Nick Douglas holds up a sign saying 'change your password' on Nick Denton's Flickr account

If you've got a commenter account on any Gawker Media site, change your password. Gawker Media's entire commenter database was hacked on Saturday by a group called Gnosis, and over 250,000 passwords were posted on The Pirate Bay.

To make matters worse, Gnosis posted a link to the files on Gawker's homepage. Hundreds of people have now downloaded them. The entire database of 1.2 million or so usernames and passwords is also online, just waiting for someone to decrypt the rest – with widely available software, says a source.

Below, we'll explain what everyone needs to worry about, and how Urlesque editor Nick Douglas took over Nick Denton's Flickr account.

[UPDATE: Read Gawker's FAQ.]

Sunday afternoon, a rumor went around that Gawker's commenter accounts had been hacked. Gawker's director of editorial operations Scott Kidder tweeted:
There's no evidence to suggest any Gawker user accounts were compromised, and passwords encrypted / not stored in plain text anyway.
Soon after, the hackers posted the list of accounts and passwords, then linked to it from Gawker's own site. Kidder had been gravely mistaken, and now hundreds of thousands of commenters are in danger of identity theft.

What Happened?

The leaked passwords have been confirmed as legitimate (see below), and Gnosis also hacked into the site's backend – where they put up a bogus post using the account of Adrian Chen, Gawker's blogger on the 4chan beat.

Gnosis claims that Gawker's security has been beefed up since the initial attack, but the real danger here is that the exposed commenters used the same email/password combinations on more important accounts, like their banks and email. (Hopefully the 1,959 people whose password was "password" weren't using the same brilliant choice on their Hotmails.)

Anonymous commenters who used identifiable email addresses could also have their identities exposed, which pretty much defeats the purpose of allowing anonymous comments.

Gawker head honcho Nick Denton is one of those who reused his Gawker password elsewhere, as Urlesque editor Nick Douglas found out when he logged into Denton's Flickr account using info from the leaked database.

As you can see in the image below, Douglas posted a photo that both proved the password had been leaked and warned Denton's contacts to change their own. He then changed Denton's password and sent him the new one [I'm a nice guy! – Ed.]. Denton responded by email: "Cheeky!"

It's actually quite a serious situation, though. This could happen to anybody who used the same password on Gawker and another site. Gmail and Facebook accounts could be compromised. Even more troubling are the .gov and .mil email addresses on the list. We can only hope those folks had the good sense to use unique passwords on Gawker.


It's good that Denton is taking it well, but this definitely calls into question the wisdom of inviting hackers to attack your media empire when your own passwords aren't even secure. In fact, a member of Gnosis says in an interview with Mediaite that "we went after Gawker because of their outright arrogance."

Gawker has a history of taunting Anonymous, the hooligans of 4chan's /b/ board who helped bring down the Visa and Mastercard websites with a DDoS attack last week. Last month, Gawker mocked 4chan's internet catfight with Tumblr, and just days ago, Gawker's Adrian Chen posted "The Top Three Myths About Anonymous." Chen argued that Anonymous lacks any real hacking skill and barely has the brains to operate point-and-click DDoS apps. Gnosis, the group behind the Gawker hack, isn't affiliated with Anonymous, but it took issue with Gawker's dismissive attitude toward Anon and hackers in general, and decided to send a message.

Apparently, Gnosis had also begun monitoring the Gawker editors' internal Campfire chatroom, and saw the editors suggesting joke headlines like, "Nick Denton Says Bring It On 4Chan, Right to My Home Address (After The Jump)" and "We Are Not Scared of 4chan Here at 210 Elizabeth St NY NY 10012."


What Happens Next?

According to an independent security expert, it's hard to tell what the point of entry was in the Gawker attack. Because staff reused passwords and kept plaintext passwords in their Campfire account, there were multiple places a hacker could have found a way into the Gawker user database and the CMS. Our source recommended that Gawker update its password-hashing algorithms immediately, conduct a security review, and possibly bring in third-party security consultants. This is probably sound advice, considering that this isn't Gawker's first major security failure.
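Two of the problems this story turns on, the 1,959 accounts protected by "password" and the recommendation to update the password-hashing scheme, have a standard defensive fix. The example below is added here and is not Gawker's code; the legacy unsalted MD5 scheme, the PBKDF2 parameters and the short list of common passwords are all assumptions constructed for illustration. It rejects passwords known from public leaks, stores new ones with a per-user salt and a slow KDF, and transparently re-hashes a legacy record the next time that user logs in.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for a "most common leaked passwords" list; a real deployment
# would load the actual top-N list from a breach corpus.
COMMON_PASSWORDS = {"password", "123456", "12345678", "qwerty", "lifehack"}

PBKDF2_ITERATIONS = 200_000  # assumed cost; tune to ~100 ms on production hardware


def legacy_hash(password):
    """Unsalted, fast hash standing in for a weak pre-2010 scheme (assumption, not Gawker's)."""
    return hashlib.md5(password.encode()).hexdigest()


def strong_hash(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256, self-describing so the cost can be raised later."""
    salt = salt or secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_strong(password, stored):
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)  # constant-time comparison


def is_acceptable(password):
    """Password policy: minimum length and not on the known-leaked list."""
    return len(password) >= 10 and password.lower() not in COMMON_PASSWORDS


def login_and_upgrade(users, username, password):
    """Verify against whichever format is stored; migrate legacy hashes on success."""
    stored = users.get(username)
    if stored is None:
        strong_hash(password)  # spend the same time so unknown users are not distinguishable by timing
        return False
    if stored.startswith("pbkdf2_sha256$"):
        return verify_strong(password, stored)
    if hmac.compare_digest(legacy_hash(password), stored):
        users[username] = strong_hash(password)  # re-hash with the strong scheme in place
        return True
    return False
```

Legacy records that never log in again stay weak, so the migration should be paired with forced resets for dormant accounts, as Gawker's own advice to change passwords implies.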

As for what users can do to make sure their accounts aren't compromised, they can start by following Gawker's advice and changing their Gawker passwords, as well as changing passwords on any other sites where they used the same login credentials. If you think you might be on the leaked list, you can always download the torrent and check for yourself.

Gawker posted a notice across their blog network about the hacked accounts, but they disabled comments. Gawker commenters complained in the last comment-enabled post on the blog. User "dotsandlines" said:
Gawker seems oddly uninterested in telling anybody about it other than the little message above. No mass emails, no twitter or facebook messages, and no commenting on the post about the hack.
Good question! Given the serious nature of the hack, should Gawker email everyone whose account was exposed and warn them that they might lose far more than their favorite Gawker comments?

Denton gave no further comment, but Kidder says Gawker will "be posting a FAQ shortly." As of 1:15 AM, seven hours after Gawker admitted they'd been hacked, "shortly" might not be soon enough for the thousands whose passwords are now up for grabs on the internet.

(As of the next morning, the FAQ is up, no comments allowed.)

Additional reporting by Nick Douglas