Check if your email is amongst those compromised in Gawker break-in - sathyabhat
http://www.google.com/fusiontables/DataSource?dsrcid=350662

======
jedsmith
What is the point of including the domain tied to the address? It just
decreases the anonymity of what you've hashed, and actually does a disservice.
There are corporate domains in there and the namespace of what to search for
becomes a lot smaller.

In addition, my domain is my name. I saw many others in the file that this was
the case for. It's not a big leap to compute my e-mail from 'jedsmith.org',
and I'm sure it isn't for those guys either. You're leaking data with this
view.

Here's a version that is far more anonymous (and easier, I think):
<http://undertow.jedsmith.org/gawker/>

~~~
jdludlow
I like it.

OS X users, if you are paranoid about using online tools for the SHA-256
hashing, you can do this from the command line with sha256deep.

Via Homebrew it'd go like this (replace the 1st step with whatever package
manager you like):

$ brew install md5deep

$ echo -n my@email | sha256deep

d869524229c1e2f6139194fee1aac14f873b008dd0279458cbdfb6b3fbade1d2

~~~
sirn
…or without installing anything:

        $ echo -n 'my@email' | openssl dgst -sha256
        d869524229c1e2f6139194fee1aac14f873b008dd0279458cbdfb6b3fbade1d2

~~~
jrmg
Or, with the cryptically named 'md5'...

        echo -n 'my@email' | md5

~~~
chrisbroadfoot
md5 != sha256

        $ echo -n 'my@email' | shasum -a 256
        d869524229c1e2f6139194fee1aac14f873b008dd0279458cbdfb6b3fbade1d2  -

~~~
jrmg
Ah - true - we're talking about different things though (which is my fault to
start with, but I see confusion in others too).

MD5 is what's used in the linked spreadsheet's email address fields, which is
what I thought we were talking about. SHA-256 is used in jedsmith's lists.
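Checking locally, as several posters prefer, with both digests the thread mentions (MD5 for the spreadsheet's email field, SHA-256 for jedsmith's list). This is an added Python example, not from the thread; the hash list embedded below is constructed, and its first entry is the SHA-256 of 'my@email' quoted above.

```python
import hashlib


def email_digests(email: str) -> dict:
    """Hash an address locally both ways; the address never leaves the machine."""
    raw = email.encode("utf-8")
    return {
        "md5": hashlib.md5(raw).hexdigest(),
        "sha256": hashlib.sha256(raw).hexdigest(),
    }


def candidate_forms(email: str) -> list:
    """A list may have hashed the address exactly as stored, trimmed, or lowercased.
    Hashes differ on a single case change, so try each plausible form."""
    forms = [email, email.strip(), email.strip().lower()]
    return list(dict.fromkeys(forms))  # dedupe, keep order


def check_against_list(email: str, leaked_hashes, algo: str = "sha256"):
    """Return the matching digest if any form of the address is in the local
    hash list, otherwise None. leaked_hashes is an iterable of hex digests."""
    leaked = {h.strip().lower() for h in leaked_hashes if h.strip()}
    for form in candidate_forms(email):
        digest = email_digests(form)[algo]
        if digest in leaked:
            return digest
    return None


# Constructed sample dump, one hex digest per line, standing in for a
# downloaded hash list. The first line is the thread's SHA-256 of 'my@email'.
SAMPLE_SHA256_LIST = """
d869524229c1e2f6139194fee1aac14f873b008dd0279458cbdfb6b3fbade1d2
0000000000000000000000000000000000000000000000000000000000000000
""".split()
```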

------
jrockway
Fuck. What the fuck did I even need a Gawker account for?

(Thanks for making this. I was going to download the torrent, but assumed that
I did not ever visit their site, much less make an account. Wrong!)

~~~
bradgessler
You needed it if you commented on a post.

~~~
estel
Unless you posted with Facebook or Twitter auth

------
steveklabnik
If you're on OSX, it's 'md5' and not 'md5sum.'

------
mjs
What's the point of these tools that let you know whether Gawker's database
held my email address? It's no secret that I have a Gawker account, and a
Twitter account, and a Facebook account... What I would like to know is how
likely it is that my _password_ could be compromised. How were the passwords
stored? Hashed? Salted and hashed?

~~~
brown9-2
Because some of us don't remember if we have an account on the site and might
not be able to download a ~500mb torrent to verify if we do/did.

~~~
visakhcr
Just go to Gawker site and try the link "Forgot Password". If your email is
not registered with Gawker, it will tell you the same.

~~~
brown9-2
This sounds like a bad idea if the site is still compromised.

------
dholowiski
That's great, thanks. I was relieved to not find my email in the list, although
I could swear I've commented on gawker sites.

~~~
jamesjyu
You probably used Facebook Connect.

This, btw, is a great example of when using a trusted 3rd party login is a big
win.

~~~
ThePengwin
Still, it's annoying when they can turn around and use such a login to spam
things to another account.

Sadly, I'm on the list, and it was an account I was banned from posting with
about 2 years ago. I wish I could have deleted it.

------
il
If your email is in that list, expect it to get spammed heavily in the coming
days.

While it's nice of random social whatever startup hint.io to warn people that
their password is compromised, linking to their landing page multiple times in
the email makes me think they have ulterior motives.

------
ja27
I got a "We've detected unusual activity on your account" lockout on my Gmail
account this morning. Since I can't find anything suspicious on the account I
assume it's just bots hammering away, trying the Gawker password and other
guesses. Anyone else get that?

~~~
Danny72
I had that as well. No strange IP addresses are listed as having accessed it,
so I assume it's safe.

------
patrickgzill
I have to say I am underwhelmed by the speed of browsing this table.

------
rscott
Well, that is most unfortunate.

A big thanks for the heads up.

------
eekfuh
266 emails whose domain end with .gov

Very interesting.

~~~
jrockway
Interesting that people only have a work account, or interesting that people
who work for the government also slack off at work?

.gov is not just Obama and super-secret crypto scientists. It's also the
person who makes sure that every form they send out has an OMB Control Number.

~~~
eekfuh
(I wasn't going to reply but since I'm getting pretty heavily down-voted I
will)

I was commenting on how I thought it was interesting that so many government
employees would use their work email for (most likely) non-work related
sites.

Also I find it interesting how assuming you were off such a small comment I
posted.

------
kra
<http://www.didigetgawkered.com/>

------
ABrandt
For some reason every md5 from this spreadsheet I try to decrypt, I get
nothing. I'm using online tools like md5decrypter.com to do this. Am I missing
something?

~~~
aneesh
md5 is a hash function, and hash functions are designed to have two
properties:

1) they are _hiding_. You (theoretically) can't reverse the function by any
method other than brute-force.

2) they are _binding_. You (theoretically) can't find any other input that
hashes to the same output by any method other than brute-force.

Any tool that "decrypts" md5 hashes most likely does so by generating what is
called a rainbow table -- a giant list of many possible inputs, and the hashes
they generate. If you look at the spreadsheet and find a hash from your
rainbow table, voila, you know what it came from. To make it harder to use
rainbow tables, any security-conscious site will "salt" the passwords before
hashing them, by adding a random string prefix. The point is for the random
"salt" to be different for each password you are hashing, so a standard
(unsalted) rainbow table won't work, and further, the same rainbow table won't
work for every password.

(md5 itself has been shown to be vulnerable to collision attacks, which is why
I said "theoretically")

~~~
ABrandt
Okay thank you for the explanation. Let me try and apply my rudimentary
knowledge here...

So a hash function is used to encrypt data by translating it with a certain
rule set--I've learned about a simple key%b type function before. But with md5
this hashing function isn't the same each time a new code is created? How is
the system able to decode it then? _Something_ out there has to know how to
translate that back into a readable string right?

And collision is when different strings end up with the same encrypted code
(except if you use a hash chain structure). So how is this used in an attack?

Sorry for all the questions. I know I could probably google this but I always
learn better through instruction. Thanks!

~~~
edanm
"_Something_ out there has to know how to translate that back into a readable
string right?"

Wrong. That's exactly your misunderstanding - MD5 is _not_ an encryption
function, but a hashing function.

The way it works is, given some string, it will output a new, random-looking
string. It's impossible to go backwards, i.e. given the output of running MD5,
you can't tell the input.

In a nutshell, The way password authentication works is this: when you sign up
to a site, a hash of your password is saved. At this point no one, not even
the site itself, can tell what your password was.

When you want to log in, you send the password over to the site, they hash it
again, and compare the output with the saved hash. If you put in the same
password, the hash will come out the same. And it's very, very hard to find a
different string which _isn't_ your password which will get you the same hash
output.
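aneesh's rainbow-table point and edanm's hash-then-compare login flow, carried through as an added Python example (not code from the thread): an unsalted MD5 store falls to a plain table lookup, while a per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256, a stand-in for whatever a site actually uses) does not, and verification still works. The "common password" list and the table built from it are constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a precomputed table: plaintext -> unsalted MD5.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "gawker1"]
PRECOMPUTED_MD5 = {hashlib.md5(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}


def store_unsalted_md5(password: str) -> str:
    """The weak scheme: a single MD5 of the password, no salt."""
    return hashlib.md5(password.encode()).hexdigest()


def lookup_unsalted(stored_hash: str):
    """A leaked unsalted hash is recovered by table lookup alone."""
    return PRECOMPUTED_MD5.get(stored_hash)


def store_salted(password: str, iterations: int = 200_000) -> str:
    """Per-user random salt + slow KDF. Record format: 'salt_hex$iters$hash_hex'."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{salt.hex()}${iterations}${digest.hex()}"


def verify_salted(password: str, record: str) -> bool:
    """Login check: re-derive with the stored salt and compare in constant time."""
    salt_hex, iters, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def lookup_salted(record: str):
    """The same precomputed table against a salted record finds nothing: the
    salt changed the input, so no table built without it can match."""
    _, _, digest_hex = record.split("$")
    return PRECOMPUTED_MD5.get(digest_hex)
```

Two users with the same password get different salted records, so a table would have to be rebuilt per salt, which is the cost the salt is there to impose.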

~~~
bigiain
"The way password authentication works is this: when you sign up to a site, a
hash of your password is saved."

That's an assumption that's been proven wrong _way_ too many times...

------
franze
thx, great tool, mine was part of the leak .... i commented once about a year
ago .....

------
fellowniusmonk
Thank goodness I always use mailinator for junk like that.

------
mahmud
Warning: logging into any of the compromised Gawker accounts might result in
exposure to the inane life details of a Gawker reader!

