Analysis of the Gawker compromise - sucuri2
http://blog.sucuri.net/2010/12/analysis-of-the-gawker-compromise.html

======
Timothee
This morning, I received the email from Gawker saying my account had been
compromised. I actually didn't remember having an account with them. I imagine
I commented on Gizmodo at some point...

Anyway, the weird part is that I asked to reset my password (couldn't remember
mine or it didn't work) and I received credentials to log in to an account
that was clearly not mine (only one comment made, and definitely not from me),
and the email address used was unlikely a typo.

Has their database been mixed up too? I haven't really seen anything about
this, but my case is odd.

~~~
sucuri2
I didn't hear anything about it, but that would be even worse... I got an
email from them as well, but don't remember ever registering there (and my
email is not in the data dump).

------
dcid
Checking if any of my emails is in the list there... Do I have an account
there? Don't know.

What is funny is that I never remember where I have accounts now...

~~~
sucuri2
That's the problem. People create the account once to post a comment and don't
think about it anymore.

Since every site asks for a user/pass, people re-use their passwords,
escalating the problem of a compromise.

If OpenID were a bit easier to use for the end user, this wouldn't be an
issue...

