I think I am going to be checking the dump to ensure my password is not among it…
Remember, don’t use the same password across the Internet. Here’s why.
Edit: It’s there, apparently as a DES hash. …
Update 2: The first two characters are the hash. So if you use a tool like https://hash.online-convert.com/des-generator you are going to put your password in the “Text you want to convert…” box and the first two characters of your hashed password in as the “Salt (optional)”. Then you will see the “Calculated DES Hash” which will be the same as the hashed password from the torrent if you knew or guessed the password correctly.
E.g.
Your Lifehacker password is “hackern”, but in the torrent, it’s just “8h48GPxmwy.EA”. Just to show the torrent is legit, you go to the website I entered above, enter “hackern” and “8h” as the salt; it will spit back “8h48GPxmwy.EA”.
Update 3: “OFFER HN”: The most paltry “Offer HN” ever — send me your username or email address and I’ll grep both files for you to see if your password and/or hash is in one of them. My email is contact-at-<HN username>ogan.com
One liner to find if any of your Facebook friends had their password compromised:
grep -Eo '[[:alnum:]+._-]+@[[:alnum:]._-]+' yahoo_ab.csv | while read -r line; do grep -F " $line" parsed_db.txt; done
For those not in the know, you can export a CSV of your Facebook friends' email addresses in under 4 minutes by following this guide: http://lifehacker.com/5690378/how-to-export-your-friends-ema...
which yields a yahoo_ab.csv. From there you can cross check it against the parsed_db.txt file or the full_db.log
You should probably tell your friends if they're showing up in the parsed_db.txt as one of their passwords can now be seen by anyone.
I already did this. I'm tempted to set up a utility page where you enter your email and the utility just tells you if it was in the DB, but I don't know how legal that would be. Checking the data for personal defensive purposes is arguably defensible - setting up a tool based on that data (even benign) is likely less so.
For people who can't remember if they ever signed up:
Go to gawker.com and use the 'forgot my password' utility. It's under login > forgot my password. Enter your email address in the field provided. It will tell you straight away "That email address is not in our records. Please try again."
I can't think of any reason this would be incorrect based on the recent events. Of course, this doesn't tell you whether your password is vulnerable, just whether you have an account.
Apparently somebody thinks they're a "white knight". I just got an email from "The Team at Hint" (teamhint at hint dot io). The text is:
Hi there,
Hint wanted to let you know that your email address and password that you used to signup for Gawker (or one of its sites) were hacked. Forbes' coverage is here
In situations like this, time is of the essence, which is why we were surprised & shocked to find that Gawker Media hadn't taken the initiative to notify you of this privacy breach immediately. We HIGHLY recommend you change all of your online passwords as a precaution.
I can't see how it's unethical, unless even looking at the data is unethical, and you'll have to convince me of that. I'd be more concerned about the ramifications than the ethics. The least bad thing that could happen here is winding up on some big ISP's blacklist because enough of their users marked this unsolicited mail as spam. Once that happens, good luck communicating with your customers.
I'm sure you can imagine the worst that could happen. Courtrooms are not happy fun places.
"Unsolicited scary email from some guy that got my email from a hacker" sounds like it would only be slightly less legally dangerous than just straight up forcing hashes and posting them.
Definitely better than always reusing. But it’s still semi-vulnerable if for some reason your plaintext password is discovered. gawk--yourpass does kind of suggest bank--yourpass.
Go to gawker.com > "login" > "forgot password". Put your email. If it says it sent a new password, then they had it. "Username was not in our records" -> it wasn't.
If the servers are still compromised, I don't think they'd have stopped with a dump full of hashes and a few posts on Gawker. My guess is that the intrusion was discovered while they were doing the dump, which is why it's incomplete.
Thanks for posting this - it works great. Just to summarize, here's what you want to check if your password has been compromised:
1) Fire up Terminal on your local MacBook and enter the above string, subbing in your password.
2) Open the spreadsheet and set the filters to domain - enter your domain name(s) and hit submit.
3) If any results are returned, then compare the MD5 hash in the result set with the MD5 hash returned from step #. If they're the same, start changing your passwords.
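The cross-check described in the two procedures above (extract addresses from an exported contacts CSV, then compare them against a hashed index), written as an added Python example rather than the thread's own one-liner. The sample CSV and the list of "leaked" addresses are constructed, and the index format (a bare MD5 of the lower-cased address, as the MD5 spreadsheet suggests) is an assumption.

```python
import csv
import hashlib
import io
import re

# Same shape as the grep pattern in the thread: local part, "@", domain.
EMAIL_RE = re.compile(r"[A-Za-z0-9+._-]+@[A-Za-z0-9._-]+")


def extract_emails(csv_text):
    """Pull every address out of an exported contacts CSV, whatever the column layout."""
    found = set()
    for row in csv.reader(io.StringIO(csv_text)):
        for cell in row:
            for match in EMAIL_RE.findall(cell):
                found.add(match.strip().lower())
    return found


def md5_hex(address):
    """MD5 of the normalised (trimmed, lower-cased) address, so case differences do not hide a hit."""
    return hashlib.md5(address.strip().lower().encode("utf-8")).hexdigest()


def build_hashed_index(addresses):
    """Stand-in for the hashed spreadsheet: only MD5(address) is kept, never the plaintext (assumed format)."""
    return {md5_hex(a) for a in addresses}


def find_exposed(csv_text, hashed_index, domain=None):
    """Addresses from the CSV whose MD5 is in the index, optionally restricted to one domain."""
    hits = (a for a in extract_emails(csv_text) if md5_hex(a) in hashed_index)
    if domain is not None:
        hits = (a for a in hits if a.endswith("@" + domain.lower()))
    return sorted(hits)


# Constructed sample data; none of this comes from the real dump.
FRIENDS_CSV = """First Name,Last Name,Email
Alice,Example,Alice@Example.org
Bob,Example,bob@example.net
Carol,Example,carol@example.com
"""
LEAKED_ADDRESSES = ["bob@example.net", "Carol@Example.COM", "dave@example.org"]

if __name__ == "__main__":
    index = build_hashed_index(LEAKED_ADDRESSES)
    for addr in find_exposed(FRIENDS_CSV, index):
        print(f"{addr}: in the breach index; tell them to change any reused password")
```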
Can anyone look up my name? I don't have access to my personal email to send an email to the OP. I don't remember if I have used comments on Gawker sites, but anyway, to be sure. The user ID I generally use is the same as here. Thanks.
I manage a domain through Google Apps, and I've discovered that that domain is on the list.
It's probably me, but I can't figure out what address was used (none of the MD5 hashes that are in the fusion table are matching).
Seeing as you've got this for analysis, it'd be nice if you could help me figure out if one of my users was compromised (the domain is the same as the email on my hn profile).
It'd really suck if I have to change my password scheme because of this. :|
It's the one starting with 7335e7777f449de7533bfcc81efda
For the past 2 years I have been hashing all my passwords with custom algorithms in a hashing bookmarklet, but I don't even remember when or why I created an account on there and I am curious which password I've used.