Joe Maller.com

Running around changing logins

If you’ve ever created an account at any Gawker Media site, it’s highly likely your password has been exposed. These sites include Gawker, Deadspin, Kotaku, Jezebel, Fleshbot, io9, Jalopnik, Gizmodo, Valleywag and Lifehacker. Most likely this also includes the defunct sites Defamer and Sploid, as well as sites formerly owned by Gawker: Consumerist, Gridskipper, Oddjack, Screenhead and Wonkette (links intentionally omitted). These accounts go back nearly 10 years.

There’s more at Mediaite, BusinessInsider and HuffPo.

Inside the Gawker source/database torrent is a decrypted list of nearly 200,000 account details, including plaintext passwords. Mine was in there, and the login was apparently used to post a spam event to my dormant Facebook account. Facebook deserves praise for proactively disabling my account.

I had better plans for my morning.

After reviewing the torrent files, my theory is that passwords before a certain point in time were hashed without salt. These are stored as encrypted strings in the database, but are easily revealed using a basic rainbow table. A lack of salting would also have made it easy to reveal the several thousand accounts using ‘password’ and ‘qwerty’ as passwords.
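To make the salting point concrete, here is an added example (my own code, not anything from the post or from Gawker’s code base) that hashes a constructed account table with and without a per-user salt. It shows how unsalted storage makes identical passwords collide into a few repeated digests that one precomputed lookup reverses in bulk, and includes the duplicate-digest check a defender can run over a password table to spot that condition. SHA-1 is an assumption; the post does not name the algorithm the site used.

```python
import hashlib
import os
from collections import Counter

# Constructed sample account table (not records from the dump): each entry
# is (username, the plaintext password that user chose).
ACCOUNTS = [
    ("alice", "password"),
    ("bob", "qwerty"),
    ("carol", "password"),
    ("dave", "correct horse battery"),
    ("erin", "password"),
]

# Stand-in for a precomputed digest->plaintext table over a few common
# passwords. SHA-1 is assumed; the post does not name the algorithm.
COMMON_PASSWORDS = ["password", "qwerty", "123456"]


def unsalted_hash(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    # The per-user salt is stored beside the digest; it must be unique, not secret.
    return hashlib.sha1(salt + password.encode()).hexdigest()


def store_unsalted(accounts) -> dict:
    """user -> digest, the scheme the post suspects for older accounts."""
    return {user: unsalted_hash(pw) for user, pw in accounts}


def store_salted(accounts) -> dict:
    """user -> (salt, digest) with a fresh 16-byte random salt per user."""
    out = {}
    for user, pw in accounts:
        salt = os.urandom(16)
        out[user] = (salt, salted_hash(pw, salt))
    return out


def repeated_digests(digests) -> dict:
    """Audit check: digests seen more than once, with counts. Equal passwords
    only collide without a salt, so a few digests covering many accounts
    is a strong sign the table is unsalted."""
    return {d: n for d, n in Counter(digests).items() if n > 1}


def recover_with_table(user_to_digest: dict, common=COMMON_PASSWORDS) -> dict:
    """Reverse unsalted digests by lookup in the precomputed table; against
    the salted store the same lookup finds nothing, since each salt changes the digest."""
    precomputed = {unsalted_hash(p): p for p in common}
    return {u: precomputed[d] for u, d in user_to_digest.items() if d in precomputed}
```

Running `repeated_digests` over a real table is the quick way to confirm the symptom the post describes: three accounts sharing one digest here, several thousand in the dump.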
