How Does The Gawker Privacy Leak Concern Consumerist Users?

If you’ve got an account on Gawker.com or any of its sister sites (Kotaku, Gizmodo, Deadspin and Jezebel among others), you’ll probably want to change your passwords because anonymous hackers have swiped usernames, email addresses and passwords and made them available via a torrent file. And by change your password, we potentially mean all of them. Now.

Because the hackers have been able to decrypt passwords used on the Gawker network, you may be at risk on other sites if you’ve used the same user name and password on those sites. This includes sites like Twitter, Facebook and, yes, Consumerist.

When Consumerist left the Gawker network, passwords were not brought over, and all users were asked to reset their passwords in order to post comments here. However, if you reset your password to the same one you used on Gawker, you should change it here as well.

To change your password, click on your user name in the upper right corner of the page, then go to “Edit My Profile.”

From a Gawker post lamenting the incident:

Our user databases appear to have been compromised. The passwords were encrypted. But simple ones may be vulnerable to a brute-force attack. You should change your Gawker password and on any other sites on which you’ve used the same passwords.

We’re deeply embarrassed by this breach. We should not be in the position of relying on the goodwill of the hackers who identified the weakness in our systems. And, yes, the irony is not lost on us.

Anonymous Hacks Gawker Media Properties in Support of WikiLeaks? [Village Voice via Slashdot]

Commenting Accounts Compromised — Change Your Passwords [Gawker]

Comments


  1. spindle789 says:

    The internet, how does it work?

  2. SomeWhiteGuy says:

    Meh. I use a small subset of passwords/usernames for social media and blog sites (like this one) but a completely different set of emails, passwords for my important stuff like banking and consumer stuff. What surprises me is that they haven’t thought of including a way to delete accounts, but have chastised facebook for burying the link to delete accounts in their FAQ.

    • magus_melchior says:

      I’ve looked at the dump, and the authentication security is horrendous: passwords are truncated to 8 characters.

      In other words, it doesn’t matter if your password is 32 characters long, because the database and/or application cuts off the trailing 24.

      That might be a result of an optimization decision, but it makes it much easier to crack the passwords.

      • FatLynn says:

        But wouldn’t it then mean that the password couldn’t be used elsewhere?

        Like, if your password was “mymiddlename”, and they only used “mymiddle”, wouldn’t that prevent the hackers from using your password at site where it is “mymiddlename”?

      • GuyGuidoEyesSteveDave™ says:

        Not sure if that is true. I have a 10 character password and have entered the first 8 correctly, and messed up on the last two, and was given an incorrect login message.

        • Shadowfax says:

          Are you talking about your Gawker password, or your current Consumerist password. Presumably the reason we had to change our passwords when Consumerist left gawker is because the password database changed, which means it may no longer have the 8-character limit.

      • Rena says:

        Eugh! Tell me they’re at least using DES.

        I use ridiculously long randomly-generated passwords stored in an encrypted database. (You might say I make my own passwords at home?)

  3. Mr. Fix-It says: "Canadian Bacon is best bacon!" says:

    Might start up another throwaway e-mail account. Other than that, I’m not particularly concerned, as Gawkernet doesn’t have any information that couldn’t be obtained from elsewhere, like Fasebawk.

    • Kevin411 says:

      I didn’t think I had a Gawker account and didn’t do anything. Now, 11 hours after this Consumerist article was released, I just received an email from Gawker that I do and should change my passwords. Thanks for the prompt heads-up there folks. I’m glad Consumerist broke away.

      • David in Brasil says:

        My Yahoo account was compromised last night. I’ll spend a good chunk of the day changing passwords.

  4. LeonardoLeonardo says:

    “Because the hackers have been able to decrypt passwords used on the Gawker network”

    I’m pretty sure they’re saying that the passwords that were dumped were encrypted, but simple ones CAN be brute-forced. And, realistically, all of them can probably be brute forced with enough time and resources, depending on the encryption scheme. Still, in general, it’s good practice to use a complicated password as if someone WILL get the encrypted version.

    • freelunch says:

      as I understand it, the gawker network is using DES with only the first 8 characters of your password captured and encrypted.

        This is 1980s-style security…. totally awesome.

      • racshot65 says:

        I can’t tell if you’re joking. Please say you are?

      • Mobius says:

        From the hacker’s “manifesto”

        “Gawker uses a really outdated hashing algorithm known as DES (Data Encryption Standard). Because DES has a maximum of 8 chars, using a password like “abcdefgh1234” only the first 8 characters “abcdefgh” are encrypted and stored in the database. If your password is longer than 8 characters you only need to enter the first 8 characters to log in!

        YA DONT SAY!! :D?

        Because of this we were only able to recover the first 8 characters of someone’s password! If the password is 8 characters long there’s a good chance that it might be longer than 8 characters! But still, there’s 1000s of people using 1 – 8 character passwords for us to have some fun with!”

        What this means is they can brute force the first 8 characters of ALL the passwords. Some people may have been providing longer ones thinking it would make a difference. If your password was 123456789, you could type 12345678 and still be able to log in. The decrypted output would only show 12345678, which wouldn’t help a hacker log into another account of yours on a site with more sophisticated password handling.

    • Michael Belisle says:

      There is a file in the torrent with about 200,000 plaintext passwords, presumably found by brute force. If your password was easy (e.g. six or fewer characters, a dictionary word and number combination) it’s already out.

  5. Ouze says:

    I already keep one set of credentials for “untrusted” sites, another one for my banking stuff, and finally, a separate one used for my email, none of which are the same.

  6. SiddhimaAmythaon says:

    lastpass.com and spamex.com for the win.

    • notovny says:

      Aye. Quickly confirmed that my Gawker Media password was unique in my password stable, as I’ve been using unique randomly-generated passwords for any and all non-critical accounts. Changed it anyway, of course.

      Even if you aren’t willing to trust a password manager with your most sensitive accounts, I’d say they’re worth it to completely eliminate the temptation to reuse those or other passwords on non-critical accounts of unknown or dubious security.

  7. racshot65 says:

    Why were they not being stored as salted hashes?

    • Raekwon says:

      They were stored encrypted but the hackers have already cracked all the admin ones and anyone who wants to can download the hashes off bittorrent and crack those. It’s really not that hard. Some more complex password however may take a while.

      • racshot65 says:

        But if you salt them with a random 64 character salt then put them through SHA256

        It doesn’t matter how crappy someone’s password is from a hash-cracking standpoint, as you have the super random 64 character salt in front?

        • Shadowman615 says:

          They also had access to the source code (according to the mediaite article) which means they would have known the salt.

          • scottboone says:

            Umm, no. The “salt” should be randomly created for EACH password created. As Racshot65 pointed out, by using a 64-bit salt and a sufficient encryption function, the “effort” to brute-force a password becomes (at current tech levels) pointless. Using a single salt for all passwords stored on a system would be dumb, since that would basically not make it a “salt” anymore.

            • Terron says:

              If you have access to the database, then you will have the salt (it has to be stored in order to verify the user’s legitimate logins, after all).

              Salting protects against rainbow table attacks (pregenerated hash tables) which will protect the group as a whole, but if they really want a particular person’s account and that person has a crappy password (such as, say, an 8 character password)

              • racshot65 says:

                Yep, and it also prevents recognition of the same passwords within the database: even if two people use “cat”, when combined with the unique salt it will produce a different password.

            • Shadowman615 says:

              OK, but even with a random salt for each password it still has to be stored somewhere.

        • Raekwon says:

          Common simple passwords are still easy to brute force. 2700 people at least used ‘password’ as theirs. The site was also not using anything near as strong. I have heard they used DES on the first 8 characters.

    • Shadowman615 says:

      This was the first thing I thought about? From reading the mediaite article about it with statements from one of the hackers it would seem all the passwords were stored in plaintext in the database. They also commented that gawker seemed to have the worst security they’ve ever seen, so I guess that’s fitting.

      I can’t believe they didn’t bother to even take that single precaution though. That’s password security 101. You have no business creating a public-facing site that stores usernames and passwords without at least following basic procedures like that.

    • Overheal says:

      In all likelihood they were. But salted hashes are demonstrably penetrable. Boards.ie was the victim of a similar hack attack in the first half of the year. They also used a salted hash on our passwords but the table was still stolen, and eventually decrypted inside of a day, or two at most. Several people got stung financially when they lost control of email and paypal accounts.

      • racshot65 says:

        As I posted before, if you used a random 64 character salt and a strong hashing algorithm then there’s so many possible combinations you can’t brute force them before the sun dies, independent of how crappy a user’s password is.
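As an added example (not code from the thread, from Gawker or from any commenter), the following Python models the two points argued in this sub-thread and in the quoted hackers' note above: the 8-character truncation (so a 9-character password and its 8-character prefix verify as the same password), and the difference between an unsalted store, where every account that shares a password also shares a stored hash, and a per-user random salt with PBKDF2. It uses SHA-256 of the 8-character prefix as a stand-in for DES-crypt rather than real DES, and the sample accounts and the helper names (`legacy_store`, `hardened_store`, `duplicate_hash_groups`) are constructed for illustration.

```python
"""Added example: unsalted prefix-truncated storage versus per-user salted PBKDF2.
legacy_store() is a stand-in for the DES-crypt truncation described in the thread
(SHA-256 of the first 8 characters, because real DES is not the point here);
hardened_store()/hardened_verify() and the sample accounts are constructed."""
import hashlib
import hmac
import os
from typing import Optional

PREFIX_LEN = 8            # the 8-character limit the hackers' note describes
PBKDF2_ROUNDS = 100_000   # illustrative; tune upward (or use Argon2) in production


def legacy_store(password: str) -> str:
    """Unsalted digest of the first 8 characters only (stand-in for DES-crypt)."""
    return hashlib.sha256(password[:PREFIX_LEN].encode()).hexdigest()


def legacy_verify(password: str, stored: str) -> bool:
    return hmac.compare_digest(legacy_store(password), stored)


def hardened_store(password: str, salt: Optional[bytes] = None) -> str:
    """Per-user random salt plus PBKDF2-HMAC-SHA256. The salt is stored next to
    the digest, which is fine: its job is to make every account's hash unique,
    not to stay secret."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def hardened_verify(password: str, stored: str) -> bool:
    _algo, rounds, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest.hex(), digest_hex)


def duplicate_hash_groups(records):
    """Usernames grouped by identical stored value. With an unsalted scheme a
    group of size > 1 means cracking one password exposes every account in it."""
    groups = {}
    for user, stored in records:
        groups.setdefault(stored, []).append(user)
    return [users for users in groups.values() if len(users) > 1]


# Constructed sample accounts (not taken from the dump).
SAMPLE_ACCOUNTS = [
    ("alice", "123456789"),   # 9 chars: only "12345678" survives truncation
    ("bob", "12345678"),
    ("carol", "monkey"),
    ("dave", "monkey"),       # same password as carol
]


def demo() -> dict:
    legacy = [(user, legacy_store(pw)) for user, pw in SAMPLE_ACCOUNTS]
    hardened = [(user, hardened_store(pw)) for user, pw in SAMPLE_ACCOUNTS]
    return {
        # alice's 9-char password accepts its 8-char prefix under the legacy scheme
        "legacy_prefix_logs_in": legacy_verify("12345678", legacy[0][1]),
        "hardened_prefix_logs_in": hardened_verify("12345678", hardened[0][1]),
        # shared passwords collapse to shared hashes only when unsalted
        "legacy_duplicate_groups": duplicate_hash_groups(legacy),
        "hardened_duplicate_groups": duplicate_hash_groups(hardened),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows `alice` and `bob` (and `carol` and `dave`) sharing one stored value under the legacy scheme and none under the salted one, which is the whole of the "one crack unlocks everyone with that password" point: the salt does not have to be secret, it only has to differ per account, and the slow KDF is what makes a dictionary pass expensive even against the weak passwords on the list.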

  8. SkokieGuy says:

    Please accept this as notice that all posts under my name with misspellings and grammatical errors were posted by hackers who have illegally accessed my Consumerist account.

  9. crazedhare says:

    Coming off this news, I would like to delete my Consumerist and Gawker media conglomerate profiles. The Gawker mafia is not giving folks the option to do this, though they vaguely seem to suggest they might. Any sense of how to do that through Consumerist?

    I’d like to use this as an impetus to stop wasting time on this stuff. It’s a major procrastination issue for me, and I’ve even been procrastinating closing up the accounts. Now that there’s an issue, it’s a good time. Go into 2011 without all this nonsense.

    • gStein_*|bringing starpipe back|* says:

      you do know that consumerist is no longer a part of Gawker, right?
      consumerist readers are only affected if they have an account at one of the other gawker sites, or signed up with consumerist before it was transferred to Consumer’s Union control.

      • crazedhare says:

        Yes, I do. So can you answer the question I actually asked?

        • Shadowfax says:

          Even if we knew the answer, which beyond calling up the Consumerist and telling them “Revoke my access to the site” we don’t, why do you think it would do any good.

          You don’t seriously think web entities actually physically delete all data when you cancel your account, do you? The data is still there for recordkeeping purposes and on message boards so that your posts remain and don’t screw up the flow of discussion. If you want to, erm, “delete,” your account, change the password to a long random string and don’t write it down. It’s just as effective as the supposed “delete” button.

          • crazedhare says:

            “I’d like to use this as an impetus to stop wasting time on this stuff. It’s a major procrastination issue for me, and I’ve even been procrastinating closing up the accounts. Now that there’s an issue, it’s a good time. Go into 2011 without all this nonsense.”

          • crazedhare says:

            Also, with password recovery if the account remains open the password can just be resent. It would be better for me to not have an account. If they can’t delete it for me, I’ll just spam comments or threaten someone and get it banned or something.

            • Shadowfax says:

              So you’re going to disrupt other people’s property in order to force them to help you wean yourself off the internet? Digital suicide by cop. Seems to me you’d be better off taking care of the procrastination problem yourself rather than trying to force the rest of society to handle it for you.

              • crazedhare says:

                What the hell are you talking about? Consumerist disables commenting accounts all the time, it appears to cause them no disruption whatsoever.
                At any rate, I have sent them an email with the request.

              • crazedhare says:

                Also – removing access to time wasters *is* me dealing with the procrastination problem. Just like someone starting AA pours out their liquor, rather than keep it around as a temptation.

                • Shadowfax says:

                  Yes, I understand that. But the alcoholic pours out their own liquor. They don’t call The Consumerist to come pour it out for them.

                  If your particular issue is, as you say, one of self control, then expecting the world to set itself up to eliminate your chances of losing control does not address the issue.

            • notovny says:

              So change the recovery address to a nonexistent address (Consumerist doesn’t check) then scramble the password as mentioned above.

              • crazedhare says:

                Eh, honestly, between the three options of having Consumerist take care of it, getting the account banned, and bizarre gymnastics where it remains open but inaccessible, the latter wouldn’t be my first choice. But it’s definitely a step in the right direction.

    • minjche says:

      According to this …

      http://gizmodo.com/5712981/commenter-qa-were-here-to-help

      … the tech folks behind Gawker are working on a feature to delete your account. There’s no word on when it’ll be available.

      I hope you don’t delete your Consumerist account though, I like your comments!

  10. El_Fez says:

    Hey! My laziness pays off! WOO! Some time ago, I started posting from a new computer that didn’t have my password saved, so I had it reset to whatever temporary random string Gawker sends you – and I never did set it back to my “normal” password.

    So huzzah! I’m safe!

    • chiieddy says:

      Your password was still grabbed and you’ll want to change it from whatever it was yesterday on Gawker’s site to something new.

  11. chiieddy says:

    KeePass for the win. I was able to confirm my email was on the list of compromised accounts. Gawker hasn’t been very forthcoming, but Twitter’s @spam account was reporting linked Twitter accounts were being used for the acai berry worm. So, you’ll want to change your password on any accounts you had linked on Gawker. For good measure, I changed my gmail account password as well.

  12. Thomas Palmer says:

    supergenpass.com FTW!!!

    Basically it is a bookmark that has javascript in it and it uses the website’s URL to salt a “Master” password and automatically fills in the password fields.

    • Oranges w/ Cheese says:

      Just use passwordmaker’s firefox addon.

      • Thomas Palmer says:

        This javascript bookmark can be used in any browser, and they have a mobile page on their website to use on handheld devices.

        While Firefox is my browser of choice, I try not to limit my possibilities.

  13. racshot65 says:

    Anyone reading this and not using super strong unique passwords for any site should really look at LastPass
    http://lastpass.com/

    Steve Gibson looked at the security of it on an episode of Security Now and gave it the thumbs up
    http://twit.tv/sn256

    • scottboone says:

      I agree. It boggles my mind that the OS communities haven’t all adopted a common framework for doing this. Right now, the biggest headache for me and using LastPass or SuperGenPass is my iPhone. If I’m on the road and need to access something, having a crazy/big/secure password can be a p-i-t-a. I simply don’t understand why the OS doesn’t do the work for me.

      • Ricky says:

        Export your Lastpass passwords to a csv file. Then (after you adjust the columns to match) import into Keepass. You can then export your Keepass database file to the iphone Keepass app. I do this on an android phone with dropbox to keep the database file synced.

      • notovny says:

        Lastpass offers bookmarklets for your mobile browser (or other javascript-using browser) if you don’t want to pay, and mobile apps if you do.

    • mac-phisto says:

      I use a keygen now (keepass) & change both master & site-specific passwords at least 4x/year, but my main complaint is that most sites don’t support password strength above what – 40 bits; 64 if you’re really lucky? Most of the sites I use (banks included) don’t support full-range ASCII, want less than 10 (or maybe 12) characters & there are still many sites that don’t even distinguish case. These all dramatically increase the likelihood that your password – no matter how random or secure – can be hacked.
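Added example (not from the thread or from any commenter): a manager-style random password generator with an entropy estimate that shows how much the length, character-set and case limits described in the comment above cost. `SiteLimits`, the two constructed limit sets and the function names are assumptions for illustration, not any real site's policy; the entropy formula is the standard length times log2 of the alphabet size for a uniformly random string.

```python
"""Added example: a manager-style random password generator with an entropy
estimate under a site's length and character-set limits. SiteLimits and the two
limit sets below are constructed for illustration, not any real site's policy."""
import math
import secrets
import string
from dataclasses import dataclass
from typing import Optional

FULL_ASCII = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


@dataclass(frozen=True)
class SiteLimits:
    max_length: int
    alphabet: str               # characters the site accepts
    case_sensitive: bool = True


def effective_alphabet(limits: SiteLimits) -> str:
    """A site that ignores case collapses 'a' and 'A' into one symbol, so the
    alphabet that actually counts toward entropy is the lower-cased set."""
    if limits.case_sensitive:
        return "".join(sorted(set(limits.alphabet)))
    return "".join(sorted({c.lower() for c in limits.alphabet}))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def best_entropy(limits: SiteLimits) -> float:
    """The most entropy a random password can carry under these limits."""
    return entropy_bits(limits.max_length, len(effective_alphabet(limits)))


def generate(limits: SiteLimits, length: Optional[int] = None) -> str:
    """Draw each character with secrets.choice (CSPRNG), never random.choice."""
    length = limits.max_length if length is None else min(length, limits.max_length)
    alphabet = effective_alphabet(limits)
    return "".join(secrets.choice(alphabet) for _ in range(length))


# Constructed examples of the limits the comment above complains about.
RESTRICTIVE_SITE = SiteLimits(max_length=10,
                              alphabet=string.ascii_letters + string.digits,
                              case_sensitive=False)
PERMISSIVE_SITE = SiteLimits(max_length=64, alphabet=FULL_ASCII)


def report() -> dict:
    """Entropy ceilings, in bits, for three situations discussed in the thread."""
    return {
        "des_crypt_8_chars": round(entropy_bits(8, len(FULL_ASCII)), 1),
        "restrictive_site": round(best_entropy(RESTRICTIVE_SITE), 1),
        "permissive_site": round(best_entropy(PERMISSIVE_SITE), 1),
    }


if __name__ == "__main__":
    print(generate(RESTRICTIVE_SITE), generate(PERMISSIVE_SITE, 20))
    for name, bits in report().items():
        print(f"{name}: {bits} bits")
```

`report()` puts numbers on the complaint: a case-insensitive, letters-and-digits site capped at 10 characters tops out around 52 bits, and an 8-character limit of the kind the DES-crypt scheme imposes is about the same even with all 94 printable ASCII symbols, whereas a 64-character field accepting the full set allows several hundred. Generating at the site's maximum length is the only lever a user has on a restrictive site.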

  14. GMurnane says:

    If we joined consumerist.com after the switchover, we aren’t affected, are we?

  15. Overheal says:

    Thanks to Consumerist and Gawker for the honest heads-up. Not the first time one of my favorite sites was compromised; it’s just the rate at which hackers change the rules of the game, it seems.

    It certainly looks like the Hackers changed my password on Consumerist, and when I went to retrieve it from my email account that I registered with – it had been put into lockdown for suspicious activity – presumably bruteforce attempts based on alterations of my password here, which wouldn’t have worked.

    Folks, always give your email addresses, bank accounts, etc. their own individually unique passwords. I know a lot of people will be caught out by this. When Boards.ie got hacked earlier in the year many people I know that registered their bank accounts with the same email and password information got toasted. And a lot of people lost some of the accounts they registered under the same address: hackers just do a password reset with your own email address and assign it to another email address.

  16. dolemite says:

    Pretty annoying. I have a cheap default username/password for news/social sites, and real passwords for financial/email, but…how am I going to remember all of the “crap” websites I go to that I have the simple password for? Eh….

    • Raekwon says:

      This is exactly my problem. Throwaway passwords are used for places like Gawker sites but I can’t remember all the places I randomly signed up with for sweeps and newsletters or just to check out stuff.

    • racshot65 says:

      LastPass or KeePass are pretty good.

      LastPass is super easy to use, but if you don’t trust them use KeePass.

      • dolemite says:

        Yeah, I have a password manager for all of my important sites, and strong passwords, but I don’t track the probably 100+ junk sites that I go to infrequently that I pretty much use the same password for.

    • trentblase says:

      I used this as an “opportunity” to change to a new system. You can make your own mental hashes, that aren’t super secure, but will still save you some headache. I use something like:

      (first letter of site) + (constant password string) + (last letter of site) + (number of characters in site * some constant)

      It means it takes 20 seconds to enter your password, but it prevents a computer program from using your other accounts. It probably won’t stop a human targeting your account specifically, because they can probably figure out your mental hash (unless you construct it very well… more complicated is harder to crack but also harder to execute).

      By the way, just for fun, here are the top passwords from the dump (the first number is how many accounts used that password). It’s pretty much what you expect, so I don’t think there’s harm in posting it. I checked the dump to see if my password was compromised (it was).

      3057 123456
      1955 password
      1119 12345678
      661 lifehack
      418 qwerty
      333 abc123
      311 111111
      300 monkey
      273 consumer
      253 12345
      247 letmein
      241 trustno1
      233 dragon
      213 baseball
      208 superman
      202 iloveyou
      202 1234567
      199 gizmodo
      196 sunshine
      194 1234

  17. Franklin Comes Alive! says:

    My Facebook account got hacked yesterday. Coincidence? Doubtful. Gawker can eat a dick, especially with their ‘don’t worry, everything is encrypted, nothing else is compromised’ BS line they are spewing right now.

    • Oranges w/ Cheese says:

      Mine too. Nothing was changed, lucky me. Got the pass updated anyway. Facebook isn’t important. I’m just glad that my bank, paypal, etc are all different passwords.

      The problem now is all the myriad trash logins I have elsewhere that may get compromised now.

    • speedwell (propagandist and secular snarkist) says:

      Interesting. Three or four days ago, I had someone attempt to recover the password from the e-mail account I use to log in here. They didn’t succeed, and I changed my password on the e-mail account anyway to be on the safe side. I see that my account was in the list of stolen accounts, but I don’t know how to see whether my actual password was also compromised (it was longer than 8 letters).

  18. chefboyardee says:

    What is wrong with people, how can a network this big not be using salts when encrypting passwords? Even during a data breach these passwords should NOT BE RECOVERABLE.

    • Raekwon says:

      They were encrypted. Problem is everything is recoverable given the time and processing ability.

      • racshot65 says:

        A really random 64 character salt and SHA256 is not breakable before the sun dies based on modern processing power.

        • kingmanic says:

          Since they had the site code as well, all you have to do is use a script to run the authentication against the db against a dictionary of passwords and it’ll crack that one. Make a table of that and do a look up for that hash on the password table and now you’ve found everyone else who used that password: username and email. Apparently Gawker didn’t use unique salts for each user.

  19. scottboone says:

    Which brings us to the $64,000 question: how is my Consumerist password —CURRENTLY— being stored?

    We have some geeks here, use techie terms…we’ll understand.

  20. Its_Miller_Time says:

    This might be the “kick in the ass” I need to change my passwords… Luckily I used an old password but I still might want to update them I guess! :-) Any way I can check to see if my email address was on this list?

    • Oranges w/ Cheese says:

      There’s a link on the lifehacker post. It is an old password for me as well, my bank, paypal, ebay etc have been random passes for a while. They still got into my facebook account. Not cool :(

  21. DanRydell says:

    Hey, you know how you always criticize companies when they don’t notify their users about a security breach? Why hasn’t consumerist.com e-mailed me yet? I know the breach happened at Gawker, but you know that a huge number of your users moved over here after the move from Gawker. You should e-mail all of your users and give them the information in this post, because there are very likely people who no longer read your site who would be affected by this.

    • outlulz says:

      Well it’s not really their information to e-mail all their members about what another company did. They are no longer affiliated. And if they no longer read this website then their password wouldn’t work since everyone’s passwords were reset a few months ago.

      • DanRydell says:

        1. Yeah it is something that Consumerist.com should e-mail their readers about for the reason I already explained. Many of us were readers when Consumerist was still part of Gawker, our information is still stored on their servers, and it was stolen. The response should not be “it’s not our fault, so we don’t need to notify anyone.” The response should be to err on the side of caution and e-mail everyone, especially because Gawker HASN’T. Consumerist is capable of contacting us, they know many of us had our information compromised, there’s no reason they shouldn’t contact us.

        2. The problem is when people use the same password on multiple sites. It doesn’t matter if it’s an old password that won’t work here, most of us wouldn’t care if our consumerist.com account was accessed by someone else.

        • outlulz says:

          None of the passwords from the Gawker website were carried over to Consumerist. This is in no way the responsibility of Consumerist. If you use the same password for everything that’s your fault, not Consumerist.

  22. Pax says:

    Yep, I’ve got an account at Kotaku, one of the Gawker sites. And as a result of the hack, and some advice being given there: I now use LastPass to manage my passwords, and will slowly migrate to using a unique password for each website / account / etc.

  23. FunnyAboutMoney says:

    My username is not a live link. So…how do I change my password on your site?

    • SG-Cleve says:

      I have the same problem. There’s something that has always been odd about my account. In addition to having my name show up as black text instead of a red link, I can never log in to the site. I always need to do a “password reset”, which sends a new password link to my email address.

  24. Torchwood says:

    Hey, hackers, my password for this board is Bk.UV`.o3j1~5I=KSrXy6PcdiSrc_Q6|&%j-Dt’)898|ZH>A(S^besV;9]HS . Go have some fun now.

    In all seriousness, I manage my passwords by using KeyPass. While my password file (along with a portable version of KeyPass) is stored on my USB drive, it is backed up regularly using FreeFileSync.

    There are alternative ideas out there. This is the one that works for me. Your mileage may vary.

  25. kingmanic says:

    What they do to decrypt the password DB is, since they have the verification code as well, they just code up a script to pass in words from a common password dictionary and run it against the password DB. Since Gawker didn’t salt the password with unique salts it means that once they break 1 guy’s password they’ve got a look up for every person who used the same password. You can eventually build a table with a password and account emails/usernames that also have that password.

    So with enough time and a big enough dictionary they will break every password. Since passwords are commonly around 8 letters long and only around 94 characters (uppercase, lowercase, common symbols), brute forcing will take a bit of time, but many people use passwords that may exist in a dictionary. I know I was perturbed to see my username show up in an old plaintext site dump from an unsecured site. Fortunately it was a very old and very crappy password, but I’m sure someone has harvested it for a dictionary attack.

  26. Oranges w/ Cheese says:

    Be careful, looks like people have actually been accessing things. Nothing of mine that is important was accessed, but I got a few notifications from some throwaway accounts today that had been accessed with less-than-ideal credentials. They were similar to my gawker stuff.

  28. SexCpotatoes says:

    I’m reposting my comment from Jalopnik and Gizmodo (where I have a star) since it may disappear.

    “What is being done about the contemptuous pricks in charge who see the users of your site(s) as ‘unimportant’ and ‘peasants?’

    Data breaches happen, and hopefully more attention is being paid to site security and keeping things safe and updated.

    But when people whose jobs depend on the eyeballs of the sites’ loyal reader base hold the users of their site in such little regard, then I feel there need to be SERIOUS changes in leadership from the top down.

    You are lucky to have us here. And not allowing people to cancel/delete their accounts after they’ve lost their trust in you DOES NOT show the slightest remorse on your part. So you are going to lose our passwords and email addresses, THEN hold our accounts HOSTAGE by not allowing their deletion for those who want to leave?

    This comment may lose me my star, or get me banned outright, as well as disappear. So read it while you can, commenters. Thank you.”

  29. ndonahue says:

    I’m kind of happy about this — a low risk site hacked is just enough incentive for me to complete the transition to lastpass and change the old passwords that are still lying around (like Gawker) to random 10 character passwords.

  30. venomroses says:

    Here’s what’s weird for me:

    I have never posted on another gawker site, just this one (when you guys were still with them…) But I got a weird “from the team at hint” email ? Wtf? It says “In situations like this, time is of the essence, which is why we were surprised & shocked to find that Gawker Media hadn’t taken the initiative to notify you of this privacy breach immediately. We HIGHLY recommend you change all of your online passwords as a precaution”

    Kind of strange….

    • crunchberries says:

      You might wanna change your password. I’m in the same situation as you are where I only signed up to the Consumerist, but still got the email. Turns out my account name and email address are in the database, but my password hasn’t been compromised. I just changed it anyway; better safe than sorry.

    • khisel says:

      I also received an e-mail from Hint.io sent to an e-mail address only known to the consumerist! So, somebody has definitely broken into something.

      • venomroses says:

        I was just reading around that some people weren’t happy with Gawker not emailing people, and so they were emailing people whose email addresses they found in the file. So that’s what that hint.io email was about.

    • venomroses says:

      Yeah, I just changed my password anyways, just in case.

  31. Lukecadet says:

    I still haven’t gotten a notification email from GAWKER. I did notice though that my cheesy password didn’t take long to be found. This is a huge threat as many netizens unwisely use the same username and password on many sites.

  32. Thyme for an edit button says:

    I’m concerned that I find out about this here and not, say, from an email this morning from Gawker. I am concerned that they are not actively notifying their users. I’m done with them because of this.

  33. Lukecadet says:

    Did some number crunching. Here are the top 10 domain names that had passwords that were cracked by the hackers. Total cracked so far were 185,271. When do we start sticking the pitchforks up the asses of those idiots running the IT department at Gawker???

    gmail.com 50527
    yahoo.com 40947
    hotmail.com 27326
    aol.com 8147
    comcast.net 2800
    msn.com 2250
    mac.com 1750
    sbcglobal.net 1667
    hotmail.co.uk 1476
    yahoo.co.uk 892

    • almightytora says:

      I also tried to log into my Yahoo e-mail account earlier tonight, only to find it locked. I had to ask for a reset code to be sent via my phone, then had to change my password.

      I expect a class action lawsuit against Gawker real soon.

  34. mkechaz says:

    I’ve done the same as most have stated. However, laziness was discovered after I just went through a password audit. Discovered Dell Finance allows a 120 character password. Had to give that a go.

  35. Echomatrix says:

    I just got an email saying “click here to check on your gawker name/password”

    Needless to say it didn’t look legit.

  36. almightytora says:

    Just got their e-mail:

    This weekend we discovered that Gawker Media’s servers were compromised, resulting in a security breach at Lifehacker, Gizmodo, Gawker, Jezebel, io9, Jalopnik, Kotaku, Deadspin, and Fleshbot. As a result, the user name and password associated with your comment account were released on the internet. If you’re a commenter on any of our sites, you probably have several questions.

    We understand how important trust is on the internet, and we’re deeply sorry for and embarrassed about this breach of security. Right now we are working around the clock to improve security moving forward. We’re also committed to communicating openly and frequently with you to make sure you understand what has happened, how it may or may not affect you, and what we’re doing to fix things.

    This is what you should do immediately: Try to change your password in the Gawker Media Commenting System. If you used your Gawker Media password on any other web site, you should change the password on those sites as well, particularly if you used the same username or email with that site. To be safe, however, you should change the password on those accounts whether or not you were using the same username.

    We’re continually updating an FAQ (http://lifehac.kr/eUBjVf) with more information and will continue to do so in the coming days and weeks.

    Gawker Media

  37. morningface says:

    I’ve been looking for a place to ask this question: what if I can’t click my username? It is just text, no link to a profile or anything.

  38. venomroses says:

    Does anyone know how to delete a gawker account?

    I just reset my password and notice all my previous comments are just from when the consumerist was with gawker. I never posted on anything else! How do I get rid of this account?

  39. SoFlaSnowMan says:

    One other issue which I haven’t seen publicized is that the file which was purloined contained usernames and email addresses. Thus, someone in possession of this file would be able to determine the email address of a Gawker (or Consumerist) commenter given their username.

    If any of you all of a sudden start receiving email referencing comments you may have posted, this is how your email address became publicized.

  40. FunnyAboutMoney says:

    When I click the username in the upper right corner of the page, nothing happens. It’s not live. Sooo…got any other ideas?