Gawker’s Customer Service Under Fire

For a brief period in August, every Gawker commenter was naked, their email address flapping in the wind.

A temporary error in the comments system gave admin privileges to anyone who updated their profile.

Scott Kidder of Gawker says, “We learned of the problem pretty quickly, and promptly patched the hole and removed admin access from those that shouldn’t have it.”

Though not before Malatron sent himself 1640 comment invites…

For a while he resigned himself to merely issuing comment logins to anyone Gawker executed.

Paul broke his silence today and posted about the lapse on his blog.

Afterwards, Paul IM’d The Consumerist with the deets. We forwarded his post to Gawker managing editor, Lockhart Steele, and to tech. As the hole was plugged, neither seemed alarmed and decided to let the matter rest.

Paul and Andrew Krucoff were still bothered. Krucoff in particular was appalled Gawker never told its readers about the brief vulnerability. Both wanted Consumerist to post about it (customer service failure at the HQ of the customer service blog and all).

Applying our normal posting criteria, we didn’t. Frankly, it seemed like a storm in a thimble. Plus, we were about to take a nap.

As we slept, posted about it and readers had fun getting comment logins from Malatron and pretending to be Krucoff in the comments.

Lock says Gawker will change its privacy policy, and has terminated all open comment invites issued prior to October 1.

Any readers disturbed by the potential privacy breach are advised to call Gawker customer service and ask for their money back.



  1. large orange says:

    This only affected people who gave Gawker their email address — which was not required. Tinfoil-hat types like me didn’t give their email address and weren’t affected.

    The moral of this story is that you should never have to give out your email address.

  2. Dagonis says:

    I don’t know if my invite was before or after that… :-

  3. EustaceRides says:

    Define “brief period.” So you’re saying that anyone with commenting privileges could have gone in and pulled profile info on everyone including email addresses if provided? Is it possible to track who accessed the admin page during that brief period?? This Malatron person can’t be the only one who did. This is really scary stuff. I’ll think twice about ever putting my real email in a comment submit process again. Thanks for being upfront about it…3 months after the fact.

  4. Any readers disturbed by the potential privacy breach are advised to call Gawker customer service and ask for their money back.

    Best “storm in a thimble” Fuck You, ever.

  5. pay me no mind, just wanted to see if i could still comment. move it along, nothing to see here…

  6. BlahBlahBlah says:

    A EustaceRides by any other name is still Andrew Krucoff.

  7. RobotsonCasiotones says:

    Oh noze! Someone has your email address! Your personal safety might be in jeopardy now. Oh wait…no it’s not, you’re just whining like a little bitch about probably the least consequential security breach, um- ever.

  8. Fawn Liebowitz says:

    Huh? Too much verbiage–condensed version please

    I will admit I’m too dumb and uninterested to research fellow commenters–although I will pull up a particularly interesting avatar for a better view now and then…

  9. EustaceRides says:

    RC, it’s rather odd you cite a “personal safety” concern when we’re only talking about the possibility of shady marketers appropriating an exposed email list for spam purposes. But I like your hysteria, maybe you should look into commenting at SelfDefensest. I’m sure someone could die from enough spam. Let’s not joke about such important matters. God I need a cigarette.

  10. Andrew says:

    I am also testing my commenting privileges

  11. The_Truth says:

    Wait I got my login before October 1st (I think), does that mean I can’t log in?

  12. AcilletaM says:

    They canceled any open invites from before Oct. 1st, not commenter accounts so if you already have a commenter account you are fine. However, if you have a username that starts with a number and gave your email, Malatron is exposing the email address you used to the world right now.

  13. malatron says:

    its been corrected acilletam

  14. OnoSideboard says:

    OK, but more importantly, can anyone tell me how to upload an avatar? Whenever I try, I get a little tiny “http status: 500” error message in the box where I put the image file. My image is well within the limits (25 kb). Any ideas?

  15. nojo says:

    It’s been a couple of months since I cadged an Invite, but I vaguely recall the signup page noting that the email address is optional — used to send your password in case you forget it. If you desired complete anonymity, you could skip the address, or set up something for the purpose at Yahoo or Gmail.

    Which is to say: the comment system is as confidential as you want it to be. As fun as it is to be outraged, I can’t bring myself to grab a pitchfork.

    On the other hand, I don’t know whether the registration or comment system logs IP addresses, which in many cases can be traced to the computer you’re typing on. (I’m a geek and I know the exceptions, but we’re talking to civilians here.) Malatron’s post mentions email only, so I don’t know whether his admin access provided more details about Gawker users.

    Me, I’m still pissed about Oxfeld getting fired, but that’s another matter.

  16. pipharper says:

    Um… I’ve had comment “privileges” (spelling? Who knows?) since, like, Madonna did the whole Roxy-Misshapes things, and um, what? My user ID thing, or whatever, says, July 2006. Aite.

    Is this working?

  17. raincoaster says:

    The real reason Gawker doesn’t want this info getting out is that it could show just how many Gawker commenters don’t actually live in the New York area. Can’t have that on the street.

  18. Ben Popken says:

    POINT OF CLARIFICATION: Comment invites are the little codes that you click on to create a comments account. Any of these issued before Oct 1 and not used were deleted. Nobody’s activated comment accounts were touched.

  19. KarenUhOh says:

    I got people in Hong Kong who don’t exist writing 50x a day to sell me phantom stocks. I got Mike Chertoff parked across from my house with a telescope in one hand and his dick in another.

    My e-mail was public access for 48 hours? Whoop-de-fucking-do.

  20. jthree says:

    If this were Wal-Mart not caring about an issue like this I bet it would be newsworthy.

  21. Alfonso X. Alfonse says:

    So, what you’re saying is thanks to this security breach, I’ll be receiving 4% more “rock hard cock” spam than before?

    P.S. Raincoaster – If I earned an invite, and some NYC folk didn’t, who’s to blame?

  22. RandomHookup says:

    Since you have subjected me to great and irreparable harm, I have decided to subject you to some of the spam that I received as a result of your negligence. Enjoy!

    Refinance Rate: 4.43%* – $350,000 loan for $579 a month – Bad credit OK visit us

    had; and as she was no horsewoman, walking was her only alternative. she declared her resolution.somebody running upstairs in a violent hurry, and calling loudly after her. she opened the door andtheir arrival; when they entered the passage she was there to welcome them

    eye remained focused on the ceiling. Damn it, he added of the stairs, gazing up at him intently, some craning their Well, youll have to learn the hard way, Im afraid,still eyeing Harry curiously. Too risky. Weve set up called Tonks, who was looking around the kitchen with great

    This is the break you’ve been waiting for! Spice up your
    holdings with A_U_N_I and WIN!

  23. EustaceRides says:

    Reader-submitted comment spam! Great idea. The consumer revolution beats on…

    Very Easy girls to get it on with at http://www.funexcitedgirls. com oopss delete space before com

  24. aka Cat says:

    Well, this explains that sudden upswing in spam in October.

  25. Pandora Spocks says:

    Karen: exactly how small is Chertoff’s dick?

  26. Ben Popken says:

    Closing runaway italics.

  27. RockandRoar says:


  28. gertrudeyorkes says:

    Also testing. I’m a loser. carry on.

  29. chunkstyle says:

    Yeah, I don’t really see the big deal here. Also, I am testing…pay no mind.

  30. Narnia says:

    Thanks Gawker…
    Company name: Texhoma Energy, Inc.
    Stock symbol: TXHE.PK
    Current price: 0.12 (up 50% this week)
    Expected price 10/20/2006: 0.52

    HOUSTON, TEXAS–(MARKET WIRE)–October 20, 2006 — Texhoma Energy,
    Inc. [TXHE] is pleased to announce Successful drilling results on
    the Clovely site. As mentioned in earlier updates we encountered
    two expansive gas pockets with a flow rate estimated at 900 MCF
    of gas per day. Today we are happy to report the discovery of an
    oil reservoir which has far exceeded our initial expectations.
    Recoverable reserves are estimated at 2mil barrels and plans are
    in place to start additional drilling in order to take advantage
    of this very fortunate situation. As always, we will keep our
    shareholders abreast of the latest happenings.

  31. flyover says:

    Please stop testing – it was INVITES that were cancelled, not Commenters who already have used their accounts!
    Is there a such thing as comment spam??

  32. Ben Popken says:

    Closing italics.

  33. My email address was flapping in the wind? I never knew that I could have internet flatulence.

  34. Ben Popken says:

    Closing bolds… do we really need to be so emphatic, people?

  35. Jupiter Jones says:

    mmm… bold

  36. Jupiter Jones says:

    ps: I did not restart the bold, it looks like it wasn’t closed.

  37. Narnia says:

    sorry. i just did it because you’re the only editor that crawls out from behind your monitor to close the tags. if only there was a point to baiting this trap.

  38. Narnia says:

    not bold its “big.”


  39. Ben Popken says:

    Well, I think this thread has exhausted itself. Closing comments.