Gawker Data Breach Could Lead to Attacks on Government Agencies

BY Hari Sreenivasan  December 12, 2010 at 11:20 PM EDT


Gawker Media, one of the web’s largest publishers, has been hacked. The insides of the multiple websites within their portfolio, their 1.3 million user names, e-mail addresses and passwords, are now splayed all across the Internet for anyone to see. All the data was uploaded to the bit torrent file sharing network late Sunday afternoon, meaning anyone from Dallas to Dubrovnik to Djibouti can have a look.

The PBS NewsHour has learned that a select sub-list of what appear to be e-mail addresses and passwords of employees from federal, state and local government agencies was parsed separately for potential future attacks. They may have been used as part of Operation Payback, or another one of the initiatives launched by the so-called “Anonymous” cyber movement that has grown in scope since the release of secret documents by the web site WikiLeaks.

The fact that the list has now been made public may give government agencies and individuals a chance to change their password information and diminish the damage.


The list appears to include a wide range of government agencies from King County in Washington State to mission controllers at NASA to a chief of staff for a member of Congress.

What follows are the instructions attached to the selected government addresses from inside an Anonymous chat room:

“These passwords are from an ongoing operation outside of (REDACTED) do not distribute outside of (REDACTED). Doing so will only jeopardize the serious lulz fest about to hit the internet in the coming months.

These people more than likely use the same pass everywhere. Try to gain access to the @email SMTP using the email/pass combination also google their email address to find other accounts on the internet they may have and try their password with said accounts.

If the people in this dump have admin/mod rights there may be other sensitive information worth disclosing to the internet, scrape any and all information you can and don’t be XXXXing stupid, these are government officials, use many layers of proxies and report back any lulz to (REDACTED).”

More than 1,958 people on the Gawker list used the word “password” as their password. Several people use the same e-mail addresses, usernames and passwords across multiple social media sites as well as their work e-mail accounts. Exploiting these sorts of vulnerabilities is common practice.

Gawker posted a notice on its web site Sunday advising users to change their commenting passwords:

“Our user databases appear to have been compromised. The passwords were encrypted. But simple ones may be vulnerable to a brute-force attack. You should change your Gawker password and on any other sites on which you’ve used the same passwords.”
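The defender’s side of the two problems described above (staff addresses turning up in a third-party dump, and trivially guessable passwords) can be scripted as a small breach-response triage. This is an added example, not code from PBS NewsHour or Gawker; the domains, addresses and deny list are constructed placeholders, not values from the actual dump.

```python
"""Breach-response triage for an organization whose staff may appear in a
third-party credential dump.  Added example with constructed data; the
domains and addresses below are hypothetical, not values from the Gawker leak.

  1. affected_accounts(): which leaked addresses fall under domains we own, so
     those accounts can be forced through a reset and warned about reuse.
  2. acceptable_new_password(): reject the passwords a dump like this shows
     people actually pick ("password" appeared 1,958 times, per the article).
"""
from collections import defaultdict
from typing import Optional

# Constructed sample of leaked addresses (hypothetical, not from the real dump).
LEAKED_EMAILS = [
    "alice@mail.example-county.gov",
    "Bob@EXAMPLE-COUNTY.GOV",
    "carol@jsc.example-agency.gov",
    "dave@gmail.example",
    "eve@example-agency.gov.attacker.example",  # suffix look-alike, must not match
    "not-an-email",
]
OWN_DOMAINS = {"example-county.gov", "example-agency.gov"}  # hypothetical
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "gawker"}  # tiny stand-in


def email_domain(address: str) -> Optional[str]:
    """Lower-cased domain part of an address, or None if it is malformed."""
    if address.count("@") != 1:
        return None
    local, domain = address.split("@")
    if not local or "." not in domain:
        return None
    return domain.lower()


def belongs_to(domain: str, own_domains: set) -> Optional[str]:
    """Exact or label-wise subdomain match (not a bare string suffix), so
    'example-agency.gov.attacker.example' is correctly rejected."""
    for own in own_domains:
        if domain == own or domain.endswith("." + own):
            return own
    return None


def affected_accounts(leaked: list, own_domains: set) -> dict:
    """Group leaked addresses under the owned domain each falls within."""
    hits = defaultdict(list)
    for addr in leaked:
        dom = email_domain(addr)
        owner = belongs_to(dom, own_domains) if dom else None
        if owner:
            hits[owner].append(addr.lower())
    return dict(hits)


def acceptable_new_password(pw: str, min_len: int = 12) -> bool:
    """Reset-flow policy: a length floor plus a common-password deny list."""
    return len(pw) >= min_len and pw.lower() not in COMMON_PASSWORDS
```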

The focus and target of tonight’s data appears aimed squarely at embarrassing Gawker and its founder Nick Denton. There has been an ongoing online war of egos between members of 4Chan, an anonymous content uploading and collaborative site; the Anonymous group, who have recently begun attacking websites; and Mr. Denton and his staff.

Here are excerpts from a group chat log, which the attackers credit to Gawker employees.

Maureen O. it appears that there is dissent among the 4channers as to whether 4chan’s attack on us means 4chan is pathetic and unscary now.

Brian M. 10 Things 4Chan Users Should Do Rather than Attack Us

Brian M. The headline of your post should be “Suck on This, 4Chan”

Hamilton N. Nick Denton Says Bring It On 4Chan, Right to My Home Address (After The Jump)

Ryan T. We Are Not Scared of 4chan Here at 210 Elizabeth St NY NY 10012

Maureen O. hey guess what, 4chan has already declared gawker the winner of the 4chan war! we won!

Richard L. VICTORY

Maureen O. they say that this day will go down in history as the day 4chan failed.

Richard L. that’s terrific.

Richard L. they’ve been demoted to 3chan

The dump includes the release of usernames and passwords of the databases that contain their sites, meaning the attackers had access to every piece of information which comprises Gawker’s web sites, from highly valuable advertising statistics to text and images.

Also included was what hackers claimed was an image of a potential future Gawker redesign. Its release would reduce the impact of a new site by taking away much sought after buzz around a relaunch, as well as giving competitors some insight into Gawker’s design choices and direction.

Gawker knows all too well the impact of taking the wind out of someone’s sails. Gawker’s gadget site Gizmodo famously released images of Apple’s iPhone 4, months before the official launch.

To put as fine a point on the hack as possible, the attackers used the login of one Gawker staff member tonight to post a link to the location where users could download the entire database, available on bit torrent (a file sharing service).


The author had to go on Twitter to deny the information and inform his followers that the site was indeed hacked.


Anyone who has ever left a comment at any time across the Gawker network should change their passwords immediately. Gawker Media includes Gawker, Deadspin, Kotaku, Jezebel, Jalopnik, Gizmodo, io9 and Lifehacker. Good rules of thumb for password security are available, ironically enough, on the Lifehacker web site.

Follow @hari on Twitter.