The hack of Gawker Media has potentially exposed 1.5 million commenter passwords, many of which were used by the commenters on other social networking sites. The password database has been public for less than a day, and it's already led to stolen Twitter accounts spamming thousands of tweets about acai berries. It got up to 10,000 spam tweets a minute at one point, all coming from accounts exposed in the Gawker hack.
The fallout around the web has been enormous. Forbes has the most thorough summary I've seen so far of how the hack happened and what was stolen. The files leaked to the Pirate Bay contain commenter passwords, Gawker editor passwords, a prototype of an upcoming Gawker.com redesign, and FTP passwords from Gawker's contacts at several media companies. It has also come out that Gawker's passwords were encrypted with DES, an outdated encryption standard that was deprecated almost 10 years ago.
That's bad news for people whose passwords are now public, but encrypted. Cracking them isn't a difficult matter. In fact, a firm called Duo Security has started cracking that list of passwords, in order to analyze the data. They've come up with a list of the most-used passwords, and it's pretty embarrassing. Thousands of commenters were using passwords like 123456, password, trustno1 and letmein.
If you want to know whether your password is included in the file that's going around online, Slate has a tool you can use to find out. It'll also tell you whether your password was exposed in plaintext or whether it was left encrypted. Remember that encryption is no guarantee of safety, and you should change your password either way.
As for Gawker's reaction, Gawker Media boss Nick Denton has been in the comments apologizing and explaining the situation. Apparently, Gawker wasn't aware that the entire password database had been compromised until after other sites went public with it. At first, Denton thought just the Gawker staff's emails and Twitter accounts had been hacked. As an apology, he offered this photo of himself and Gawker CTO Tom Plunkett looking duly penitent:

Personally, I had something like this in mind as a Denton apology photo:

In all seriousness, though, Denton says he plans to invest in security consultants in the future. What happened to Gawker could potentially happen anywhere, though. The big lesson of this whole sad situation is to use different passwords on each site you sign up for, to avoid becoming the next unintentional acai spokesperson.





























