Gawker hack attack: millions of accounts compromised

Hackers who may or may not be from 4chan took down all Gawker Media sites over the weekend, publishing staff passwords and obtaining usernames, emails, and passwords for 1.5 million users registered on the Website network.

As seems to be the norm lately, Gawker was hacked and taken down this weekend by a group that invokes 4chan repeatedly while saying it is not affiliated with it (4chan being the Internet equivalent of a pirate island). Every site under the Gawker Media brand (Lifehacker, Gawker, Gizmodo, Jezebel, io9, Jalopnik, Kotaku, Fleshbot, Deadspin) was affected, and usernames and passwords for 1.5 million accounts were compromised. After taking over the Gawker site, the hackers, who call themselves "Gnosis", published the passwords of site staff members and a long list of users whose password was "password". For good measure, they also shared bits and pieces of Gawker's custom CMS source code.

Below is a quote from one of the hackers, posted on Mediaite.

“We went after Gawker because of their outright arrogance. It took us a few hours to find a way to dump all their source code and a bit longer to find a way into their database. We found an interesting quote in their Campfire logs:

Hamilton N.: Nick Denton Says Bring It On 4Chan, Right to My Home Address (After The Jump)

Ryan T.: We Are Not Scared of 4chan Here at 210 Elizabeth St NY NY 10012

I mean if you say things like that, and attack sites like 4chan (which we are not affiliated to) you must at least have the means to back yourself up. We considered what action we would take, and decided that the Gawkmedia "empire" needs to be brought down a peg or two. Our group's mission? We don't have one.

We will be releasing the full source code dump along with the database at 9PM GMT today. You are the only outlet we have told the release time.”

After initially denying the attack, Gawker has issued an apology to its users on all of its sites, urging them to change their passwords. Gawker says the passwords were encrypted, but that is little comfort for anyone with a simple password: whoever holds the database can guess a candidate such as "password", run it through the same transformation, and compare the result with the stored values, with no login rate limit to slow them down. The group has a complete copy of the entire account database to work against, which is exactly how it produced its list of users whose password was "password".
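How that offline attack works against a leaked dump, as an added example that is not part of the original article and does not reproduce Gawker's actual storage scheme. The accounts, salts and wordlist below are constructed; unsalted SHA-1 stands in for a fast hash, and PBKDF2 with a per-user salt stands in for a hardened one. The point is that "password" falls either way, but the hardened scheme removes the one-lookup-table-cracks-everyone shortcut and charges the full derivation cost for every guess against every user.

```python
import hashlib
import hmac
import secrets

# Constructed wordlist standing in for the common passwords a cracker tries first.
WORDLIST = ["123456", "password", "qwerty", "letmein", "54321", "monkey"]

# Constructed accounts (not real users, not Gawker's data or scheme).
ACCOUNTS = {
    "alice": "password",
    "bob": "qwerty",
    "carol": "n7#Kq2!vR9zLp@x4",  # not in any wordlist; survives both attacks
}


def unsalted_sha1(password):
    """Fast, unsalted hash: the same password hashes identically for every user."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_pbkdf2(password, salt, iterations):
    """Per-user salt plus a deliberately slow derivation; stored as salt$iters$hash."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{salt.hex()}${iterations}${dk.hex()}"


def dump_unsalted(accounts):
    """What a leaked table of unsalted SHA-1 hashes looks like."""
    return {user: unsalted_sha1(pw) for user, pw in accounts.items()}


def dump_salted(accounts, iterations=20_000):
    """What a leaked table of salted PBKDF2 hashes looks like (fresh 16-byte salt per user)."""
    return {user: salted_pbkdf2(pw, secrets.token_bytes(16), iterations)
            for user, pw in accounts.items()}


def crack_unsalted(leaked, wordlist):
    """Hash each guess once; the resulting table answers for every user in the dump.

    Returns (cracked passwords by user, number of hash computations performed).
    """
    table = {unsalted_sha1(word): word for word in wordlist}
    cracked = {user: table[h] for user, h in leaked.items() if h in table}
    return cracked, len(wordlist)


def crack_salted(leaked, wordlist):
    """Each user's salt forces every guess to be re-derived per user at full PBKDF2 cost.

    Returns (cracked passwords by user, number of PBKDF2 derivations performed).
    """
    cracked, work = {}, 0
    for user, stored in leaked.items():
        salt_hex, iters, _ = stored.split("$")
        salt, iters = bytes.fromhex(salt_hex), int(iters)
        for word in wordlist:
            work += 1
            if hmac.compare_digest(salted_pbkdf2(word, salt, iters), stored):
                cracked[user] = word
                break
    return cracked, work


if __name__ == "__main__":
    print("unsalted SHA-1:", crack_unsalted(dump_unsalted(ACCOUNTS), WORDLIST))
    print("salted PBKDF2: ", crack_salted(dump_salted(ACCOUNTS), WORDLIST))
```

Both runs recover alice's and bob's passwords and fail on carol's, which is the lesson for users: hashing does not rescue a weak password. The difference is the cost: the unsalted table needs one hash per guess regardless of how many accounts are in the dump, while the salted, iterated scheme needs one slow derivation per guess per account, which is what makes cracking a 1.5-million-row table expensive rather than trivial.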

“We understand how important trust is on the internet, and we’re deeply sorry for and embarrassed about this breach of security—and of trust,” said Lifehacker. “We’re working around the clock to ensure our security (and our commenters’ account security) moving forward. We’re also committed to communicating openly and frequently with you to make sure you understand what has happened, how it may or may not affect you, and what we’re doing to make sure this never happens again.”

If you have ever commented on any of the Gawker sites, we recommend that you go and change your password, and that you also change it on any other site where you used the same one, since the stolen database pairs each password with an email address. What do you think of this rise of Internet hacking groups? Is it better when hacking is done in the dark or when it's out in the public like this and Operation Payback?

Showing 20 comments

  1. That Guy at 5:36am 14th December 2010 Not to be a grammar douche or anything, but ALL hackers may or may not be from 4chan. They ALSO may or may not be Martians from Outer Space, Paris Hilton, or the entire 1972 Miami Dolphins football team. Just saying.
  2. @JeffreyVC at 8:02am 13th December 2010 Yep. For those wishing to know more, I'd recommend clicking the link to Mediaite, which delved more deeply into the technical details of the hack and has many more quotes from the hackers themselves, who contacted the site. I am no security expert, nor do I claim to be, but attempted to sum up the news as best as possible. The group is not a part of 4chan, but mention 4chan several times. I also did not label 4chan an "attack site," though I did call it the Internet equivalent of a pirate island. Not a software pirate island, but someplace Jack Sparrow would hang out and have a drink. The board is an interesting place. I have no problem with 4chan.
  3. Bob at 7:37am 13th December 2010 In reply to Jane: it appears that Gawker only stored the hash value in their database. The hash values are still somewhat useful since the hacker can then attempt to guess your password, hash the guessed password, and then compare the two results. If they match then the hacker knows your password. This is how they were able to find out all the users whose password was "password": they hashed "password" and the result matched several of the stored hashes in the database.
  4. putti at 7:34am 13th December 2010 As far as I can tell 4chan is just a good site to see some good poontang or maybe some triforce.
    1. amidoinitrite at 1:20pm 13th December 2010   ▲ ▲ ▲
  5. Jade at 7:34am 13th December 2010 They have clearly said that the passwords were encrypted: "The passwords were encrypted. But simple ones may be vulnerable to a brute force attack...", and most probably hashed indeed. So it seems that after the bad guys got hold of the passwords file they were still able to decrypt it. Don't say they had it in plain text, no one will believe that.
  6. dash at 7:23am 13th December 2010 Well as a source tells me, #gnosis have strong ties with Anonymous, they're like a cell, their members are made up of 4chan/7chan/711chan/420chan members. And the source is very close to one of the said people.
  7. Jane at 7:18am 13th December 2010 You can always tell when a site doesn't know the least bit of info about passwords, encryption, or security. Sites should *N*E*V*E*R* store anyone's password anywhere. They should instead store a simple 1-hash value of your password. Even if hackers get hold of the password file, they will never be able to use it... or even ever determine what your original password was. We can even make our site's password file totally public... and it's still fully safe. My stored encoded password is: 98iuy2hj323g23jksdjfkj25434kj23lsdjfskdj23llkjhhsjsl1y1y1t2g3t What's my actual password? You can never determine it. There's no "decoding" possible, because there isn't any.
    1. Amit at 7:27am 13th December 2010 1-hash value password. I'm interested in reading more about it. Do you have a link? And how does the website authenticate then?
      1. Jason Bunting at 7:41am 13th December 2010 Google salted one-way hash, you should find what you are looking for.
        1. Amit at 10:47am 13th December 2010 Thanks
    2. Cam Proudlock at 7:44am 13th December 2010 Typically you're right when it's just a database dump, but they got the source code as well, which includes the very thing that can decode your password. It is possible.
      1. Cam Proudlock at 7:49am 13th December 2010 Let me correct that phrase: not so much possible to decode, but very possible to brute force. Most people use a "key" to encrypt their users' passwords further; however, once that keyword is found (usually hardcoded in a server-side script, aka the source code) it can easily be brute-forced, especially since 80% of the internet has a password like "qwerty" or "54321".
  8. Joe at 7:08am 13th December 2010 Since when is 4chan bad? Oh well, down goes another website, another point to the hackers and/or programmers lol
  9. ColdBlood at 6:58am 13th December 2010 I don't think this has anything to do with 4chan, Anonymous, Operation Payback or whatever. Anonymous/4chan are not elite hackers like the media seem to think. Operation Payback is done by a downloadable program; no complex skills or knowledge is needed. This is a real hack where the security has been breached, not a bandwidth issue like Operation Payback. As for the commenter above, /b/ has done raids for years, but proper hacking not so much.
  10. anon at 6:56am 13th December 2010 Don't go putting 4chan's name in this without evidence. Especially since the group isn't even Anonymous.
    1. antonymous at 8:48am 13th December 2010 It's already proven this has no links to 4chan. Having read their raw output file I can tell you they painstakingly say they are not Anon or 4chan, though they do give "shout-outs" to both. However, in their file they also seem linked to 4chan, as they respond to Gawker's mockery of said chan: "Fuck you gawker, hows this for "script kids"?" But then again this could be a reaction to Gawker being so cocky about 4chan/hackers after the failed attempt over the summer. Just like Anon and Operation Payback were ongoing before Cablegate, but later incorporated it because they felt it was vital to their overall campaign for internet freedom/neutrality, I believe this is what's happening here. Sure, Gawker beat a few unorganized trolls over the summer, but being arrogant about it only served to attract a much more organized group.
  11. anon at 6:47am 13th December 2010 Since when is 4chan an "attack site"?
    1. brad at 7:00am 13th December 2010 apparently after they talk too much S... Looks like they were retaliating to some sort of memo or post of some kind.
      1. akleos at 1:16pm 13th December 2010 4chan is full of cancer.