Gawker Brute Force Hack Exposes 200,000 User Passwords


Gawker Media said Monday that a hacking group broke into its servers over the weekend, stealing an estimated 1.3 million user names and passwords for more than 200,000 registered users in a brute force attack that then exposed victims to a massive Acai berry diet spam campaign on Twitter.

Gawker Media, which oversees the publications Gizmodo, Lifehacker, Gawker, Jezebel, io9, Jalopnik, Kotaku, Deadspin and Fleshbot, said Monday that a hacking group known as Gnosis stole login credentials for more than 200,000 users, which are now available on ThePirateBay.

The fact that a media company devoted to technology news, including security information, would be hacked was not lost on Gawker Media.

"We're deeply embarrassed by this breach. We should not be in the position of relying on the goodwill of the hackers who identified the weakness in our systems. And, yes, the irony is not lost on us," Gawker said in a blog post Monday.

While the passwords were encrypted, Gawker warned that the brute force attack might expose accounts with simple passwords, and urged users to change their credentials as soon as possible.

"You should immediately change the password on your account, and if you used that password on any other Web site, you should change your passwords on all of those accounts as well," Gawker said.

Gawker added that the hack likely affected anyone who registered an account on any Gawker Media site and didn't log in using Facebook Connect.

The attack also affected Gawker's corporate servers, which gave Gnosis access to Gawker staff account information as well as source code and IM chat logs between employees, according to The Next Web.

Meanwhile, the hack led to a massive Acai berry diet spam campaign on Twitter. The spam contains an embedded link that takes users to an advertorial page promoting a "miracle diet," which in turn directs them to a page selling a product based on Acai berries.

According to Graham Cluley, senior technology consultant at Sophos, the Acai berry spam appears to have been posted from Twitter accounts whose owners reused the same password for both their Gawker and Twitter accounts.

Alex Rothacker, director of security for Application Security's TeamSHATTER, said that the attack was facilitated, in part, by aging and unpatched Gawker servers coupled with a lack of strong password policies and dedicated security staff. Rothacker added that Gawker also appeared to have failed to invest in activity monitoring technologies.

"I would say that anybody who is out there on the Internet, to be safe, you have to take security very, very seriously," Rothacker said. "That's really the main message here. They need to update their stuff, put a security professional in place and should be monitoring any activities."
