Gawker Media’s servers were hit by hackers during the weekend, exposing the e-mail addresses and passwords of registered users of their Websites and apparently leading to a spam campaign launched on Twitter.
A group called “Gnosis” has taken credit for the attack and put the compromised data in a 500MB file. Inside is information on users of a number of Gawker Media Websites: Lifehacker, Gizmodo, Gawker, io9, Jalopnik, Kotaku, Jezebel, Fleshbot and Deadspin.
In addition to user passwords, the attackers walked away with usernames and passwords for Gawker’s staff, as well as Gawker’s source code and chat logs of discussions between employees.
“If you’ve registered an account on any Gawker Media web site … and you didn’t log in using Facebook Connect, then it’s best to assume that your username and password were included among the leaked data,” Gawker stated in a “Frequently Asked Questions” post on its Website. “Passwords in our database are encrypted (i.e., not stored in plain text), but they’re still potentially vulnerable to hackers. You should immediately change the password on your account, and if you used that password on any other web site, you should change your passwords on all of those accounts as well.”
The company noted that it does not store Twitter or Facebook passwords, meaning people who log into Gawker sites through them should be unaffected. That, however, did not turn out to be the case, as many people reuse the same password across multiple sites. According to Del Harvey, head of Twitter’s trust and safety team, the password theft from Gawker appears to have led directly to an attack on Twitter.
Hundreds of thousands of Twitter accounts are believed to have been compromised to send out spam touting the Acai Berry diet, according to Sophos. The spam is coming with messages such as: “I lost 9lbs using acai! RT This! [link].” Those who click on the link are taken to a Web page promoting the diet.
“Not enough computer users have woken up to the danger of using the same password on different websites,” blogged Graham Cluley, senior technology consultant at Sophos. “Doing that means that if one site gets hacked (as in the Gawker case) then you might also be handing over the keys to other websites. Once one password has been compromised, it’s only a matter of time before the fraudsters will be able to gain access to your other accounts and steal information for financial gain.”
In response to the incident, Gawker said it is bringing in an independent security firm to improve security and will continue to work with independent auditors to maintain “a reliable level of security.”