
Gawker Website source, databases & passwords now on BitTorrent - tenaciousJk
http://thepiratebay.org/torrent/6034669/Gawkmedia_source_code___database_release_
======
alanh
I think I am going to be checking the dump to ensure my password is not among
it…

Remember, don’t use the same password across the Internet. Here’s why.

 _Edit:_ It’s there, apparently as a DES hash. …

 _Update 2:_ The first two characters are the hash. So if you use a tool like
<https://hash.online-convert.com/des-generator> you are going to put your
password in the “Text you want to convert…” box and the first two characters
of your hashed password in as the “Salt (optional)”. Then you will see the
“Calculated DES Hash” which will be the same as the hashed password from the
torrent if you knew or guessed the password correctly.

E.g.

Your Lifehacker password is “hackern”, but in the torrent, it’s just
“8h48GPxmwy.EA”. Just to show the torrent is legit, you go to the website I
entered above, enter “hackern” and “8h” as the salt; it will spit back
“8h48GPxmwy.EA”.

 _Update 3:_ “OFFER HN”: The most paltry “Offer HN” ever — send me your
username or email address and I’ll grep both files for you to see if your
password and/or hash is in one of them. My email is contact-at-<HN
username>ogan.com

~~~
cheald
I already did this. I'm tempted to set up a utility page where you enter your
email and the utility just tells you if it was in the DB, but I don't know how
legal that would be. Checking the data for personal defensive purposes is
arguably defensible - setting up a tool based on that data (even benign) is
likely less so.

~~~
CWuestefeld
Apparently somebody thinks they're a "white knight". I just got an email from
"The Team at Hint" (teamhint at hint dot io). The text is:

 _Hi there,

Hint wanted to let you know that your email address and password that you used
to signup for Gawker (or one of its sites) were hacked. Forbes' coverage is
here

In situations like this, time is of the essence, which is why we were
surprised & shocked to find that Gawker Media hadn't taken the initiative to
notify you of this privacy breach immediately. We HIGHLY recommend you change
all of your online passwords as a precaution.

-The Team at Hint

(This is a one time email)_

I'm not sure how ethical this is.

~~~
bmastenbrook
I can't see how it's unethical, unless even looking at the data is unethical,
and you'll have to convince me of that. I'd be more concerned about the
ramifications than the ethics. The least bad thing that could happen here is
winding up on some big ISP's blacklist because enough of their users marked
this unsolicited mail as spam. Once that happens, good luck communicating with
your customers.

I'm sure you can imagine the worst that could happen. Courtrooms are not happy
fun places.

~~~
henriwatson
The message is lined with tracking URLs.
[http://identityvector.com/~phil/2010/12/how-not-to-
capitaliz...](http://identityvector.com/~phil/2010/12/how-not-to-capitalize-
on-compromise/)

------
kacy
This is _serious_. I just checked out the torrent with the text file of the
200,000 cracked passwords. I searched for an @me.com account and logged into
someone's Apple account. It was possible for me to order stuff via their
account. I quickly emailed the guy to let him know to change his password.
Gawker _needs_ to take responsibility for this situation and email everyone in
their database.

~~~
CoachRufus87
If they haven't done so already, then they've lost any and all credibility as
a company in my eyes.

~~~
wildmXranat
You mean it hasn't happened already? Gawker scrapes the bottom of the Internet
barrel.

------
danilocampos
My credentials were in the pile.

So, uh, how come I and everyone else affected don't have an email in our
inboxes from Gawker right now, marked as urgent, explaining the situation?

Doesn't that seem like the right thing to do?

~~~
Q6T46nT668w6i3m
Max from Gawker claimed that users were notified yesterday afternoon:

[http://www.ilxor.com/ILX/ThreadSelectedControllerServlet?sho...](http://www.ilxor.com/ILX/ThreadSelectedControllerServlet?showall=true&bookmarkedmessageid=2181143&boardid=40&threadid=45134)

FWIW: I wasn't notified.

~~~
tallanvor
I wasn't notified either. At least not by Gawker. Apparently the people at
hint.io took the initiative to send out emails, which is nice of them, but
hopefully they don't use the email addresses for anything else.

~~~
tenaciousJk
I think they had a competition to see how many buzzwords they could fit into
a single, run-on sentence: <http://hint.io/about>

------
jbm
Looks like it is quite easy to shut off ads on Gawker. They do a simple
boolean check to see if you have a "noad" cookie set. Try entering this into
the console.

    
    
        javascript:document.cookie='noad=true; expires=Thu, 2 Aug 2021 20:47:11 UTC; path=/';
    

This shuts everything off, except for one ad at the top.

(I put up a bookmarklet for this if anyone wants to try it out:
<http://bit.ly/exvive>)

------
Q6T46nT668w6i3m
Has anyone checked if source/ contains the source for their proprietary CMS?

From Felix Salmon:

 _Most of the value of Gawker Media lies in Hungary—but how much value is
there, really? To a large degree that depends on what Denton decides to do
with his proprietary technology. Other blogging platforms are worth nine-
figure sums—Tumblr just got a valuation of $135 million, while Automattic, the
parent of WordPress, turned down a $200 million acquisition offer three years
ago, when it was much smaller than it is today, and subsequently raised money
at a valuation north of $150 million. I know a lot of people at big media
companies who struggle with the limitations of WordPress, and who would pay
good money to license an alternative web publishing technology, if it was
robust and proven. Big companies are already licensing the NYT’s Press Engine
mobile-publishing technology, and it’s rumored that at one point Denton was
talking to Bonnie Fuller about licensing his technology to her nascent
website, although that never happened._

<http://news.ycombinator.com/item?id=1998642>

~~~
mikeklaas
Those valuations have nothing to do with "CMS technology"; it is instead the
userbase, ecosystem, and mindshare those platforms have acquired.

~~~
jacquesm
And the CMS technology part of the equation just took a bit of a hit here.

------
watty
This is a huge breach yet users have to scroll down a full page on Gizmodo.com
to find a small article about it.

~~~
joeybaker
Worse, the Gawker post on the issue [http://gawker.com/5712615/commenting-
accounts-compromised-++...](http://gawker.com/5712615/commenting-accounts-
compromised-++-change-your-passwords) releases no details. Instead of giving a
detailed description of what happened, they simply say, "change your
password." With that level of detail, you might think they're now afraid to
even write "4Chan."

~~~
puredemo
And the post doesn't allow comments either, so there is no way for users to
mention the extent of the compromise.

------
paulitex
I've downloaded the torrent; convenient of them to give an email address with
each cracked account.

I'm currently writing a little script that parses all the addresses and emails
the owners a heads up. I gotta step out so I won't have it done for 2-3 hours
and I thought I'd post here in case anyone else has that idea (don't want to
flood the victims).

~~~
dwynings
We've got it covered.

~~~
paulitex
Great, thanks.

------
wippler
For anyone who is interested in more details, check out the readme file for
how it actually went, at least a rough sketch of it.

<http://pastebin.com/cpb7ndV8>

~~~
sero
Sounds like they probably used social engineering to get initial password(s)
and thanks to poor security practices used those to go from there? Not to
sound malicious or impersonal, but breaking something so wide open is like
solving a hard puzzle; I'd be really interested to hear more details on how
they actually did it.

------
brandnewlow
Random datapoint: My e-mail was one that got hit in this hack. 15 minutes ago
my Twitter and Gmail both just locked me out. I was able to set new passwords
via mobile verification, but that was pretty spooky and clearly someone is
going after the people who got exposed here.

~~~
brandoncor
So you used the same password for Twitter, Gmail and Gawker? Or did the
accounts get compromised some other way?

~~~
brandnewlow
Yup! I make no excuses. That's been remedied now.

------
kmfrk
Having seen the pastebin link, these guys use really, really poor passwords.
Only alphanumeric - usually just one of the two - rarely with capitalization,
and nothing else.

~~~
alanh
_The parent comment is likely referring to admin & username passwords for
people working at Gawker Media, such as Gizmodo, Lifehacker, and Kotaku
contributors._

All the usernames and passwords for users with {@lifehacker.com, @gawker.com,
etc.} email addresses are in the torrent (plaintext, not hashed). The torrent
claims Nick Denton’s password was an 8-character sequence of even numbers, and
that he used it _everywhere_. ( _Edit in reply:_ The hackers used this on e.g.
his Twitter account IIRC so it wasn’t truncated to 8 characters.) Some of them
are even '11223344' or a substring of the author’s username!

~~~
wahnfrieden
This isn't entirely accurate. Their hashing mechanism only hashes and stores
the first 8 characters of the password. So you only need to get the first 8
right, even if the password is 12 long.

That also means that, although unlikely for some, '11223344' could have
actually been '11223344aBc$!q'. Not that it would have mattered though!

~~~
27182818284
It matters a little outside of Gawker, right? Because a site that requires all
of say, 12 characters, if the remaining 4 weren't predictable, would be safe
even with the first 8 exposed.

~~~
alanh
Yeah, but only as “safe” as a 4-letter password. Assuming full alphanumerics,
that’s only 14 million possible 12-character passwords to try. Given a 1GHz
processor, well, you see where I’m going with this.

This is why I freaked out when bluehost.com (AVOID!) required the last four
characters of my password to accompany support requests(!).

~~~
27182818284
Yeah I was just using the 12 as an example, but someone with say 36 chars past
the 8 recovered from gawker should be a little more at ease.

I don't think I've logged into any of their sites, I use different passwords
at different sites and they are generally > 20 chars, so I'm not worried. Yet,
at the same time, even knowing all of that, I did a bit of a double take and
had a brief "Oh shi-" moment of paranoia when I read the headline.

In fact, if I were say a young starlet that used a similar password for my
private email or something as my Gawker account, I'd be really freaked!

------
lotides
Can Gawker be held legally liable for maintaining poor security standards and
incompetence leading to this? Can anybody cite related laws or cases?

~~~
MiguelHudnandez
California's SB 1386 does not seem to apply, as there is no "Personal
Information" in the leaked database.

One thing open to interpretation would be whether the password in the file
could be used to access someone's bank account. If someone uses the same
e-mail address and password at both sites, that would be true.

    
    
      Section  1798.29, E, 3 
       -- Definition of Personal Information
      Account number, credit or debit card number, 
      in combination with any required security code, 
      access code, or password that would permit 
      access to an individual's financial account.
    

* [http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_13...](http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html)

I am not a lawyer.

------
sams99
When will people learn to use bcrypt for their passwords, and on that topic,
when will a "security expert" bless it
<http://stackoverflow.com/q/3722780/17174>

------
wizardishungry
Does anyone have any information on changing all their account passwords at
once? I don't use the same password for any sites, but unimportant sites like
blogs, etc. I use fairly similar passwords on.

------
fendrak
For a little background information on DES password hashing, check out this
assignment from my Computer Security class at UT Austin:

[http://www.cs.utexas.edu/users/byoung/cs361/crack-
assignment...](http://www.cs.utexas.edu/users/byoung/cs361/crack-
assignment.html)

It gives a little bit of background information on password hashing and
salting, and on simple password cracking techniques.

------
beaumartinez
TPB have removed the torrent.

------
quellhorst
The torrent has been removed. Is there another place to download?

~~~
soult
As with all files that have recently been removed from thepiratebay, they are
still reachable with this URL (where ID obviously is the numeric ID seen in
the original torrent URL):

[http://torrents.thepiratebay.org/<id>/somerandomname...](http://torrents.thepiratebay.org/<id>/somerandomnamefortorrentfile.torrent)

------
philfreo
Seriously, use 1Password... it's great.

~~~
Du4No
KeePass as a free alternative

~~~
wnoise
And the clone keepassx for running on unixes.

------
flexd
I had no clue what Gawker was until I saw this. Am I expected to

~~~
flexd
Seems half my comment disappeared. (magic?) So did everyone know about this
site or am I just slow?

Half of my comment actually disappeared when I posted this as well. Had to
edit it to get everything in.

------
dataminer
It's a good idea to use KeePass and Keyfox to generate different secure
passwords for every site instead of using one weak password for all the sites.

------
ShabbyDoo
So, were these "passwords" stored as salted hashes?

~~~
wippler
From the readme.txt file,

Gawker uses a really outdated hashing algorithm known as DES (Data Encryption
Standard). Because DES has a maximum of 8 chars using a password like
"abcdefgh1234" only the first 8 characters "abcdefgh" are encrypted and stored
in the database. If your password is longer than 8 characters you only need to
enter the first 8 characters to log in!

Is this true? I tested it now and it needed the full password for a successful
login.

~~~
tptacek
DES crypt (I don't know that that's what they're using) is better than salted
SHA1, vis a vis crackability.

~~~
bbatsell
I'm not a cryptographer by any means, so please forgive and correct any
errors. I'm assuming you're just saying that building rainbow tables once you
have a static salt and the hashes becomes a feasible proposition? Wouldn't
using a dynamic salt with each hash make a full dump like this significantly
less crackable than DES with several weaknesses and a 56-bit cipher? (And
that's, of course, assuming that the DES key doesn't leak along with the
dump.)

~~~
tptacek
DES crypt(3) doesn't have a "key"; it truncates/pads passwords into a DES key
used to encrypt (with a salt) an all-zeroes block. It's horrible cryptography,
but it's slower than SHA1.
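As an added example for the truncation question raised above (wahnfrieden, wippler) and for sams99's "use bcrypt" point, here is the password-to-key step of traditional DES crypt(3) next to a per-user-salted, deliberately slow scheme built from the Python standard library. This is not Gawker's code and not from the readme. `des_crypt_key` reproduces only crypt(3)'s key derivation (the first eight bytes, each shifted left one bit, zero-padded), which is exactly why bytes beyond the eighth never reach the cipher; it does not run the DES rounds, so it cannot check a hash from the dump (for that, call your libc's `crypt(3)` locally rather than pasting a password into an online converter). `hash_password`/`verify_password`, the `$pbkdf2-sha256$` encoding and the iteration count are this example's own choices; PBKDF2-HMAC-SHA256 is used because it needs no third-party package, while bcrypt, scrypt or Argon2 would be the usual picks where a library is available.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Added example, not Gawker's code. Contrasts the DES crypt(3) key step
# (why only 8 characters matter) with a salted, slow KDF from the stdlib.

ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor (OWASP's 2023 floor)
SALT_BYTES = 16


def des_crypt_key(password: str) -> bytes:
    """Key material traditional crypt(3) feeds to DES.

    Only the first 8 bytes of the password are used; each is shifted left one
    bit (DES ignores the parity bit) and short passwords are zero-padded.
    Anything after byte 8 never reaches the cipher, so 'abcdefgh1234' and
    'abcdefgh' produce the same key and therefore the same hash.
    """
    raw = password.encode("utf-8")[:8]
    return bytes(((b << 1) & 0xFF) for b in raw).ljust(8, b"\x00")


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return '$pbkdf2-sha256$<iters>$<salt>$<dk>' (an encoding chosen for this example).

    A fresh random salt per user means two users with the same password get
    different hashes, and a precomputed table for one salt is useless for another.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$pbkdf2-sha256${}${}${}".format(iterations, _b64(salt), _b64(dk))


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and work factor; compare in constant time."""
    try:
        _, algo, iters, salt_b64, dk_b64 = stored.split("$")
        if algo != "pbkdf2-sha256":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
        iterations = int(iters)
    except (ValueError, TypeError):
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(dk, expected)


if __name__ == "__main__":
    # Under crypt(3)'s key step these two passwords are indistinguishable.
    print(des_crypt_key("11223344") == des_crypt_key("11223344aBc$!q"))   # True
    # Under the salted KDF the suffix matters, so the short guess is rejected.
    h = hash_password("11223344")
    print(verify_password("11223344", h), verify_password("11223344aBc$!q", h))   # True False
```

The work factor is stored inside the hash string so it can be raised later without invalidating existing records: re-hash on the next successful login and the old, cheaper hash is replaced.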

------
jtagen
I wonder if there's an option for an ISP to proactively secure these accounts.
GMail has phone verification for backup, they could temporarily disable the
account of anyone who has a matching password.

Odd, I'm sure I had a lifehacker comments account, but my username isn't
listed. No complaints though.

------
liedra
I have an io9 account (that's a Gawker site) but my email isn't showing up in
a grep of the db dumps. Perhaps this is not the entire database after all? (I
didn't use Facebook Connect.)

I must admit I'm a bit intrigued as to why mine's not there. Anyone else in
this boat?

~~~
lzm
From the readme:

    
    
       After gaining access to gawkers MySQL database we stumble upon a huge
       table containing ~1,500,000 users. After a few days of dumping we
       decided that 1.3 million was enough.

~~~
liedra
Thanks, I must have missed that! I also saw an additional claim on the "Gnosis
explains" article:

"The actual database size is 1,247,897 rows, which is 80+% of their database."
- [http://www.mediaite.com/online/exclusive-gawker-hacker-
gnosi...](http://www.mediaite.com/online/exclusive-gawker-hacker-gnosis-
explains-method-and-reasoning-behind-his-actions/)

I wish I could win a raffle with that sort of luck though! ;)

------
nhangen
I'm in there, and I'm grateful to the HN community for showing me how to find
out. This is rather alarming...I've passed it on to my newsletter subscribers,
Twitter, Facebook, etc.

Kind of ironic really, considering the whole secrecy vs non-secrecy debate.

------
dacort
Looks like somebody decided to spam the heck out of Twitter with those
compromised passwords.
<http://twitter.com/#!/delbius/statuses/14235293116792833>

~~~
bigiain
I just saw a bunch of spam status updates on my sister's Facebook account
that'd just be way too much of a coincidence to not be related to this...

------
norova
I'm currently sending emails to the first 50,000 addresses listed in the
database dump via SendGrid. I only have 50,000 credits left for this month,
but at least that many will get notified.

~~~
petercooper
A bit too late now, but that violates at least the first three terms of the
SendGrid e-mail TOS and I wouldn't be surprised if SendGrid got a "bit upset"
about it.

~~~
norova
Well, haven't actually clicked the send button yet.. was waiting for the
import to finish. I'm second-guessing the foolhardy good samaritan effort now,
though. ;)

It's a free account that I got via an AppSumo bundle, so no real loss to me if
it gets terminated, but I'd rather not go that route to begin with, ya know?

~~~
dwynings
We've got the entire list covered.

~~~
norova
Good to know. Thanks! I can remain a normal TOS-fearing citizen. :)

------
bhrgunatha
Does anyone have a list of sites that gawker owns - I have no idea which sites
I need to potentially check.

EDIT: Nevermind - it seems that resetting your password at gawker.com resets
for all of their sites.

------
redthrowaway
This is what mailinator and, failing that, tenminutemail accounts are for. Why
people sign up for random sites with their personal emails just to comment on
articles is beyond me.

------
anigbrowl
The passwords aren't very important, although I can see why that'd be an
issue. But those internal chat logs are going to be a bit of a problem. For
Nick Denton, that is.

------
enko
Damn, I'm on the list as well. This is the straw that broke the camel's back -
I'm buying 1passwd, and converting to it wholesale.

------
ericflo
Was this a Campfire hack, or did they happen to know a username/password combo
and try Campfire first?

------
olalonde
Anyone know how they got access to their Campfire account? (That's where they
found the server passwords)

~~~
cheald
If I had to bet? Firesheep or similar + a writer sitting at a Starbucks. Your
guess is as good as mine, though. Campfire's under SSL, but people re-use
passwords and it's trivial to lift a password-in-the-clear off of a public
wireless hotspot. If you wanted to target Gawker, it wouldn't be hard to
identify people practicing poor security and just watch them until they
slipped up.

------
jdbeast00
Does anyone know if their other sites' DBs were compromised aside from
gawker.com?

~~~
cilantro
It seems to me that all their sites are run off one complicated db schema. I
just confirmed that my Lifehacker user name is in there.

------
arn
any chance it's related to this?

<https://forum.bytemark.co.uk/comments.php?DiscussionID=2701>

~~~
joeybaker
No. Gawker uses Google Apps for email. <https://www.google.com/a/gawker.com>

------
trucious
torrent not found..

------
Keyframe
Early Christmas for spammers. What a disaster.

------
iphoneedbot
I'm curious, how come it only shows 65k email addresses, but everywhere I've
read reports email addresses totaling over a million?

~~~
fhars
My guess: It only shows so few accounts because you are opening the file with
a spreadsheet program that is limited to 65536 rows.

~~~
iphoneedbot
Ah! Gotcha! _hat tip_
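As an added example for the "am I in it?" checks discussed in this thread (alanh's grep offer, cheald's utility idea, and the 65,536-row spreadsheet limit fhars points out), here is a small local checker that streams the dump line by line instead of loading it into a spreadsheet, so no row is silently dropped and neither the file nor your address leaves your machine. This is not code from the thread or from the dump's authors. The tab-separated "email, username, hash" layout and the sample rows are constructed for the example; the real file's format is not described on this page, so adjust `parse_dump` to whatever columns you actually see.

```python
from typing import Dict, Iterable, Tuple

# Added example, not from the thread. Checks a dump locally; nothing is sent
# to a third-party site. The column layout is an ASSUMPTION for this example.

# Constructed sample rows, not data from the dump; hashes are placeholders.
SAMPLE_DUMP = """\
# email<TAB>username<TAB>hash
Alice@Example.com\talice\t8h48GPxmwy.EA
bob@example.org\tBob\tplaceholderhash
   Carol@me.com  \tcarol\t
this line is malformed
DAVE@example.net\tdave\tplaceholderhash
"""


def normalise(email: str) -> str:
    """Lower-case and strip so mixed-case or padded addresses still match."""
    return email.strip().lower()


def parse_dump(lines: Iterable[str]) -> Tuple[Dict[str, dict], Dict[str, int]]:
    """Stream rows into {normalised email: row} plus simple counters.

    Streaming means a 1.3M-row file is handled in one pass; a spreadsheet
    capped at 65,536 rows would show only the first 65,536. Blank and
    comment lines are skipped, malformed rows are counted rather than fatal.
    """
    index: Dict[str, dict] = {}
    stats = {"rows": 0, "malformed": 0}
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.rstrip("\r\n").split("\t")
        if len(parts) < 3:
            stats["malformed"] += 1
            continue
        email, user, pw_hash = (p.strip() for p in parts[:3])
        stats["rows"] += 1
        index[normalise(email)] = {"user": user, "hash": pw_hash}
    return index, stats


def lookup(index: Dict[str, dict], *emails: str) -> Dict[str, dict]:
    """Return {normalised email: row} for each given address present in the dump."""
    found = {}
    for e in emails:
        key = normalise(e)
        if key in index:
            found[key] = index[key]
    return found


if __name__ == "__main__":
    index, stats = parse_dump(SAMPLE_DUMP.splitlines())
    print(stats)                                          # {'rows': 4, 'malformed': 1}
    print(lookup(index, "alice@example.com", "nobody@example.com"))
    # With a real file, pass the open handle so it is read incrementally:
    #   with open("dump.txt", encoding="utf-8", errors="replace") as f:
    #       index, stats = parse_dump(f)
```

A row whose hash column is empty (Carol in the sample) is still reported, since an address appearing in the dump at all is what a victim wants to know about; whether the hash was cracked is a separate question.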

------
drivebyacct2
Weird... One of my throwaway accounts appears with a name I know I've never
used before. Then again, I had someone sign up for a Facebook account with
that email address once too...

~~~
drivebyacct2
WTH? Why downvote this? Especially as I've seen users on Gawker's sites, HN
and reddit mention the same issue. Really? What is the purpose of downvoting
this?

