Gawker Brute Force Hack Exposes 200,000 User Passwords

Gawker Media said Monday that a hacking group broke into its servers over the weekend, stealing an estimated 1.3 million user names and passwords for more than 200,000 registered users in a brute force attack that subjected victims to a massive Acai berry diet spam campaign on Twitter.

Gawker Media, which oversees publications Gizmodo, Lifehacker, Gawker, Jezebel, io9, Jalopnick, Kotaku, Deadspin and Fleshbot, said Monday that a hacking group, known as Gnosis, stole login credentials for more than 200,000 users, which are now available at ThePirateBay.

The fact that a media company devoted to technology news, including security information, would be hacked, was not lost on Gawker Media.

"We're deeply embarrassed by this breach. We should not be in the position of relying on the goodwill of the hackers who identified the weakness in our systems. And, yes, the irony is not lost on us," Gawker said in a blog post Monday.

While the passwords were encrypted, Gawker warned that the brute force attack might expose simple logins, and urged users to change their credentials as soon as possible.

"You should immediately change the password on your account, and if you used that password on any other Web site, you should change your passwords on all of those accounts as well," Gawker said.

Gawker added that the hack likely affected anyone that registered an account on any Gawker Media site and didn't log in using Facebook Connect.

The attack also affected Gawkers' corporate servers, which gave Gnosis access to Gawker staff account information as well as source code and IM chat logs between employees, according to The Next Web.

Meanwhile, the hack led to a massive campaign soliciting Acai berry diet spam on Twitter. The spam contains an embedded link, which takes users to an advertorial page promoting a "miracle diet," which in turn directs users to a page soliciting a product that uses Acai berries.

According to a Graham Cluley, senior technology consultant at Sophos, the Acai berry spam campaign appears to be posted to accounts whose users relied on the same passwords for both their Gawker and Twitter accounts.

Alex Rothacker, director of security for Application Security's TeamSHATTER said that the attack was facilitated, in part, by aging and unpatched Gawker servers coupled with a lack of strong password policies and dedicated security staff. Rothacker said that it also appeared that Gawker likely failed to invest in activity monitoring technologies.

"I would say that anybody who is out there on the Internet, to be safe, you have to take security very, very seriously," Rothacker said. "That's really the main message here. They need to update their stuff, put a security professional in place and should be monitoring any activities."

Next: Attack Underscores Need For Strong Passwords

Cluley said that that attack underscored the necessity of applying strong passwords and applying best practices that include using unique passwords for each account and avoiding dictionary words.

"The key issue here is that too many users (perhaps as many as a third) are still using the same password for every Web site they access," Cluley said in a blog post. "Not enough computer users have woken up to the danger of using the same password on different Web sites. Doing that means that if one site gets hacked (as in the Gawker case) then you might also be handing over the keys to other Web sites.)

Rothacker said that, unlike the high-profile Gawker hack, cyber criminals would likely later use the passwords accessible on ThePirateBay site to launch stealthier attacks for financial gain.

"This one reminds me more of the defacing attacks of the past. What we should really be aware of are the real attacks where people do hacking for financial gain," he said. "I would think that as soon as these guy are in there, and they start getting passwords for accounts, they have pretty open access. They will just do whatever they want to do."