eight characters long – WIRIP421. Change the “I” to “!” and you have a pretty strong password you can remember: W!R!P421. Do that for sites you pay for and ones that are important to you.”
In a “Frequently Asked Questions” posted in response to the incident, Gawker advised users to reset their passwords. In addition, the company said it is bringing in an independent security firm to improve its infrastructure security.