

Tell HN: My experience being on the Gawker password list - victimofgawker

I created a username and password on one of the Gawker sites in about 2006 or 2007. I did not see it as a critically important site so I did not pick a particularly strong password. My password was not "password" but it was pretty close. It is not a password I used anywhere else and certainly not for my email. I also used an email address that I only used for non-critical and non-important subscriptions.

I initially saw the reports that Gawker was hacked earlier in the day on Sunday. I got a bit worried, clicked around and saw a report that Gawker was saying it was only a rumor, their Twitter account had been compromised and someone had made false claims that data was stolen. I was relieved even though I did not think it was a big deal. Later on in the day on Sunday, I saw that it was true that data had been stolen and went over to a Gawker site to log in and check my account.

Here's the slightly weird thing. Someone had already logged into the Gawker account, made a few comments and noted that I used "password" as my password. I had not used "password" although as I mentioned, it was close. I was able to log in to the Gawker site with the password that was not "password" and change things around, including the password. The email address associated with the login showed no evidence of being compromised. (No weird sent items, IPs from past logins were mine, etc.)

By this morning, no less than 4 people had (anonymously) emailed the address listed and warned me that I had been hacked and I should change my passwords. However, NONE of those people were actually from Gawker! As of Monday, there has been no official word from Gawker directly to the email address I gave them--which is now posted publicly--that a breach occurred!

A bit later in the morning, I went to log in to the email account again and it warned me that there had been suspicious activity and had me (appropriately) jump through a few hoops to get in. Once I did get in, I again saw no evidence of it being compromised. Looks like someone noted the email address on one of the lists in the Torrent dump and tried their hand to see if my email password was as weak as the Gawker password was.

Feel free to post questions or comments.
======
infosecinterest
I have 2 questions for you. I'm following this incident as I am on the list as
well. Like you, I use different pwords for sites. But I also got the warning
from my email account that there had been suspicious activity when I logged in but,
like you, saw no evidence of outbound email, bouncebacks, or strange spam
filter messages. Q1: Are you thinking we got those messages b/c people were
trying to get in using common words, etc, and they just locked the acct b/c of
all the incorrect tries? Q2: I don't recall ever signing up for a Gawker
account for comments. So how do you think my email was included? Was it
another site in their portfolio owned by Gawker?

------
raquo
Gawker uses only the first 8 chars of your password to generate the hash so
you apparently don't need to know your whole password to log in. If your
password began with "password" it makes sense why a dictionary attack or
whatever revealed your password as simply "password".
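An added illustration of the point raquo makes (not code from the thread or from Gawker): a constructed model of a scheme that hashes only the first 8 characters, showing that any password sharing that prefix verifies, alongside a probe a site operator can run against their own hashing function to detect such a truncation limit. The hash construction, salt and sample passwords here are all assumptions for demonstration.

```python
import hashlib
import hmac
from typing import Callable, Optional

# Constructed model of a legacy crypt(3)-style scheme: only the first
# LEGACY_LIMIT bytes of the password reach the hash (an assumption for
# illustration, not Gawker's actual implementation).
LEGACY_LIMIT = 8

HashFn = Callable[[str, bytes], bytes]


def legacy_hash(password: str, salt: bytes) -> bytes:
    """Hash that silently drops everything after the first 8 bytes."""
    truncated = password.encode("utf-8")[:LEGACY_LIMIT]
    return hashlib.sha256(salt + truncated).digest()


def full_hash(password: str, salt: bytes) -> bytes:
    """Same construction, but every byte of the password is hashed."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def verify(hash_fn: HashFn, password: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison of a candidate against the stored hash."""
    return hmac.compare_digest(hash_fn(password, salt), stored)


def effective_length_limit(hash_fn: HashFn, max_len: int = 64) -> Optional[int]:
    """Probe a hash function for a truncation point.

    Flip one character at each position of a long password; the first
    position whose change leaves the hash untouched is ignored by the
    scheme, so only that many characters actually count. Returns None if
    every position up to max_len influences the hash."""
    salt = b"probe-salt"  # constructed; any fixed salt works for the probe
    base = "a" * max_len
    reference = hash_fn(base, salt)
    for i in range(max_len):
        variant = base[:i] + "b" + base[i + 1:]
        if hash_fn(variant, salt) == reference:
            return i
    return None


if __name__ == "__main__":
    salt = b"constructed-salt"
    stored = legacy_hash("password1234", salt)  # user actually set "password1234"
    print("prefix 'password' accepted:", verify(legacy_hash, "password", salt, stored))
    print("legacy limit:", effective_length_limit(legacy_hash))
    print("full-hash limit:", effective_length_limit(full_hash))
```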

