Gawker Media has implemented a number of changes to tighten security, according to a staff memo posted online on a Poynter Institute blog.
The changes follow a recent hack that compromised user passwords and corporate communications. Gawker did not respond to a request for comment on the memo, but in the message, Gawker CTO Tom Plunkett highlighted a number of moves to strengthen security.
Among them, he wrote, is that the company has now enabled SSL protection for all employees with Gawker Media accounts on Google Apps.
“Also effective immediately: If you require access to sensitive materials (legal, financial, or accounting documents) on Google Docs, you must have two-factor authentication set up on your account,” according to the memo. “No documents will be shared with personal Gmail accounts. We are also strongly encouraging all staff to set up two-factor authorization even if you do not require access to sensitive material.”
During the weekend of Dec. 11, news broke that hackers had successfully compromised Gawker Media servers. The attack exploited a vulnerability in Gawker’s source code, ultimately allowing the intruders to gain access to the editor wiki, some Gawker Media e-mail accounts and other “external resources,” the memo reads.
The attack also leaked passwords for some 1.4 million users of the company’s Websites, which include Deadspin, Gizmodo and Gawker.com, among others. As a result of the attack, some users with identical passwords for their Twitter and Gawker accounts had their Twitter accounts compromised as well, sparking a widespread spam campaign.
“We should not be in the business of collecting and storing personal information, and our objective is to migrate our platform away from any personal data dependencies (like email & password),” according to the memo. “We will push further integration of external account verification sources using OAuth (like Facebook, Twitter, and Google) for those that want to use them, and we’ll also be introducing disposable accounts. … Commenters seeking anonymity will be able to do so confident that when necessary they can simply toss out the account and there will be no connection to the individual.”
The company will also enforce a policy that prohibits sensitive information from being posted to the editor wiki or chat communications, and has established a help desk to address user concerns related to the breach.
“In addition, we have addressed all known vulnerabilities and will continue auditing our system for security flaws, and we have made appropriate changes to administrative accounts to our web and application infrastructure,” the memo reads. “There are many people reviewing our code base, and because of this, we will also reach out to members of the technical community to harness their expertise. This process will continue as we move to an entirely new, hardened web infrastructure.”