Oh, Sure, NOW You Tell Us: Gawker Apology Email To Users Goes Out Two Days Later

I am annoyed with Gawker. I have had other things to do over the past few days besides going to various sites on the Internet and resetting my stupid passwords. Because, you see, I’m one of the people whose email and password information was revealed in the Gawker hack. I had a busy weekend so I found out about the Gawker hack the old-fashioned way: via Twitter, off the numerous early stories from Mediaite. It wasn’t until 1 am on Monday morning, however, that I turned my attention to getting up to speed. Then I read this sentence: “You should change your Gawker password and on any other sites on which you’ve used the same passwords.”

What. The. Eff. I suspect I am like most people on the Internet in that I sign up for all sorts of sites and frequently use the same passwords. As it happens, I have a few stock passwords, including the one published in the Gawker hack. I’ve since changed all important passwords (i.e. email, Facebook, Foursquare, Twitter, Flickr, anything connected to credit cards) and have been randomly hitting websites I once used to see what digital detritus I might have left behind. (A happy moment: I confirmed that I did NOT ever sign up for Match.com.) Yesterday, 4 friends emailed me to let me know they’d found my password easily in the Gawker dump; no doubt others have too. Nothing seems amiss but yeah, this has been an annoying waste of my time, with a dash of nervousness about anything I might have forgotten.

Which is why I was especially annoyed to get this email, last night, at 8:59 p.m. “Gawker Comment Accounts Compromised — Important.” Oh really? Important enough to send TWO EFFING DAYS LATER? Because as far as I can tell Gawker was aware that things were amiss on Saturday, and aware that things were really amiss on Sunday, early on. And while no doubt sending an email to your entire database is cumbersome, SO IS CHANGING EVERY SINGLE ONE OF YOUR GODDAMN PASSWORDS ONLINE.

Oh and I loved this too: “We’re also committed to communicating openly and frequently with you to make sure you understand what has happened, how it may or may not affect you, and what we’re doing to fix things.” Yay! I feel so communicated to! Let’s say I was one of those people who *don’t* live on the Internet, who maybe have other, offline lives, as I pretended to this weekend — what of them and their passwords? What about people who were relying on the anonymity that Gawker’s system allows, and purported to protect? Let’s say they were the 123456 types? Fine, it’s a silly password but is that punishable by having it published? It’s not, obviously. Neither is naming way too many online passwords after your law-school boyfriend. (Fine, I get it, proper names are bad passwords. In my defense, I’ve dated a Courtland and a Gawain.) But all of that is beside the point. The point is, this was Gawker’s breach and Gawker’s users whose trust and security was compromised. Gawker should have moved MUCH faster to close this loop.

The way-late email is below. And below that, “Wicked Little Town” and “Midnight Radio” from Hedwig & The Angry Inch, because I want to restore my happy associations with the word “Gnosis.” It’s okay, Gawker, you’re still shining like the brightest star – just next time, lift up your hands a little faster to get our attention. If you’ve got some sugar for me, Sugar Daddy bring it home. Okay I’m done now. Ladies and Gentlemen, Hedwig!

**Update:** The “two days” metric is based on the breach being made public via the Gizmodo tweets on Saturday afternoon, per Joe Coscarelli.

———- Forwarded message ———-
From: Gawker Media <help@gawker.com>
Date: Mon, Dec 13, 2010 at 8:59 PM
Subject: Gawker Comment Accounts Compromised — Important

This weekend we discovered that Gawker Media’s servers were compromised,
resulting in a security breach at Lifehacker, Gizmodo, Gawker, Jezebel,
io9, Jalopnik, Kotaku, Deadspin, and Fleshbot. As a result, the user name
and password associated with your comment account were released on the
internet. If you’re a commenter on any of our sites, you probably have
several questions.

We understand how important trust is on the internet, and we’re deeply
sorry for and embarrassed about this breach of security. Right now we
are working around the clock to improve security moving forward. We’re
also committed to communicating openly and frequently with you to make
sure you understand what has happened, how it may or may not affect you,
and what we’re doing to fix things.

This is what you should do immediately: Try to change your password in
the Gawker Media Commenting System. If you used your Gawker Media
password on any other web site, you should change the password on those
sites as well, particularly if you used the same username or email with
that site. To be safe, however, you should change the password on those
accounts whether or not you were using the same username.

We’re continually updating an FAQ (http://lifehac.kr/eUBjVf) with more
information and will continue to do so in the coming days and weeks.

Gawker Media

Wicked Little Town

Midnight Radio

Related:
Gawker Hacked [Mediaite]

  • Atticus Draco

    Oh, Sure, NOW You Tell Us: Gawker Apology Email To Users Goes Out Two Days Later

    WOW!
    That’s so “Obama” of ‘em to do!!

  • Atticus Draco


    Gawker oughtta have TMZ come to the podium and iron all out for ‘em!

  • Jon Bershad

    Before clicking on this post, it took me a solid 5 seconds to figure out the connection between this story and Michael Pitt in Hedwig.

  • http://twitter.com/CRZ CRZ

    Call me old-fashioned, but if you’re gonna type out “GODDAMN” without a blink, you might as well just say fucking instead of “effing.”

    (I wonder if this comment will get filtered!)

  • http://twitter.com/CRZ CRZ

    (NOT filtered, but they DID take out my italic tags. Back to capital letters for emphasis – now THAT’S *old school!*)

  • Rescuedog

    Yeah, why have bold and italic tags been disabled in comments? It’s stupid.

  • KiKi

    You lay down with dogs, you get up with fleas.
    Maybe you need ‘better friends’.

  • http://www.squidoo.com/lauriebethsgrotto Laurie Beth

    If you’re not sure if your password was revealed in the Gawker dump, find out here: http://www.didigetgawkered.com

  • Magister

    @Rachel: Believe me, I feel your pain.

    Thankfully the various utilities showed that unlike you, the passwords for both my main commenting account and my alternative were released in encrypted form — perhaps a benefit of not being as high-profile as yourself and using “fake names” — so I was just in a race against time, but the clock hadn’t run out. Of course what made it doubly troubling is that I rarely use my alternative, so I only knew that its password was one of three, which meant that I had to change another two sets of passwords to be sure.

    As to the idea of slow communications, I have to give them something of a pass on the email alerts because they didn’t have a database in place to email so many people. Of course the folks at hint.io did beat my official Gawker alert by several hours, but they didn’t have the distraction of a security breakdown and I assume they were trying to make a name for themselves in advance of coming out of beta, so they were motivated to concentrate on providing the singular service.

    Otherwise on the overall subject of alerts and communications, I commented in the long Nick Denton apology thread on #crosstalk that if such a situation were to arise again, perhaps they should appoint or anoint a trusted third-party as a communication conduit. I singled-out Colby’s work here on Mediaite as a place folks were turning and suggested theAwl as another possible route, but though I didn’t mention it in my comment, if for competitive reasons they didn’t want to boost traffic to another blog, they could’ve at least said something official to the NYTimes.

    Initially on Sunday afternoon, there seemed to be some confusion as to whether we’d be giving both our old and new passwords to the hackers because the “change your passwords” post didn’t precede the one showing pwnage, by much. There was some reassurance from the fact that the torrent link was quickly taken down and the password post remained, but with so many Gawker writers saying they were locked out of the CMS, it wasn’t until Colby’s interview with the hackers that I felt comfortable.

    Several people have wondered over the past couple of days, whether Gawker would’ve assumed the Mediaite role, if the situation was reversed. I honestly don’t know and Colby was mostly talking to the hackers, so it was their communication that he was channeling, but if there’s any lesson for the larger blogosphere, I’d say that if such a massive breakdown were to reoccur, emails would be nice and it wouldn’t hurt to have a database at the ready, but a trusted third-party should be considered.

  • Magister

    ETA: Perhaps a trusted third-party shouldn’t only be considered, but also encouraged.

    After all, my provider had marked both the Gawker and hint.io emails as spam, so I had to look for them and without verification from an outside party, since the hackers had access to both the database and the CMS, something official from a non-hacked site would’ve been reassuring.

  • Magister

    Rescuedog said:
    Yeah, why have bold and italic tags been disabled in comments? It’s stupid.

    I assume it’s because a commenter abused the bold tag, so we were all punished.

  • Rachel Sklar

    @Magister – really smart comment all around, especially the stuff about the 3rd party.

  • Magister

    @Rachel: Thanks.

    In my mind, what sets this apart from the recent McDonalds and Walgreens hacking is that their websites weren’t infiltrated and their CMS remained under their control.

    Clearly, once the “DERP” post went up, Gawker was no longer in control of the system, so I followed bunches of links from Twitter and Google News, but all were referencing or quoting from the “change password” post and there was no statement from anyone within Gawker that the notice was real or that they had successfully locked-down the site.

    In an extreme case like this, which affected so many people, a statement to a third-party would seem to be a good choice, even if it had been nothing more than a simple verification and an all-clear.
    —-

    BTW: I gather from the fact that Colby’s Gawker posts dominate the “most popular” sidebar that you’re aware that in all of the #crosstalk, #groupthink and similar hashtags, where the users gathered during the raid, multiple people were linking to Mediaite as the go-to source.

    I don’t know why Gnosis chose Colby, but I do have to say well done.

  • Magister

    BTW: I should add because I mentioned the hashtag gatherings that not only were there several obvious imposters providing entertainment, there was also at least one person handing out stars and that continued well after the pwnage post was deleted, which helped add to the confusion and why I feel a 3rd-party statement may have been in order.

    Of course this is the first time that something like this has happened, especially on such a massive scale, so it’s all just a learning experience that will be informative in the future. For example Rachel’s OP calls out Gawker for the delay in email notification, so I assume that in the wake of this breach, Mediaite has been putting together a mailing list of all its users. ;)

  • Vegoia

    Rachel, can you explain what you mean by the passwords were found by people in the “Gawker Dump”. I had no idea that they were made public in any way. Thanks for some Michael Pitt too..

  • Magister

    Vegoia said:
    Rachel, can you explain what you mean by the passwords were found by people in the “Gawker Dump”. I had no idea that they were made public in any way. Thanks for some Michael Pitt too..

    I’m not Rachel, but the database of usernames, passwords and email addresses was posted as a torrent and tons of people downloaded it. Most of the passwords were still encrypted in the initial dump and only those using dictionary words and super-easy, common passwords were decrypted originally, as were those belonging to some high-profiles, but everyone else’s passwords would likely become decrypted as time goes by, though the very hardest may take a couple of weeks.

    As I stated in my earlier comment, the various utilities showed mine as still being encrypted in the initial dump, but after reading the above post, I ran Rachel’s username through the Slate utility and it came back that hers wasn’t so lucky and was likely known from day one.

    Also, I should add that I believe it came from some of Colby’s reporting, but I believe the hackers actually stopped downloading the password file after they had gotten between 1.3 and 1.5 million. So, not everyone’s was released.
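The “did I get gawkered” utilities the thread keeps referring to, and the advice in Gawker’s email to rotate the password on every other site where it was reused, amount to a small triage procedure. The script below is an added example written for this page; it is not code from Mediaite, Gawker, or any of the lookup sites mentioned. It assumes a simplified dump format of one `email:password_field` record per line, where a field beginning with `$` is an uncracked hash and anything else is a password already recovered in the clear; the addresses, hashes and site names are all constructed.

```python
"""Post-breach triage: is my address in the dump, was the password exposed in the
clear, and which other accounts share that password and therefore need a reset.
Added example for this page, not Mediaite's, Gawker's, or any lookup site's code."""
import hmac

# Constructed sample dump. Assumed layout: "email:password_field" per line; a field
# starting with "$" is a still-hashed password, anything else was already cracked.
SAMPLE_DUMP = """\
# leaked_accounts.txt (constructed sample, not real data)
alice@example.com:$1$salt$3f9e1c0d2b7a6e5f4d3c2b1a0f9e8d7c
bob@example.com:123456
carol@example.com:$1$salt$aa11bb22cc33dd44ee55ff6677889900
dave@example.com:courtland
"""


def parse_dump(text):
    """Return {email (lower-cased): password_field} for every well-formed record."""
    records = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        email, field = line.split(":", 1)
        records[email.strip().lower()] = field.strip()
    return records


def exposure_status(records, email):
    """Classify one address: absent from the dump, hash only, or password in the clear."""
    field = records.get(email.strip().lower())
    if field is None:
        return "not_in_dump"
    if field.startswith("$"):
        return "hash_only"
    return "plaintext"


def sites_needing_reset(site_passwords, leaked_password):
    """Every site whose password equals the leaked one, including the breached site.

    compare_digest keeps the comparison constant-time, a habit worth keeping even in
    a local tool so the check never leaks where a mismatch occurs."""
    return sorted(
        site for site, pw in site_passwords.items()
        if hmac.compare_digest(pw.encode(), leaked_password.encode())
    )


def triage(records, email, site_passwords, breached_site):
    """Combine the two checks into the advice a user actually needs.

    A hashed password is still a race against the crackers (the thread's point), so
    the reset list is the same whether the status is hash_only or plaintext; only an
    address absent from the dump gets an empty list."""
    status = exposure_status(records, email)
    if status == "not_in_dump":
        return {"status": status, "reset": []}
    return {
        "status": status,
        "reset": sites_needing_reset(site_passwords, site_passwords[breached_site]),
    }


if __name__ == "__main__":
    records = parse_dump(SAMPLE_DUMP)
    # Constructed password inventory for one user; the breached site is "gawker".
    my_sites = {"gawker": "courtland", "email": "courtland",
                "twitter": "courtland", "bank": "Tr0ub4dor&3"}
    print(triage(records, "dave@example.com", my_sites, "gawker"))
    print(triage(records, "alice@example.com", my_sites, "gawker"))
    print(triage(records, "nobody@example.com", my_sites, "gawker"))
```

The point the inventory makes explicit is the one in Gawker’s email: the breached site’s password is the key to every other account that shares it, so the reset list is driven by reuse, not by whether the dump happens to show the password in the clear yet.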

© 2012 Mediaite, LLC