Normally in the business of making others embarrassed, Nick Denton’s Gawker Media empire had some awkward explaining to do itself on Monday after hackers breached the database containing hundreds of thousands of usernames and passwords that people used to comment on the sites in the network.
Gawker executives, who had initially denied the breach, were forced to reverse course and apologise after the hackers posted a large batch of the passwords online. The intruders also took Gawker’s own source code and perused internal chats and employee e-mails, which in turn provided log-in credentials for Google Apps, taking a similar trajectory to the 2009 electronic break-in at Twitter that unearthed sensitive financial information.
In an exchange with an interviewer, the hackers said they were motivated in part by Mr Denton’s dismissive comments about the online bulletin board 4chan, which has a user base that overlaps with Anonymous and is likewise heavily populated by teenagers.
The most immediate cost to Gawker is in its relationship with its readers. The company urged them to change the passwords they use to comment at blogs including Gawker, Lifehacker and Gizmodo.
But many people use the same password at many services, and spammers grabbed the posted information and immediately tried the name and password combinations at Twitter. They used the compromised accounts to advertise herbal drinks.
It would be much worse for those who relied on the same combination for e-mail, which could provide tools for entry into the networks at their own employers. The moral for all web users: employ a different password everywhere, or use a “throwaway” version that wouldn’t be worth anything to anyone who finds it.
For companies, the lessons are more serious. Analysis of the posted material shows that Gawker was running an old and unpatched version of Linux and protecting the user data with DES “encryption”, a scheme that had been cracked more than a decade ago.
Finally, Mr Denton noticed that someone had logged in as him to an internal chat system when he wasn’t on it, and asked for an investigation, which turned up nothing, more than a month before the hackers went public.
Good security practices and personnel might cost more than they used to. But they still cost a heck of a lot less than this kind of debacle.