Gawker Media has admitted passwords were stolen in a hack on its user databases.
Whilst the stored passwords were encrypted, Gawker said, simple ones may still be vulnerable to a brute force attack, where constant attempts to crack the key are made until the hackers are successful.
Users have been advised to change their passwords for Gawker websites and for any other site on which they use that same password.
“We're deeply embarrassed by this breach,” a note on the Gawker website read.
“We should not be in the position of relying on the goodwill of the hackers who identified the weakness in our systems. And, yes, the irony is not lost on us.”
Other Gawker sites include Lifehacker, Gizmodo, Gawker, Jezebel, io9, Jalopnik, Kotaku, Deadspin, and Fleshbot.
“We understand how important trust is on the internet, and we're deeply sorry for and embarrassed about this breach of security - and of trust,” a separate note on Lifehacker read.
“We're working around the clock to ensure our security (and our commenters' account security) moving forward.”
A group going by the name of Gnosis has claimed credit for hacking Gawker’s servers, reportedly posting a file on the Pirate Bay.
The file contained numerous passwords, including those of Gawker founder Nick Denton.
As yet, there has been no definite link between Gnosis and the Anonymous hacker group who have been going after anti-WikiLeaks services.
A related Twitter hack?
Following the Gawker compromise, hundreds of thousands of Twitter accounts were hacked as well.
Del Harvey, Twitter's director of trust and safety, said she suspected these new hacks used the same passwords as those taken from Gawker.
The hacked Twitter accounts have been used by spammers to send messages attempting to direct users to a supposed acai berry diet website.
“Got a Gawker acct that shares a PW w/your Twitter acct? Change your Twitter PW. A current attack appears to be due to the Gawker compromise,” Harvey wrote on her own Twitter page.
“In other words: the acai berry attack looks to be connected w/the Gawker hack rather than a worm.”
Ethical hacker Jason Hart, senior vice president at CRYPTOcard, told IT PRO hacks like the one against Gawker are becoming easier to carry out.
“With the ease of hacking and cracking passwords, there need to be additional layers of security,” Hart said.
“Encrypting passwords does not prevent brute force attacks.”
Sophos has told web users to mix up their passwords for added security.
According to a Sophos poll carried out last year, a third of respondents said they used the same passwords for all of their online accounts.
Just a fifth used different passwords for all their various accounts.
This article originally appeared at itpro.co.uk
Copyright © ITPro, Dennis Publishing
Issue: 315 | May 2013
Access CRN's extensive online resources including; email bulletins, community discussions and unique online news.
Processing registration... Please wait.
This process can take up to a minute to complete.
A confirmation email has been sent to your email address - SUPPLIED GOES EMAIL HERE. Please click on the link in the email to verify your email address. You need to verify your email before you can log on to the CRN website or start posting comments on articles.
If you do not receive your confirmation email within the next few minutes, it may be because the email has been captured by a junk mail filter. Please ensure you add the domain '@crn.com.au' to your white-listed senders.
