Last week, somebody broke into Gawker.com and stole 1.3 million account names, e-mail addresses, and passwords — and then posted all the booty on the Internet.
Your online security might not be at the top of your mind this time of year, but most likely you’re doing more Internet shopping. In light of the Gawker break-in, take a few minutes to assess your passwords.
Think you’re immune because you’ve never used Gawker? Not necessarily so. If you’ve spent any time at all on Lifehacker.com or Gizmodo.com — and I bet you have — your passwords may be running around with a giant “kick me” sign on their backs.
A group calling itself Gnosis broke into the Gawker.com servers and stole the site’s source code, employee e-mails, user account info, and much more. Gnosis then rolled that data into a BitTorrent file and sent it pinging around the Internet. According to a Mediaite.com story, the Gnosis hack was meant to rattle Gawker’s self-deluded sense of data security.
If that were the whole story, you probably wouldn’t need to give it a second thought. But Gawker Media Network, owner of Gawker.com, also runs two widely used tech sites: Lifehacker.com and Gizmodo.com. The Gawker crackers picked up user info about everyone who has an account at any Gawker Media site.
In addition to user names and e-mail addresses (used to confirm the registration), the stolen data includes DES-encrypted passwords (DES is the Data Encryption Standard). DES encryption is not terribly difficult to break, as a posting by the Intrepidus Group explains in detail. In fact, more than half of the passwords have already been cracked. Duo Security posted a list of the 250 most common, already-cracked passwords — led by the insanely simple “123456” and “password.”
Weak password security can be costly
While perusing the list is entertaining, the important lesson here is about password use. For example, let’s say you posted a comment on Lifehacker a few years ago. To post the comment, you had to give an e-mail address and password — which, at this very moment, somebody might be decrypting. Now let’s say you’re sloppy and using the same password for PayPal you used for Lifehacker. If a cyber thief has the foresight to sign on to PayPal with your e-mail address and cracked password, you can kiss your PayPal balance good-bye.
If there’s the remotest chance you’ve posted a comment on Lifehacker.com or Gizmodo.com, go immediately to Duo Security’s “Did I get Gawkered” site and enter your e-mail address. (See Figure 1.) If your name’s on the list, change your passwords!
Figure 1. Enter your e-mail address into Duo Security’s “Did I get Gawkered” site and find out if your address and password are compromised.
You, of course, would never use the same password on two different sites. But just in case, now would be a good time to review the strength of all your passwords. In a future column, I’ll tell you about my two favorite password managers and show you how they could’ve saved you from a Gawk attack.
Woody Leonhard’s latest books — Windows 7 All-In-One For Dummies and Green Home Computing For Dummies — deliver the straight story in a way that won’t put you to sleep.