I think I am going to be checking the dump to ensure my password is not among it…<p>Remember, don’t use the same password across the Internet. Here’s why.<p><i>Edit:</i> It’s there, apparently as a DES hash. …<p><i>Update 2:</i> The first two characters are the hash. So if you use a tool like <a href="https://hash.online-convert.com/des-generator" rel="nofollow">https://hash.online-convert.com/des-generator</a> you are going to put your password in the “Text you want to convert…” box and the first two characters of your hashed password in as the “Salt (optional)”. Then you will see the “Calculated DES Hash” which will be the same as the hashed password from the torrent if you knew or guessed the password correctly.<p>E.g.<p>Your Lifehacker password is “hackern”, but in the torrent, it’s just “8h48GPxmwy.EA”. Just to show the torrent is legit, you go to the website I entered above, enter “hackern” and “8h” as the salt; it will spit back “8h48GPxmwy.EA”.<p><i>Update 3:</i> “OFFER HN”: The most paltry “Offer HN” ever — send me your username or email address and I’ll grep both files for you to see if your password and/or hash is in one of them. My email is contact-at-<HN username>ogan.com
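Added example, not from the thread: a small parser for the 13-character crypt(3) DES strings the post above describes, splitting off the two-character salt the "Update 2" instructions refer to and decoding the remaining 11 characters into the 64-bit digest. It only handles the format and its sanity checks; computing the hash itself is left to crypt(3) (Python's own crypt module was removed in 3.13). The sample value "8h48GPxmwy.EA" is the one quoted in the comment.

```python
"""Parse traditional crypt(3) DES password strings (added example).

Layout of a 13-char traditional DES crypt string:
  chars 0-1  : salt, 2 chars from the 64-char alphabet below (12 bits)
  chars 2-12 : 11 chars carrying the 64-bit DES output, 6 bits per char
               (66 bits, the last 2 are zero padding)
"""
from typing import NamedTuple

ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
SALT_BITS = 12          # 2 chars * 6 bits: only 4096 distinct salts exist
MAX_PASSWORD_LEN = 8    # DES crypt silently ignores anything past 8 chars


class DesCrypt(NamedTuple):
    salt: str          # what you pass as the salt when re-computing
    digest: bytes      # 8 bytes, in the order the crypt encoding emits them


def parse_des_crypt(s: str) -> DesCrypt:
    """Split a crypt(3) DES string into salt and 64-bit digest.

    Raises ValueError for anything that is not a traditional DES hash,
    e.g. $1$ (MD5-crypt) or $2a$ (bcrypt) strings, wrong length, bad chars.
    """
    if len(s) != 13:
        raise ValueError(f"expected 13 chars, got {len(s)}")
    if any(c not in ALPHABET for c in s):
        raise ValueError("character outside the crypt(3) alphabet")
    salt, body = s[:2], s[2:]
    value = 0
    for c in body:                      # 11 chars * 6 bits = 66 bits
        value = (value << 6) | ALPHABET.index(c)
    if value & 0b11:                    # last char's low 2 bits must be 0
        raise ValueError("low 2 bits of last char must be zero padding")
    digest = (value >> 2).to_bytes(8, "big")
    return DesCrypt(salt, digest)


def salt_from_hash(s: str) -> str:
    """Salt to feed crypt(3) when checking a password against this hash."""
    return parse_des_crypt(s).salt


def effective_password(pw: str) -> str:
    """The part of a password DES crypt actually uses (first 8 chars)."""
    return pw[:MAX_PASSWORD_LEN]
```

Once the salt is extracted, `crypt.crypt(password, salt)` on a Python that still ships the module, or `crypt(3)` from C, reproduces the full 13-character string locally without sending the password to a third-party site.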
This is <i>serious</i>. I just checked out the torrent with the text file of the 200,000 cracked passwords. I searched for an @me.com account and logged into someone's Apple account. It was possible for me to order stuff via their account. I quickly emailed the guy to let him know to change his password. Gawker <i>needs</i> to take responsibility for this situation and email everyone in their database.
My credentials were in the pile.<p>So, uh, how come I and everyone else affected don't have an email in our inboxes from Gawker right now, marked as urgent, explaining the situation?<p>Doesn't that seem like the right thing to do?
Looks like it is quite easy to shut off ads on Gawker. They do a simple boolean check to see if you have a "noad" cookie set. Try entering this into the console.<p><pre><code>javascript:document.cookie='noad=true; expires=Thu, 2 Aug 2021 20:47:11 UTC; path=/';
</code></pre>
This shuts everything off, except for one ad at the top.<p>(Here's a bookmarklet for this, if anyone wants to try it out: <a href="http://bit.ly/exvive" rel="nofollow">http://bit.ly/exvive</a>)
Has anyone checked if source/ contains the source for their proprietary CMS?<p>From Felix Salmon:<p><i>Most of the value of Gawker Media lies in Hungary—but how much value is there, really? To a large degree that depends on what Denton decides to do with his proprietary technology. Other blogging platforms are worth nine-figure sums—Tumblr just got a valuation of $135 million, while Automattic, the parent of WordPress, turned down a $200 million acquisition offer three years ago, when it was much smaller than it is today, and subsequently raised money at a valuation north of $150 million. I know a lot of people at big media companies who struggle with the limitations of WordPress, and who would pay good money to license an alternative web publishing technology, if it was robust and proven. Big companies are already licensing the NYT’s Press Engine mobile-publishing technology, and it’s rumored that at one point Denton was talking to Bonnie Fuller about licensing his technology to her nascent website, although that never happened.</i><p><a href="http://news.ycombinator.com/item?id=1998642" rel="nofollow">http://news.ycombinator.com/item?id=1998642</a>
I've downloaded the torrent; convenient of them to give an email address with each cracked account.<p>I'm currently writing a little script that parses all the addresses and emails the owners a heads up. I gotta step out, so I won't have it done for 2-3 hours, and I thought I'd post here in case anyone else has that idea (don't want to flood the victims).
For anyone who is interested in more details, check out the readme file for how it actually went, or at least a rough sketch of it.<p><a href="http://pastebin.com/cpb7ndV8" rel="nofollow">http://pastebin.com/cpb7ndV8</a>
Random datapoint: My e-mail was one that got hit in this hack. 15 minutes ago my Twitter and Gmail both just locked me out. I was able to set new passwords via mobile verification, but that was pretty spooky and clearly someone is going after the people who got exposed here.
Having seen the pastebin link, these guys use really, really poor passwords. Only alphanumeric - usually just one of the two - rarely with capitalization, and nothing else.
When will people learn to use bcrypt for their passwords? And on that topic, when will a "security expert" bless it? <a href="http://stackoverflow.com/q/3722780/17174" rel="nofollow">http://stackoverflow.com/q/3722780/17174</a>
Does anyone have any information on changing all their account passwords at once? I don't use the same password for any two sites, but for unimportant sites like blogs, etc., I use fairly similar passwords.
For a little background information on DES password hashing, check out this assignment from my Computer Security class at UT Austin:<p><a href="http://www.cs.utexas.edu/users/byoung/cs361/crack-assignment.html" rel="nofollow">http://www.cs.utexas.edu/users/byoung/cs361/crack-assignment.html</a><p>It gives a little bit of background information on password hashing and salting, and on simple password cracking techniques.
I wonder if there's an option for an ISP to proactively secure these accounts. GMail has phone verification for backup, they could temporarily disable the account of anyone who has a matching password.<p>Odd, I'm sure I had a lifehacker comments account, but my username isn't listed. No complaints though.
I have an io9 account (that's a Gawker site) but my email isn't showing up in a grep of the db dumps. Perhaps this is not the entire database after all? (I didn't use Facebook Connect.)<p>I must admit I'm a bit intrigued as to why mine's not there. Anyone else in this boat?
I'm in there, and I'm grateful to the HN community for showing me how to find out. This is rather alarming... I've passed it on to my newsletter subscribers, Twitter, Facebook, etc.<p>Kind of ironic really, considering the whole secrecy vs. non-secrecy debate.
Looks like somebody decided to spam the heck out of Twitter with those compromised passwords. <a href="http://twitter.com/#!/delbius/statuses/14235293116792833" rel="nofollow">http://twitter.com/#!/delbius/statuses/14235293116792833</a>
I'm currently sending emails to the first 50,000 addresses listed in the database dump via SendGrid. I only have 50,000 credits left for this month, but at least that many will get notified.
Does anyone have a list of sites that Gawker owns? I have no idea which sites I need to potentially check.<p>EDIT: Never mind - it seems that resetting your password at gawker.com resets it for all of their sites.
This is what mailinator and, failing that, tenminutemail accounts are for. Why people sign up for random sites with their personal emails just to comment on articles is beyond me.
The passwords aren't very important, although I can see why that'd be an issue. But those internal chat logs are going to be a bit of a problem. For Nick Denton, that is.
Any chance it's related to this?<p><a href="https://forum.bytemark.co.uk/comments.php?DiscussionID=2701" rel="nofollow">https://forum.bytemark.co.uk/comments.php?DiscussionID=2701</a>
Weird... One of my throwaway accounts appears with a name I know I've never used before. Then again, I had someone sign up for a Facebook account with that email address once too...