Lifehacker’s publisher, Gawker Media, suffered a severe network breach and the responsible party published the usernames and hashed passwords of 1.24 million readers at Lifehacker and beyond this weekend. 200,000 of those readers’ passwords were decrypted. It’s late on a Sunday night, and already spammers are using the login details to tweet links from Twitter accounts which use the same username and password as the Gawker accounts. Likely this is just the beginning. If you’ve ever had an account on Lifehacker, change your password. If you use the same username and password on other sites like Twitter or Facebook, change it there, too. Here’s Lifehacker’s full FAQ on the situation.
12 Comments
AJ Robins
These days, given how easy it is to have multiple passwords, it really doesn’t make any sense to use the same password more than once. You (Gina) even gave one example of how to do this. I did change my Gawker password, just in case, even though (1) it’s unique to Gawker, and (2) it’s not in a dictionary, even in mangled form. I think the issue here is that, given the availability of hashed passwords, brute-force password guessing might now be viable for many passwords (I’m thinking GPU processing, here).
Siira
Like you tweeted, there are way too many users using dictionary words or very easy to guess passwords. I don’t know what “24862486” means to Nick Denton, but certainly it’s a low security password. I don’t know what #gnosis used to gain access in the first place, but considering the passwords from gawker staff (which are in the readme.txt of that torrent), it could not have been hard to “guess” any of them.
Let it be a reminder for those of us not already using something like Lastpass and using different passwords for every website to get an addon like this and start changing passwords everywhere.
Jimmy Blake
Well, that certainly gave me the push I needed to finally bite the bullet on getting LastPass.
I do have a stupid question though, and I’m not sure if you know or not Gina, but I’m really curious as to whether Lifehacker actually stored passwords in a directly decrypt-able format or if this is a case where hackers got the md5 and salt of each user’s password and were able to brute-force out the likely collisions from there?
If passwords were really stored in a directly decrypt-able format… well, that kind of scares me.
Pies
Another point for federated logins, like Facebook Connect or ‘Sign in with Twitter.’
Seriously though, are they brute-forcing the passwords, or were they stored in a non-secure way?
Gina Trapani
The passwords were stored encrypted, but they were able to brute-force the simplest ones. That’s why 200k of the 1.24M are unencrypted.
Jimmy Blake
Thanks for the clarification Gina. That makes me feel a little more secure about this one, as my password wasn’t exactly a dictionary word, but I’m still glad I’ve generated new passwords through LastPass for everything.
Just a note: you may want to nudge Lifehacker to clarify this one too, as I think the site is looking worse than it has to for this, as the way everything reads at the moment, it was sounding like passwords weren’t hashed and were actually decrypt-able directly instead of through brute forcing them individually.
rogowar
It’s nice they alerted everyone, but I’m unable to change my password, the save fails every time.
Siira
To add to the encryption part. From what I have read, it’s actually DES that is being used. So the passwords are encrypted, but it is an old encryption mechanism.
Nevertheless, it’s always best to keep stuff contained no matter how good the service is in keeping your data private. My policy is to always expect the worst and act accordingly. In this case, using a hard-to-guess password and using Lastpass to help me remember them. 🙂
AJ Robins
Yow, I haven’t been reading the details, but I really, REALLY hope that they weren’t encrypting the passwords, but were using hashed passwords, instead. For passwords, there really isn’t any reason to use an encrypting/decrypting mechanism, and so hashes are more secure. Also, I’d hope that, if hashes were really used, they’d be adding at least one item of salt to each hash; however, given the seeming ease with which so many passwords were apparently brute-forced, maybe not.
AJ Robins
(Responding to myself.) Duh, I need more coffee. I’d forgotten that the entire database was compromised, and so the attackers would have any pieces of salt. Double duh.
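Added example (not code from the post or from Gawker’s systems) of the storage practice AJ Robins describes: a salted, slow password hash that cannot be decrypted, only recomputed for verification, plus a signup-time check that rejects the kind of weak password brute-forced in the breach. The weak-password list and the iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample of weak passwords of the kind the comments discuss
# (dictionary words, number patterns); a real deployment would use a far
# larger list. The staff value "24862486" quoted above is included.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "lifehacker", "24862486", "letmein"}

ITERATIONS = 200_000  # assumed work factor: each guess costs this many HMAC-SHA256 rounds


def is_weak(password: str) -> bool:
    """Reject short passwords and anything on the known-weak list (case-insensitive)."""
    return len(password) < 10 or password.lower() in COMMON_PASSWORDS


def store_password(password: str) -> str:
    """Return a record 'pbkdf2_sha256$iterations$salt$digest' with a fresh 16-byte salt.
    Nothing in the record can be reversed to the password; a check recomputes it."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def same_password_distinct_records(password: str) -> bool:
    """Two users who pick the same password get different records, so one recovered
    digest (or a precomputed table) does not expose everyone who chose it.
    Salt does not rescue a weak password, which is why is_weak() runs at signup."""
    a, b = store_password(password), store_password(password)
    return a != b and verify_password(password, a) and verify_password(password, b)
```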
ouroborosx
People are talking about users using bad passwords but let’s not forget whose fault this is. It’s Gawker’s fault for having such bad security in the first place. How the heck do you get your whole password file stolen? That’s out in the early 90’s.
Lastpass sounds okay, until their password file gets stolen?
I’ll keep doing it my way. A couple of very good passwords for the things that matter and one or two passwords for the throw away stuff like commenting on websites.
But again, how did Gawker have the password file stolen? It’s such a joke.
Beelev
Kind of stunning that the first inkling I had of this was logging into FB, where I was told that someone else had accessed my account last night. How they got from A to B I do not know or understand. Picture, email accounts, etc., all vulnerable. Working backwards I found an email not from Gawker, but from “teamhint”. Gawker’s email showed up 12 hours later. Hard to understand why Gawker/LH/Gizmodo were so arrogant with our information.