1.3 million Gawker emails and passwords available in a torrent

By on December 14, 2010, 4:00 PM
Gawker Media suffered a massive security breach on Sunday night after the email addresses and passwords for more than a million members leaked online. A hacker group dubbed "Gnosis" has claimed credit for publishing the information, which is now available as a 487MB torrent download.

"We understand how important trust is on the internet, and we're deeply sorry for and embarrassed about this breach of security -- and of trust. We're working around the clock to ensure our security (and our commenters' account security) moving forward," the blog network said in a FAQ post Sunday.

Users who log into Gawker sites via Twitter or Facebook don't have to worry about their data, and while all of the standard account passwords were originally encrypted, nearly 200,000 weak ones have already been decoded. The WSJ has analyzed the cracked passwords, revealing a scary trend.

As we've seen in previous leaks, some of the most popular passwords can hardly be considered passwords at all. More than 3,000 of the decrypted passwords were simply "123456". Nearly 2,000 other accounts were 'protected' by "password", while more than a thousand used "12345678".

Hundreds of other users chose clever safeguards such as "qwerty", "0", "letmein", "passw0rd", and "trustno1" (a reference to the X-Files). If you're bored, The Wall Street Journal has published an anonymized list of the 188,279 cracked passwords on Google Fusion Tables.

All Gawker members should change their password immediately for safety's sake, and you can use Slate's widget to determine if your account has been compromised. Folks using passwords like "123456" outside of Gawker should exercise a little preemptive damage control and change those, too.
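A sign-up-time screen that would refuse the passwords named above, including leetspeak and case variants of them, as an added example that is not part of the original article. The leetspeak table, the eight-character minimum and all function names are assumptions chosen for illustration.

```python
import unicodedata

# Passwords the article names as cracked; a production denylist would be far larger.
ARTICLE_WEAK = {"123456", "password", "12345678", "qwerty", "0",
                "letmein", "passw0rd", "trustno1"}

# Assumed leetspeak folding table (illustrative, not exhaustive).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
MIN_LENGTH = 8  # assumed policy minimum


def fold(pw: str) -> str:
    """Normalise Unicode look-alikes (e.g. full-width digits) and ignore case."""
    return unicodedata.normalize("NFKC", pw).casefold()


def canonical(pw: str) -> str:
    """Fold, then undo common character swaps so 'P@ssw0rd' equals 'password'."""
    return fold(pw).translate(LEET)


# Denylist stored in canonical form so every variant collapses to one entry.
DENY = {canonical(p) for p in ARTICLE_WEAK}


def is_run(folded: str) -> bool:
    """True for one repeated character or a forward/backward keyboard-row run."""
    if len(set(folded)) == 1:
        return True
    return any(folded in row or folded in row[::-1] for row in KEYBOARD_ROWS)


def screen(pw: str) -> list:
    """Return the reasons a candidate is rejected; an empty list means accepted."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append("too short")
    if canonical(pw) in DENY:
        reasons.append("matches a known-cracked password")
    if is_run(fold(pw)):
        reasons.append("keyboard or digit run")
    return reasons
```
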

User Comments: 20

lawfer, TechSpot Paladin, said:



lchu12 said:

One word: "owned"

Emin3nce said:

I mean, figuratively

0n3tw0thr33f0uRF1v3s1XXX is a good password... but, **** you leetspeak.

mario, Ex-TS Developer, said:

My account was compromised, I even downloaded the torrent to recheck

KarbonKopy said:

They got mine, but only my username and email, my password is just gibberish. Good luck cracking that heh....

trparky said:

You mean to tell me that the passwords weren't encrypted? WTH?

Matthew, TechSpot Staff, said:

"Users who log into Gawker sites via Twitter or Facebook don't have to worry about their data, and while all of the standard account passwords were originally encrypted, nearly 200,000 weak ones have already been decoded. The WSJ has analyzed the cracked passwords revealing a scary trend."

madboyv1, TechSpot Paladin, said:

I don't log into any of those sites, but it's still scary stuff. The 12345/123456 passwords remind me of Spaceballs... lol

Guest said:

First they expose my password to hackers, then when I go to delete my Gawker account (which I haven't used in ages), I get the following:

"We understand how important trust is on the web, and some of you may wish to delete your Gawker Media account. Currently account deletion is not available. We will, however, give you this option as soon as possible."

Which I translate to:

"We understand how important it is for us to keep our numbers up, and we're scared s---less that a significant portion of our readership is going to abandon us, so we're not going to allow them to do so."

Nice ethics, Gawker

Guest said:

They won't allow account deletion probably because who knows who might have access to your account (passwords were stolen right?) and delete it.

Matthew, TechSpot Staff, said:

Aye. I'm sure there are plenty of reasons why they wouldn't let you delete your account at the moment. Slow down on the assumptions and be patient.

madboyv1, TechSpot Paladin, said:

The most likely reason they don't want people deleting their accounts is since the user data is floating out there, anyone who can decrypt passwords or has a list of decrypted passwords could go to the site and start mass deleting users as an act of vandalism.

Locking the delete function is likely to keep that from happening, though I suppose such a measure is a shoddy one at best, and those who have control over compromised users can vandalize these sites with spam/ad posts... it's basically a lose lose unless they can come up with a way to figure out which user/computers are the legitimate owners of the account.

Also, this comic is quite relevant lol... http://xkcd.com/792/

edit: that's what I get for sitting in the post reply page for an hour... lol

Kibaruk, TechSpot Paladin, said:

I find this more than good, first to let the companies that manage our passwords and private data to keep security at bay and not take anything for granted, on the other hand a facepalm for dumb users who think their passwords are clever, the only thing that's left right now is iamgod or superuser or crap like that.

I once read a good way to make secure passwords and that way is to think of a phrase like... My birthday is January 10 and I was born on 1990, and get first letters and numbers, MbiJ10aIwbo1990 for example.

Guest said:

Just adding an uppercase letter, or a symbol or a mix of letter and numbers would make a huge difference, even to these simple passwords. It seems though like passwords may no longer be the best way to secure logins. Maybe we need to use certificate based logins or some other method.

j05hh said:

rofl, I can't help but laugh at people who choose passwords like 123456 or "password" common people. Get with the 20th century.

Guest said:

Damn and I was so sure my password was on the list. So what the hell was it? I hope they crack it soon lol.

Zilpha said:

We just need another "Hackers" movie to raise awareness. I don't see love, sex, secret or god on there.

But still - just wow. How can people really be that careless?

demonlord721 said:

For those of you who got the message "Deletion of accounts is no longer available" that is for your protection not for Gawker's statistics, if the hacker decided to they could have gone in and deleted everyone's accounts.

Guest said:

How is a hacker deleting my account worse than a hacker using my account to spam the comment forums? If I keep my account and use a new password, why should I trust Gawker to protect the new password on my account better than they did the last one? I want out. Let me out.
