Update: Gawker Media Confirms That Their Commenter Database Was Hacked

Yesterday Gawker Media denied reports that their database of 1.5 Million usernames, emails and passwords had been hacked. Comments broadcast via the apparently compromised Twitter feed of Gawker Media’s tech and gadget site Gizmodo strongly suggested a security compromise. Gawker Editorial Director Scott Kidder claimed through his own Twitter feed that “No evidence to suggest any Gawker Media’s user accounts were compromised, and passwords encrypted anyway.” Mediaite can now confirm that Gawker’s database has been compromised at least to some degree. An anonymous source who claims responsibility for the security breach delivered evidence to Mediaite and also claims that the full set of private user data will be released later today at 9PM GMT (4pm EST). Update #2 – Data has been shared and Gawker’s CMS has been hacked as well.

Originally reported by Joe Coscarelli at The Village Voice, an apparently hacked Gizmodo Twitter account announced support for WikiLeaks, but also announced the following message “ hacked, 1.5 Million usernames/emails/passwords taken:

This morning, Matt Brian reported on the alleged security breach for TheNextWeb:

From the information we have been provided, it appears that some of the base infrastructure of the Gawker Media organization has landed in the hands of people completely unrelated to the site or business itself. Though we were initially under the impression that it was the 4chan-founded group of Anonymous we have since been told, via email, that the responsible party has no affiliation with Anonymous or others. In fact, here’s what we’ve seen, in whole:

It has come to our attention that you are reporting about being hacked by Anonymous and Operation payback in the war against the wikileaks drama that is currently taking place. While we feel for Wikileaks’ plight, and encourage everyone to donate and mirror the site, we are not related to Operation Payback or engaged in their activities. We have compromised all their email accounts and databases, and a significant portion of the passwords have been unhashed into plaintext.

To prove the validity of our claims, here is a sample of the database: [redacted]

While we were, of course, skeptical of the information, the claims were potentially huge. That said, we did ask for proof and proof was provided via screenshots of information that would typically only be available to a site administrator or owner.

A screengrab of what TheNextWeb claims to be a Campfire group chat session of Gawker’s editorial staff:

Mediaite was also contacted by an individual who has remained anonymous and cannot be verified. The source, however, did share examples of what appear to be working pairings of usernames and passwords for users to comment on Gawker Media sites. If this is a real hack, and again, there is no concrete evidence that the entire database has been compromised, it would be a particularly embarrassing security breach for Gawker Media. In fact, it was Gawker’s alleged arrogance that seems to be the motivation for the hack. The anonymous source claims:

We went after Gawker because of their outright arrogance. It took us a few hours to find a way to dump all their source code and a bit longer to find a way into their database.

We found an interesting quote in their Campfire logs:

Hamilton N.: Nick Denton Says Bring It On 4Chan, Right to My Home Address (After The Jump)

Ryan T.: We Are Not Scared of 4chan Here at 210 Elizabeth St NY NY 10012

I mean if you say things like that, and attack sites like 4chan (with which we are not affiliated) you must at least have the means to back yourself up. We considered what action we would take, and decided that the Gawkmedia “empire” needs to be brought down a peg or two. Our group’s mission? We don’t have one.

We will be releasing the full source code dump along with the database at 9PM GMT today. You are the only outlet we have told the release time.

When contacted by Mediaite, Mr. Kidder reiterated that there was no evidence of any security breach, but that they were still investigating the claims.

Earlier this year, Gawker attracted national media attention and prompted an FBI investigation with a report on an iPad security breach which exposed the identities and personal information of 114,000 iPad 3G owners, including Mike Bloomberg, Harvey Weinstein, and Diane Sawyer.

Now, Gawker has been hit with what appears to be a security breach of ten times the magnitude. Given Gawker’s public taunting of the hacker community that populates 4Chan — with which our source emphasizes the group involved in this particular database hack has no affiliation — combined with Gawker’s at-times schadenfreude-filled celebration of other major media outlets’ failings, this is sure to be a story that gets lots of attention in the coming days and weeks.

Update – Scott Kidder shares with Mediaite the following note to all staff that confirms that their database has in fact been hacked:

Our user databases do indeed appear to have been compromised. The passwords were encrypted. But simple ones may be vulnerable to a brute-force attack. You should change the password on Gawker (GED/commenting system) and on any other sites on which you’ve used the same passwords. Out of an abundance of caution, you should also change your company email password and any passwords that may have appeared in your email messages.

We’re deeply embarrassed by this breach. We should not be in the position of relying on the goodwill of the hackers who identified the weakness in our systems. And, yes, the irony is not lost on us. Lifehacker has tips on how to create strong passwords:
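The staff note above says the passwords were “encrypted” yet simple ones remain exposed to brute force. As an added illustration (not code from the article or from Gawker, and the storage scheme is an assumption, since the article never says how the passwords were stored), this audit checks a constructed user table of unsalted hashes against a short list of common passwords, which is the check an operator runs to choose accounts for a forced reset, and contrasts it with salted, iterated PBKDF2 storage where each guess is far more expensive and cannot be reused across users.

```python
import hashlib
import hmac
import os

# Constructed sample: three accounts with unsalted SHA-1 password hashes.
# Assumption: the article only says passwords were "encrypted"; the scheme
# here is hypothetical and chosen to show why "simple" passwords still fall.
def fast_hash(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest()

SAMPLE_USERS = {
    "alice": fast_hash("password"),
    "bob": fast_hash("qwerty"),
    "carol": fast_hash("k9!Tz#4vQ2@wL7pR"),  # long random password (constructed)
}

# Small constructed list of the "simple" passwords the staff note warns about.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "gawker"]

def audit_weak_passwords(users: dict, wordlist: list) -> dict:
    """Return {username: weak_password} for every account whose stored hash
    matches a wordlist entry. Because the hashes are unsalted, one hash per
    word covers the whole table: cheap for the operator to audit, and equally
    cheap for anyone holding a copy of the database."""
    lookup = {fast_hash(w): w for w in wordlist}
    return {u: lookup[h] for u, h in users.items() if h in lookup}

def slow_hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Salted, iterated PBKDF2-HMAC-SHA256. Each guess now costs `iterations`
    HMAC computations, and the per-user salt means a guess must be recomputed
    for every user instead of once for the whole table."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def store_slow(password: str) -> tuple:
    """Return (salt, hash) as it would be written to the user table."""
    salt = os.urandom(16)
    return salt, slow_hash(password, salt)

def verify_slow(password: str, salt: bytes, stored: bytes) -> bool:
    return hmac.compare_digest(slow_hash(password, salt), stored)

def salted_hashes_collide(password: str) -> bool:
    """False for the salted scheme: two users with the same password get
    different stored values, so a single lookup table no longer applies."""
    (_, h1), (_, h2) = store_slow(password), store_slow(password)
    return h1 == h2

if __name__ == "__main__":
    print("accounts needing a forced reset:",
          audit_weak_passwords(SAMPLE_USERS, COMMON_PASSWORDS))
```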
