Gawker accounts hacked, change your passwords

[el_rezzo]

http://pastebin.com/9rRmf6W5

http://www.neogaf.com/forum/showthread.php?t=415704

1.3 million accounts compromised apparently. Check to see if your password at Gawker wasn't enough to stop them getting your info. Then change any passwords that could be gleamed or are just the same as any of your Gawker details (and email address used with that account). Wish there was an option to delete the damn account, haven't been to Kotaku in ages.
_________________

[Crank]

From the FAQ relating to this:

5) How can I delete my account?
We understand how important trust is on the web, and some of you may wish to delete your Gawker Media account. Currently account deletion is not available. We will, however, give you this option as soon as possible.

So check back soon and deletion may well be possible.

[chickenplucka]

no point in deleting the account now as the passwords and usernames have been compiled and torrented already.
mind you, people that don't reguarly change passwords or have easy to crack passwords are kinda asking for this to happen...
_________________

[Benza]

well glad I post everything under 'guest' then.
_________________

[grim-one]

I don't get where Kotaku / LH / Gawker actually uses accounts. Looking on Kotaku, there's no log in function and the comments only ask for a name and password?

Edit - also there's a description in the article about how to check if your email address / password for an account was captured. Apparently I have one and it was
_________________

Steam:grim_one | PSN/Live:najakh | Flickr

[el_rezzo]

[DKP]

What gets me is the sheer amount of people that use 'password' as their password.

[chickenplucka]

[el_rezzo]

[chickenplucka]

[el_rezzo]

[chickenplucka]

just found this great comment in the #speakup section on Kotaku about how to check if your account has been hacked:
So, with all of the major hoopla going around surrounding the breach of passwords and accounts, you might be wondering, "Am I affected?"

Well, classy internet man, if you used the same username and password on your Gawker account for the rest of the media websites (or perhaps just orphan accounts as well), then you're probably at risk.

"Oh no! What can I do?" You might ask. Well, if you want to know if some unclassy internet guy could get into your account, and wreak havoc, posting trollish things across the internet (not really, unless you use the same password and username EVERYWHERE), you can follow these simple steps, courtesy of lastkarrde and futant462 of the Reddit community.

First, open this fusion table: http://www.google.com/fusiontables/DataSource?dsrcid=350662

Second, go to this website: http://pajhome.org.uk/crypt/md5/

Third, place your email into the "Input" line, and click MD5. Copy the corresponding string out of the "Output" field.

Fourth, in the fusion table, click "Show Options" (right underneath the Google logo), change "Domain" to "MD5," and lastly, paste the earlier string into the right-most box.

Fifth, click the apply button. If you're having a good day today, then the string will not show up, and your account has not been compromised. You might want to change your password regardless, but that's up to you.

If today is not your day, then the string will show up. Change your password, and I might suggest deleting the entire account when the option rolls around.

If you so happened to use the same username and password across the internet, your day will not get better. Hit high-risk targets first (bank accounts), move into more medium-range targets (online shopping aggregates, webhosting), and then take care of everything else. It's you against the clock.

In the age of a mass digital network, NEVER assume you are safe. Now may not be a bad time to change all of your passwords regardless of whether or not you were compromised.

Once again, I am simply using copypasta from Reddit, thank lastkarrde for the fusion table, and futant462 for the instructions. I am but a messenger.

Thank you internet, and have a great day.

#stayclassyinternet
#speakup

EDIT (OH LOOK IT'S BELOW THE HASHTAGS THIS MUST BE IMPORTANT): If you used Facebook Connect, the FAQ (in the red bar at the top) claims that your account would not be at risk. Once again, the friendlier side of the internet would like to remind you to pretty much not trust anything. Change your password (do it anyway), or delete the profile and start over. It's just social connections, people will find you, so long as you're not dead. They'll probably find you after you die, too.

I might also be suggesting the use of OpenID across the Gawker Media sites, but that's another matter entirely.
_________________

[chickenplucka]

I am furious, yet glad to have found out that my account was stolen and has been freely distributed amongst torrent sites. I am relieved that I use a different password for different websites however.
If you want tips on the best ways to remember passwords for different websites check this guide:
http://lifehacker.com/184773/geek-to-live--choose-and-remember-great-passwords
_________________

[xboxdude]

Too late guys,
torrents are already here
http://www.kickasstorrents.com/gawker-dbs-usernames-passwords-encrypted-and-unencrypted-t4814566.html
_________________

[xboxdude]

Got a hold of that torrent (not for bad reasons)
And went into the database searched my password. Sure enough it comes up with my password & username. I have since changed my password
_________________

[xboxdude]

3,366 pages full of passwords. How could this happen???
_________________

[Fyuusii]

^Quit with the spamming mate; you could've put all of that into a single post.

I got an email from DeviantART which seems to be referencing this leak. Is DA also affected?
_________________

"Now I stand, the lion before the lambs... and they do not fear.
They cannot fear..."

[grim-one]

[Eyce]

[xboxdude]

[subbastard]

That is what Edit is for champ.
_________________
I'd be apathetic, but I can't be arsed.

[JamalH]

So what if i only look at Kotaku and replied with my facebook account once?

other than that ive never signed up there or have an account with any GAWKER sister site

EDIT - heres a widget you type your email in to see if it was compromised.

http://www.slate.com/id/2277768/

2) What if I logged in using Facebook Connect? Was my password compromised?
No. We never stored passwords of users who logged in using Facebook Connect. We have, however, disabled Facebook Connect logins temporarily.

3) What if I linked my Twitter account with my Gawker Media account? Was my Twitter password compromised?
No. We never stored Twitter passwords from users who linked their Twitter accounts with their Gawker Media account. However, if you used the same password for your Twitter account as you did on your Gawker Media account, you should change it immediately.

^^^ good news atleast
_________________


Now Playing: Dragon Age Origins: Ultimate Edition Awakening Expansion (PS3)

[kaerlis]

This link explains pretty much everything that went on, and it's pretty amusing and interesting as well:

http://blogs.forbes.com/firewall/2010/12/13/the-lessons-of-gawkers-security-mess/
_________________

[JamalH]

After reading that suck shit to GAWKER they deserved it.

N. Hamilton basically said that the users accounts being compromised was "unimportant"
_________________


Now Playing: Dragon Age Origins: Ultimate Edition Awakening Expansion (PS3)

[grim-one]

I don't understand why their database stores the actual passwords. I would have thought they would store a hash (MD5 or SHA1) and just perform the hash on the entered password to compare it to the stored one. The only possible reason I can think of is that it would allow recovery, but it can easily be avoided by just emailing out new random passwords upon request.
_________________

Steam:grim_one | PSN/Live:najakh | Flickr