Gawker and its ring of blogs, as well as Twitter, were hacked this weekend by a group calling itself "Gnosis."
Gawker said thousands of commenter usernames and passwords for its blogs were taken, and Gnosis said its break-in at the network of blogs gave it e-mail addresses belonging to banks, federal government employees and NASA.
"This weekend we discovered that Gawker Media's servers were compromised, resulting in a security breach at Lifehacker, Gizmodo, Gawker, Jezebel, io9, Jalopnik, Kotaku, Deadspin and Fleshbot," Gawker said in a post on its Lifehacker blog.
"We understand how important trust is on the Internet, and we're deeply sorry for and embarrassed about this breach of security — and of trust. We're working around-the-clock to ensure our security (and our commenters' account security) moving forward," Gawker said.
When the hackers broke into Gawker, they didn't just steal the email addresses and passwords of its 1.5 million users: they posted the list online. That means anyone could have grabbed it and could now be using it to break into those users' accounts, not just at Gawker but anywhere those individuals reused the same email address and password for their logins.
Which is why other sites are taking notice, and some are now sending email alerts to some of their users. The Gilt Groupe, for example, has apparently matched the list of email addresses in the Gawker hack against the email addresses of its own users and sent notifications to that subset, recommending they change their passwords on Gilt.
"We are contacting you as your Gilt email address matches an email address published in the Gawker list," the email says. "As many people often use the same password for multiple sites, we strongly suggest that you change your Gilt password as well as do so on other sites where the password you have is the same as your Gawker password."
The email didn't spell out the consequences of not changing your password, but they aren't hard to imagine. A bad actor who had gotten hold of the Gawker user list could use it to log into accounts on Gilt, change the password to lock out the account's owner, order merchandise using the credit card information the owner had stored with Gilt, and have it shipped to an address of the thief's choosing.
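The matching step Gilt is described as performing, written out as an added example (this is not Gilt's code, and the article does not say how Gilt did it): normalize both lists so case and whitespace differences still match, compare fingerprints of the addresses, and produce a per-account action. The sample leaked list and user table are constructed for this example; the SHA-256 fingerprinting, and the forced password reset and session invalidation in the response, are assumptions about how a site would handle such a match rather than anything the article reports.

```python
import hashlib
import unicodedata

# Constructed sample data for this example; nothing here comes from the real dump.
LEAKED_LIST = [
    "Alice@Example.com ",      # case/whitespace differences are common in dumps
    "bob@example.org",
    "carol@NASA.gov",
    "not-an-address",          # junk lines should be skipped, not crash the job
]

# A stand-in for the site's own user table: user id -> registered e-mail.
OUR_USERS = {
    101: "alice@example.com",
    102: "dave@example.net",
    103: "CAROL@nasa.gov",
}


def normalize_email(addr):
    """Canonicalize an address so trivial differences still match.

    Returns None for strings that are not shaped like an address.
    """
    addr = unicodedata.normalize("NFKC", addr).strip()
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        return None
    # Domains are case-insensitive; local parts are treated case-insensitively
    # by nearly every real provider, so fold both.
    return f"{local.lower()}@{domain.lower()}"


def fingerprint(email):
    """SHA-256 of the normalized address (an assumption of this example), so the
    comparison set can be kept without retaining the raw leaked list."""
    return hashlib.sha256(email.encode("utf-8")).hexdigest()


def leaked_fingerprints(leaked):
    """Build the fingerprint set once; junk entries are dropped."""
    fps = set()
    for raw in leaked:
        norm = normalize_email(raw)
        if norm:
            fps.add(fingerprint(norm))
    return fps


def find_affected_users(leaked, users):
    """Return ids of our users whose address appears in the leaked list."""
    fps = leaked_fingerprints(leaked)
    hits = []
    for uid, addr in users.items():
        norm = normalize_email(addr)
        if norm and fingerprint(norm) in fps:
            hits.append(uid)
    return sorted(hits)


def response_actions(affected_ids):
    """Per-account response (assumed here, not Gilt's stated policy): notify,
    force a reset on next login instead of relying on the user to act on the
    e-mail, and drop existing sessions an attacker may already hold."""
    return [
        {"user_id": uid, "notify": True, "force_password_reset": True,
         "invalidate_sessions": True}
        for uid in affected_ids
    ]


if __name__ == "__main__":
    affected = find_affected_users(LEAKED_LIST, OUR_USERS)
    for action in response_actions(affected):
        print(action)
```

Only a notification is what the article says Gilt sent; the forced reset and session invalidation are the stronger response a practitioner would pair with it, since an attacker who already has the reused password may log in before the user reads the e-mail.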
An anonymous source identifying itself as one of the Gnosis hackers told the news blog Mediaite that the group attacked Gawker because of its "arrogance."
"It took us a few hours to find a way to dump all their source code and a bit longer to find a way into their database," the source told Mediaite.
"We have been cracking the database for about 17 hours and have managed to retrieve 273,789 passwords," the source told the blog. "If our release schedule wasn't so tight we could get 500,000-plus. Included in the dump are passwords linked to accounts from NASA, about every .gov domain you could imagine and hundreds from banks. One can only pray that they do not use the same password everywhere."