The FBI has reportedly opened an investigation into the hack that compromised Gawker Media’s websites
A group known as ‘Gnosis’ has taken credit for the attack, and put the data it swiped into a file that was initially available via The Pirate Bay.
Rumours of the hack began to circulate 11 December, and Gawker confirmed them with a warning a day later. According to the company, the breach impacted users of several sites, including users of Gizmodo, Gawker and Deadspin. In addition, the attackers made off with usernames and passwords for Gawker’s staff, as well as Gawker’s source code and chat logs of discussions between employees.
The password information was encrypted, but was still vulnerable to being cracked – a fact underscored by the subsequent compromise of Twitter accounts belonging to some users. Many of those passwords were simplistic – an analysis by Duo Security found the most common passwords were “123456” and “password.”
There are so many websites that ask users to create a password that it is impossible to keep track of them all, said Richard Stiennon, chief research analyst at IT-Harvest. People treat many of these sites as inconsequential, and therefore don’t bother to create strong passwords they will immediately forget, he added, something that is fine for a media site like Gawker, but more problematic for things like email or Facebook accounts.
“(The) number one best practice is never use a word that can be found in the dictionary,” he said. “A simple way to create a hard to guess password is to use the first letter of each word in a phrase. ‘When IT Rains it Pours’ becomes WIRIP. Add a number to make it eight characters long – WIRIP421. Change the “I” to “!” and you have a pretty strong password you can remember: W!R!P421. Do that for sites you pay for and ones that are important to you.”
In a ‘Frequently Asked Questions’ posted in response to the incident, Gawker advised users to reset their passwords. In addition, the company said it is bringing in an independent security firm to improve its infrastructure security.