This Gawker Thing



  • In case you haven't already received 40 bajillion emails from this, Gawker blog network (motto: single-handedly convincing society that blogs are lousy journalism) had their login database stolen, including emails and passwords. My email address is on the list, even though I've never created a log-in at any Gawker site because I'm not a drooling moron. So I got the email from Gawker saying that my email was leaked, but no passwords were. Fine.

    Then, minutes later, I get an email from DeviantArt saying my email was leaked and I should reset my password. What? Why? Well, they saw I was on the Gawker list, apparently, and decided that even though *only* my email address was leaked (an address already on about a thousand spam lists, mind you), my password must have been leaked too. Fortunately, DeviantArt lets me ignore the email.

    Then, this morning, I get a new email from Blizzard: "someone has requested a password reset on your account, click here to confirm." Someone's trying to break into my WOW account and doing a really sloppy job! (For those who don't play WOW: hackers go after WOW accounts all the time.) Next email? "Notice from Blizzard: we heard about the Gawker thing, and so we triggered a password reset on every Blizzard account." WTF, Blizzard! My password was never leaked, and even if it was, I use a different password for WOW than for everything else. PLUS, you've just emailed all your users something that looks *exactly* like a phishing message. (In fact, I'm still not 100% sure it wasn't a complex phishing attempt.)

    Next up! An email from LinkedIn: "your account has been disabled due to security reasons." My password was never fucking leaked! And LinkedIn had no trouble "resetting" it to the exact same password.

    All I can assume these site owners are doing are looking at the complete list of Gawker emails, matching it with their own database, and either:
    1) Sending out "you should reset your password" emails
    2) Clicking the "forgot password" button *for* you
    3) Disabling your account completely

    Not necessarily WTFy (well, option 2 is), but they didn't bother checking the Gawker list to see if a password hash was leaked or not.

    So fucking Gawker network, instead of passively causing headaches via their shitty blogs, is now actively causing me headaches because their computer security guys are apparently retards. Fuck Gawker.



  • Considering the large number of drooling morons that use the same password on every web site, it's probably not a bad idea to take this precaution if their password from one site gets leaked.



  • I wonder how many of those passwords you could still guess just by incrementing the leaked one.



  •  I don't even know what Gawker is.

    But yeah, panic mode is always annoying.



  • And they apparently encrypted the damn password, rather than salting and hashing them, the morons.There's the WTF.



  • @db2 said:

    Considering the large number of drooling morons that use the same password on every web site, it's probably not a bad idea to take this precaution if their password from one site gets leaked.

    The thing is, my password wasn't leaked, only my email was. And 50,000 spammers already have that.



  • @blakeyrat said:

    @db2 said:
    Considering the large number of drooling morons that use the same password on every web site, it's probably not a bad idea to take this precaution if their password from one site gets leaked.
    The thing is, my password wasn't leaked, only my email was. And 50,000 spammers already have that.

    Only 50,000?  You haven't been hitting the *good* sites.  Not with your real email at least.

    Try building a profile of yourself based on the targetted spam you recieve.  I'm a geriatric single-mom with erectile dysfunction.



  • @blakeyrat said:

    @db2 said:
    Considering the large number of drooling morons that use the same password on every web site, it's probably not a bad idea to take this precaution if their password from one site gets leaked.
    The thing is, my password wasn't leaked, only my email was. And 50,000 spammers already have that.

    blakeyrat (tad paranoic are we?), cool off man, yes the response is retarded, yes your password was not leaked off, but you see people are retarded, how much do you want to bet that people use stupid passwords that can be guessed from their email address and whatnot.  The people that sent emails to you can't know that you are a superior being that use super secure passwords.

    Proper response could have being sending you an email

    "Dear ________:

    In light of the Gawker affair we need to know,are you retarded?

    If so please click or copy this link ________________ to reset our password with our website.

    If not please ignore this email

    Kind Regards



  • @Tessellated Cheese said:

    And they apparently encrypted the damn password, rather than salting and hashing them, the morons.There's the WTF.

    I heard they were hashed but not salted.

    Man, security sounds delicious... I'm going to have potatos for lunch.



  • @serguey123 said:

    Blakeyrat, cool off man,

    Sorry for being "uncool", but I use a handle on this site for a reason. Don't be an asshole.

    I'd appreciate it if a mod could remove my name there.



  • @blakeyrat said:

    @serguey123 said:
    Blakeyrat, cool off man,
    Sorry for being "uncool", but I use a handle on this site for a reason. Don't be an asshole.

    I'd appreciate it if a mod could remove my name there.

    Remove it myself, sorry about that, but if you want to remain anonymous, you should really check what you put on those webforms, it takes like 1 minute of googling, I thought you were aware that pretty much everybody can know who you are if they care, FYI, my handle is my name except for the numbers so...



  • @blakeyrat said:

    Then, this morning, I get a new email from Blizzard: "someone has requested a password reset on your account, click here to confirm." Someone's trying to break into my WOW account and doing a really sloppy job! (For those who don't play WOW: hackers go after WOW accounts all the time.) Next email? "Notice from Blizzard: we heard about the Gawker thing, and so we triggered a password reset on every Blizzard account." WTF, Blizzard! My password was never leaked, and even if it was, I use a different password for WOW than for everything else. PLUS, you've just emailed all your users something that looks exactly like a phishing message. (In fact, I'm still not 100% sure it wasn't a complex phishing attempt.)

    Pretty sure it was. WoW phishing scams are getting more and more common. But normally pretty easy to spot. They normally consist of a message convincing you to "click here", which directs you to a site which only looks like the bnet login screen. In the years I've played WoW I've never had any e-mails directly from them about my account. On the few occasions one has looked relatively genuine, I've contacted them and said "is this e-mail actually from you?" and they've said no.

    While some companies are likely to panic for no real reason, the fact that your e-mail (and that only) was leaked makes you a prime target for phishing scams like this IMO. I'm not registered with Gawker, and haven't received the e-mails you (apparently) did from Blizzard or LinkedIn.



  • @the_nell_87 said:

    @blakeyrat said:
    Then, this morning, I get a new email from Blizzard: "someone has requested a password reset on your account, click here to confirm." Someone's trying to break into my WOW account and doing a really sloppy job! (For those who don't play WOW: hackers go after WOW accounts all the time.) Next email? "Notice from Blizzard: we heard about the Gawker thing, and so we triggered a password reset on every Blizzard account." WTF, Blizzard! My password was never leaked, and even if it was, I use a different password for WOW than for everything else. PLUS, you've just emailed all your users something that looks *exactly* like a phishing message. (In fact, I'm still not 100% sure it wasn't a complex phishing attempt.)

    Pretty sure it was. WoW phishing scams are getting more and more common. But normally pretty easy to spot. They normally consist of a message convincing you to "click here", which directs you to a site which only looks like the bnet login screen. In the years I've played WoW I've never had any e-mails directly from them about my account. On the few occasions one has looked relatively genuine, I've contacted them and said "is this e-mail actually from you?" and they've said no.

    While some companies are likely to panic for no real reason, the fact that your e-mail (and that only) was leaked makes you a prime target for phishing scams like this IMO. I'm not registered with Gawker, and haven't received the e-mails you (apparently) did from Blizzard or LinkedIn.

    I do get those e-mails from Blizzard that my account is frozen because of a hack attempt. This usually happens when I travel abroad and access the game from my laptop in a hotel room. Seems they do some checks on the geo-location of your IP address and logging in from different continents triggers alarms.

    As to my e-mail security: I use not only different passwords, but also different e-mail addresses. Accounts like WoW, Paypal, iTunes have unique e-mail addresses connected to them.



  • @serguey123 said:

    ... leaked off..

    ewww



  • @Tessellated Cheese said:

    And they apparently encrypted the damn password, rather than salting and hashing them, the morons.There's the WTF.

    Even lamer: they used frickin' DES to encrypt the stupid passwords. You know, that insecure "NSA-approved" algorith that uses a 56-bit key that can be cracked with minimal effort.

    Which is what the hackers proceeded to do right away!



  • @dhromed said:

    I don't even know what Gawker is.

    If I didn't already know, I'd assume it's a community of GNU AWK users.



  • @RogerWilco said:

    I do get those e-mails from Blizzard that my account is frozen because of a hack attempt. This usually happens when I travel abroad and access the game from my laptop in a hotel room. Seems they do some checks on the geo-location of your IP address and logging in from different continents triggers alarms.

    As to my e-mail security: I use not only different passwords, but also different e-mail addresses. Accounts like WoW, Paypal, iTunes have unique e-mail addresses connected to them.

    I got an email from Blizzard when my account was banned due to posting a disguised link to a scheisse site on the official forums.  I make no appologies.



  • @danixdefcon5 said:

    @Tessellated Cheese said:

    And they apparently encrypted the damn password, rather than salting and hashing them, the morons.There's the WTF.

    Even lamer: they used frickin' DES to encrypt the stupid passwords. You know, that insecure "NSA-approved" algorith that uses a 56-bit key that can be cracked with minimal effort.

    Which is what the hackers proceeded to do right away!

     

    yeah i noticed that too, i've also peaked at their code. It's awfull, in an index, index_new, index_old, index2 kind of way.



  • @serguey123 said:

    Remove it myself, sorry about that,

    Thanks.

    Yes, I know that anybody (given my handle) can find out my real name in seconds, that's not really the point. What I'm trying to do is keep forums like this off the result list if people search for my real name. I'm probably failing hard at this, but... well I'm trying.

    The real point is, I've only ever used the name "blakeyrat" here, so it's a simple politeness thing. You don't start using someone's real name on a site unless you have permission, or unless they've started using it first.

    Thanks for editing your post.



  •  Btw in response to your original message about Blizzard, I get about 10 notifications a week that my account information is incorrect, or updated, or has leaked, that someone's trying to hack my account, or whatever. If I could just please click "here" to log in and check my account information. With "here" linking to a site like http://www.battle.net.wow-en-support.com/. Right.



  • I got the Gawker email too. That's nice and all, but I don't even remember making an account, and if i do have one, I certainly don't remember which site it was on. Hard to change it without that information...



  • @lolwtf said:

    I got the Gawker email too. That's nice and all, but I don't even remember making an account, and if i do have one, I certainly don't remember which site it was on. Hard to change it without that information...

    They sent emails to users even if you had an email address and no password. If you want to try your commonly-used passwords, you can go to any Gawker site and attempt to log in-- they all share the same log in servers. (Which is why this breach was so bad, I guess. They get fashion fans, car fans, gaming fans that are dumb enough to think Kotaku has anything to do with gaming, gadget fans, etc all in one go.)



  • @danixdefcon5 said:

    I'm going to sing the Doom song!

    My favorite GIR scene is when the delivery guy hands him the pizza, and he bursts into tears and says "I love you!" (Second place would be when his brain was in the house computer, and he had a taco in a robot hand jamming it into a wall and going, "I can't find my mouth!!!")



  • @HighlyPaidContractor said:

    Try building a profile of yourself based on the targetted spam you recieve.  I'm a geriatric single-mom with erectile dysfunction.

     

    I'm apparently a Russian looking for a work-from-home data entry gig.



  • @blakeyrat said:

    @serguey123 said:
    Remove it myself, sorry about that,
    Thanks.

    Yes, I know that anybody (given my handle) can find out my real name in seconds, that's not really the point. What I'm trying to do is keep forums like this off the result list if people search for my real name. I'm probably failing hard at this, but... well I'm trying.

    The real point is, I've only ever used the name "blakeyrat" here, so it's a simple politeness thing. You don't start using someone's real name on a site unless you have permission, or unless they've started using it first.

    Thanks for editing your post.

    I apologize again, I said it earlier on other posts but I'm not good with social conventions and whatnot.  I get your point but it does not help that your blog is the first hit with your full name (so yes you are failing "hard") also there are some hilarious hits, you should worry more about them than this website.  Your mail account, interest and wow character name are also easy to pick along with a bit of other random info.

    In perspective they should not have sent you an email as what was leaked was public knowlodge

    Regards



  • Maybe this explains why Facebook make me set up a ton of security questions and stuff today. Which is annoying because I've never heard of Gawker until reading this thread so there's no way I should be affected.





  • @serguey123 said:

    I get your point but it does not help that your blog is the first hit with your full name (so yes you are failing "hard")

    Yes, but people who find my blog aren't going to type my handle into Google for another set of results. Unless they're really in it to smear me, but, hell, that's easy for anybody really dedicated to it. So I'm not failing as hard as you think.

    @serguey123 said:

    also there are some hilarious hits, you should worry more about them than this website.

    I already do, but there's no way to get rid of them. (If you know a way, please let me know!) Having Internet access when you're young and stupid is a dangerous thing, and I completely agree with people who think the Internet needs to have a "memory" and "forget" old things... people's opinions change, but that fucking retarded blog comment I left in 1998 never will.



  • @serguey123 said:

    Further proof that people are retarded http://blogs.wsj.com/digits/2010/12/13/the-top-50-gawker-media-passwords/

    To be fair, I would wager people set "123456" as a password because:

    1) It's just a blog, so who gives a shit if someone steals the account?

    2) That way they're specifically *not* setting it to the same password as their bank account (or whatever)

    I don't see "123456" and "password" as the top two entries being a WTF.



  • @blakeyrat said:

    1) It's just a blog, so who gives a shit if someone steals the account?

    2) That way they're specifically *not* setting it to the same password as their bank account (or whatever)

    I don't see "123456" and "password" as the top two entries being a WTF.

    1- Apparently some people do care.

    2- One would think that and be wrong sometimes

    If it is unimportant then don't set a password.  Making half assed security measures is worse than none because creates a false sense of security.

    I'll go with small to medium importance in this place as PI and marketable information is getting valuable.

    As for the other post, well it is hard and mildly illegal so no, btw did you miss the "" on hard?



  • @blakeyrat said:

    @serguey123 said:

    Further proof that people are retarded http://blogs.wsj.com/digits/2010/12/13/the-top-50-gawker-media-passwords/

    To be fair, I would wager people set "123456" as a password because:

    1) It's just a blog, so who gives a shit if someone steals the account?

    2) That way they're specifically *not* setting it to the same password as their bank account (or whatever)

    I don't see "123456" and "password" as the top two entries being a WTF.

    The application I'm currently working on has its passwords stored in plaintext in the database (not my doing).  On glancing through them, maybe .01% are strong passwords, the rest are NULL (the system allows it), the default 'ChangeMe1', 'password', kids names, or favorite hobbies.  The system controls all policy information and accounts recievable for a major insurance firm.  It's also vulnerable to SQL injection for the next 2 versions, so easy to guess passwords aren't really an issue.  (I'm not allowed to correct it until my contracted modules are in production)



  • @serguey123 said:

    If it is unimportant then don't set a password.  Making half assed security measures is worse than none because creates a false sense of security.

    I agree but that's Gawker's fault. If you want to leave a post on Kotaku saying "hehehe VIDEO GAME GIRL BOOBS!!!!" or whatever shit the Neanderthals there post, you need to create an account-- including a password.

    I mean, here's the deal: Kotaku requires you create an account so they can fight spam. Moron Kotaku reader creates one *simply* to post to a retarded blog, they don't care if the password gets compromised because they didn't want to set one in the first place. Thus, "123456".

    You don't have the option to post an unimportant comment without setting a password on those sites.

    @serguey123 said:

    As for the other post, well it is hard and mildly illegal so no, btw did you miss the "" on hard?

    No, I got it. I guess I was just hoping you have some secret sauce. Google is my nemesis.



  • @serguey123 said:

    @blakeyrat said:

    @serguey123 said:
    Remove it myself, sorry about that,
    Thanks.

    Yes, I know that anybody (given my handle) can find out my real name in seconds, that's not really the point. What I'm trying to do is keep forums like this off the result list if people search for my real name. I'm probably failing hard at this, but... well I'm trying.

    The real point is, I've only ever used the name "blakeyrat" here, so it's a simple politeness thing. You don't start using someone's real name on a site unless you have permission, or unless they've started using it first.

    Thanks for editing your post.

    I apologize again, I said it earlier on other posts but I'm not good with social conventions and whatnot.  I get your point but it does not help that your blog is the first hit with your full name (so yes you are failing "hard") also there are some hilarious hits, you should worry more about them than this website.  Your mail account, interest and wow character name are also easy to pick along with a bit of other random info.

    In perspective they should not have sent you an email as what was leaked was public knowlodge

    Regards

    Good to see you two playing nice again.  Its generally bad form to  post something like that without asking first.  Most of us mods will sanitize it as soon as we see it or are alerted.  However since I've recently been locking things down a bit, feel free to google me and let me know what you find.  Who knows you might even find something I was unaware of and should lock down.



  • @blakeyrat said:

    people's opinions change, but that fucking retarded blog comment I left in 1998 never will.

    You sir, have made my day.

    Thank you

    The let Google forget stuff has been proposed but so far no dice.

    To be fair if a person hold againts you a comment made so long ago, that person is being a dick, however some jobs do an extensive background search, (mine did) and they sometimes can be unfair so if someone does that to you or anybody else you can tell them from me to stick it where it belong.



  • @serguey123 said:

    To be fair if a person hold againts you a comment made so long ago, that person is being a dick, however some jobs do an extensive background search, (mine did) and they sometimes can be unfair so if someone does that to you or anybody else you can tell them from me to stick it where it belong.

    Sometimes they're on undated pages. Which makes it even worse. (Of course, Google and Archive.org have an idea of when the page changed, so they could still implement the forgetting. Google just doesn't bother.)



  • Google seems to have forgotten some of my less flattering prose.  I don't see "(my name) masterbating with drunken midgets" anywhere.  It was a bit of a concern a few years back when I was looking for gainful employ.

    My college senior design project is still there for all to see, however.



  • @HighlyPaidContractor said:

    Google seems to have forgotten some of my less flattering prose.  I don't see "(my name) masterbating with drunken midgets" anywhere.  It was a bit of a concern a few years back when I was looking for gainful employ.

    My college senior design project is still there for all to see, however.

    If you PM me with the details I can help you stay relevant as is mildly simple to make google rank something higher, is probably there, you just need to get it out, something a bot will be more efficient at.



  • @serguey123 said:

    @HighlyPaidContractor said:

    Google seems to have forgotten some of my less flattering prose.  I don't see "(my name) masterbating with drunken midgets" anywhere.  It was a bit of a concern a few years back when I was looking for gainful employ.

    My college senior design project is still there for all to see, however.

    If you PM me with the details I can help you stay relevant as is mildly simple to make google rank something higher, is probably there, you just need to get it out, something a bot will be more efficient at.

    Thank you.  I'm not sure how serious you're being, but I am very happy with how irrelevant my masturbatory habits currently are to those googling me for employment reasons.  If my desired mode of employ drastically changes at any point in the future to something more relevant to auto-eroticism and little-people, I will be sure to contact you.



  • @HighlyPaidContractor said:

    If my desired mode of employ drastically changes at any point in the future to something more relevant to auto-eroticism and little-people, I will be sure to contact you.

    I know it's a bit of a faux-pas to quote/respond to myself, but I think I'm going to start sending this as a standard response to all of the recruiter farms that purposefully misinterpret my resume and call me all day long. 

    I still don't see how "software developer in New England" can be construed to mean I want to sell insurance in Phoenix.



  • @HighlyPaidContractor said:

    @HighlyPaidContractor said:

    If my desired mode of employ drastically changes at any point in the future to something more relevant to auto-eroticism and little-people, I will be sure to contact you.

    I know it's a bit of a faux-pas to quote/respond to myself, but I think I'm going to start sending this as a standard response to all of the recruiter farms that purposefully misinterpret my resume and call me all day long. 

    I still don't see how "software developer in New England" can be construed to mean I want to sell insurance in Phoenix.

    Ha, they ammount to the same thing, don't you know that?

    About the other thing, I was joking of course, you are clearly smart enough to actually know how to make this happen, and when your sex life is a concern for a future employer either you are into some weird shit or your employer is.



  • I received the email, too. However, slate.com has a widget that allows you to enter your email address and see if it was in the released set. Not that you shouldn't change your password anyway, but at least if it's not in the released set, fewer people have it.



  • @serguey123 said:

    About the other thing, I was joking of course,

    I assumed as much, but my wording was somewhat vague, the internet does not convey tone well, and I have the can't-tell-when-people-are-joking gene.  Also, I got to write some great sentences.

    @serguey123 said:

    you are clearly smart enough to actually know how to make this happen,

    Obviously you're still joking.

    @serguey123 said:

    and when your sex life is a concern for a future employer either you are into some weird shit or your employer is.

    Weird is subjective.  Of course, just today I've posted today about self-pleasure, morphophilia, and coprophilia, so all bets are off.  I still would rather my sex life and my future employer never cross paths; until such time as my desired mode of employ drastically changes.



  • @HighlyPaidContractor said:

     

    Weird is subjective.  Of course, just today I've posted today about self-pleasure, morphophilia, and coprophilia, so all bets are off.  I still would rather my sex life and my future employer never cross paths; until such time as my desired mode of employ drastically changes.

    Pfft, that is perfectly normal, if that is what rock your world, rock on my friend, rock on, I meant weird in the illegal as shit sense.  What you do in your private life should be nobody's problem but sadly the world is changing, have you heard of the TAD rules?



  • @serguey123 said:

    have you heard of the TAD rules?

    Pulls up something about John Ritter.



  • @Tessellated Cheese said:

    And they apparently encrypted the damn password, rather than salting and hashing them, the morons.There's the WTF.

    If you think that's bad...
    I asked our corporate travel website to retrieve my password.  They emailed it to me - in the clear!



  • @dcardani said:

    I received the email, too. However, slate.com has a widget that allows you to enter your email address and see if it was in the released set. Not that you shouldn't change your password anyway, but at least if it's not in the released set, fewer people have it.

    Slate's widget also makes the same error as those other guys. Having your email in the data isn't the same thing as your password being compromised... at least Slate says as much in the tool, although from the comment below this was a late addition.



  • I've had a number of similar emails, and I've never played WOW. Sounds like a phishing scam to me.



  • I have gotten those wow phishing e-mails on e-mail accounts that are not associated with my wow account, suprisingly i haven't seen any on my email that is associated with the account. They look suprisingly legit, unless you compare it to an actual blizzard e-mail.

    They are usually some variation on "click here to change your password or lose your account after X days." Most offical blizzard e-mails don't look like phising scams unless you count the fact that the phishers try to make them look legit, and usually put some sort of 'scam warning' linking to a url with blizzard and support in it. Often it links to the offical site, but sometimes to somewhere malicous. IIRC offical blizard e-mails just have a simple scam disclamer, and no link. 


  • Garbage Person

    @blakeyrat said:

    If you want to try your commonly-used passwords, you can go to any Gawker site and attempt to log in-- they all share the same log in servers. (Which is why this breach was so bad, I guess. They get fashion fans, car fans, gaming fans that are dumb enough to think Kotaku has anything to do with gaming, gadget fans, etc all in one go.)
    I am skeptical of this - my Jalopnik account has NEVER worked on the other sites

    Fortunately,  the password I used over there is old as shit and therefore totally useless unless someone wants to pose as me on an online dating website (they can go right ahead, they might have better luck) or login to some physical-only consoles at places I don't work at anymore. When I first signed up, I made that decision consciously - "This place looks shifty as hell - they're going to lose my password one day." Oddly enough, I haven't received ANY email from them about this incident.That might possibly be because the account is tied to an email address that no longer accepts mail.

     

    Oh, and they can also log into my disabled Facebook account. .... I should fix that. Can't have anybody reactivating my account.



  •  I know this is completely off-topic but the talk about encryption and such kind of made me wonder... whatever happened to morbs? I haven't seen him around here for quite a while... If I look at his profile, it says his last post was in July? I'm worried.


Log in to reply