December 16, 2010

Gawker's Password Compromise Has Significant Aftershocks

Gawker Media's security breach, exposing user e-mails and passwords for the network's many sites, is a mess. Not only were users' accounts uncovered, but the full database was later posted to the Web for anyone to dive through, for better or for worse, gaining the ability to find out affected users who had been exposed. Assuming that users often adopt the same password across multiple Web services, it is a safe guess many folks are on the list whose accounts elsewhere are now at risk.

It just so happens my e-mail address was included in this breach.

Using a public hashtable lookup and decoder, I found that my e-mail address, and its corresponding Gawker password, was exposed in the attack. Not a good thing. But the good news is that after the late summer's issues of dealing with a fraudster, and changing all my passwords in many places, I'd already protected myself against this particular password escaping.

LinkedIn Forced a Password Reboot

But my work seems to have been in vain in some respects. First, my LinkedIn account was disabled. It turns out in a proactive move, the company forced all users who had accounts that matched the unveiled e-mail addresses to redo their passwords. In parallel, my e-mail, used on Gawker, was disabled by Apple. This story hasn't been revealed in the press, so far as I have seen, and it's quite possible Apple similarly proactively disabled accounts named in Gawker's documents.

Apple Reset My Password As Well, Even Though it Was New

So, once again, I found myself changing my password on my main account with Apple, after proving through a set of online hoops that I was actually me. And again, for the second time in a few months, I am reconsidering my password strategy, and wondering if the time has really come to use services like OpenID and OAuth to avoid the obvious problem of creating unique IDs for every site.

I have no clue how many times I've left comments on Gawker sites. I'd bet it's less than five times. And in exchange for this small number of posts, my LinkedIn account and my MobileMe account are sporting new passwords, while I think in my head of other places the old password may still be alive, susceptible to open hackers who want to take over my digital IDs.

From the tech coverage of the breach I have seen, it looks like Gawker got sloppy and they paid for it. More specifically, all of us impacted have paid for it with greater levels of annoyance and needing to reconsider how we approach our online permissions. I've given my user name and password pairs out to so many sites by this point, it's practically guaranteed the bad data is out there somewhere, on servers owned by companies much less aware and proactive than LinkedIn and Apple.

Gawker screwed up and it's a very major, visible mistake which can't happen too often before site users start to turn a blind eye to registrations, and move on to alternatives. If I can't sign in with my Google or Twitter ID at this point, I don't think I want to add yet another ID that may just fall victim to smarter hackers in the future.