A group of anonymous hackers released a file containing the passwords of more than 200,000 users who had registered to comment on Gawker sites. If someone steals your Gawker login, no big deal. The trouble is that users’ email addresses were published, and a lot of people use the same password for everything—so hackers could potentially get into someone’s email and go from there.
The white hat hackers at Hacker News, a news-based forum for developers, were alarmed by the breach. One wrote:
“This is serious. I just checked out the torrent with the text file of the 200,000 cracked passwords. I searched for an @me.com account and logged into someone’s Apple account. It was possible for me to order stuff via their account. I quickly emailed the guy to let him know to change his password. Gawker needs to take responsibility for this situation and email everyone in their database.”
Gawker posted an advisory on all Gawker sites telling users to change their passwords and an FAQ on Lifehacker. But the Hacker News users thought this was insufficient, and soon hackers were suggesting ways to mass-email the users whose information had been published and warn them of the risk. One started to email 50,000 users using SendGrid, another started writing code:
“I’m currently writing a little script that parses all the addresses and emails the owner a heads up. I gotta step out so I won’t have it done for 2-3 hours and I thought I’d post here in case anyone else has that idea (don’t want to flood the victims).”
But soon, an update from user dwynings, a Palo Alto entrepreneur:
“We’ve got the entire list covered.”
UPDATE: More details, via Felix Salmon:
What Gawker didn’t do – but what the good people at Hint did do – is email everybody whose email and password were made public, to inform them of that fact. “In situations like this, time is of the essence, which is why we were surprised & shocked to find that Gawker Media hadn’t taken the initiative to notify you of this privacy breach immediately,” they wrote.
ajeffries [at] observer.com | @adrjeffries