DeviantArt (Silverpop) and Gawker Media (Lifehacker/Gizmodo/etc.) compromised

[tomos]

Got two email related to this this morning - I thought they were dubious but it seems to be true:

DeviantART Members Emails Leaked By Marketing Partner Silverpop Systems (Cyberinsecure.com)

Gawker Media Suffers Massive Data Breach Courtesy of Gnosis (DailyTech.com)

[tomos]

from email

Lifehacker, Gizmodo, Gawker, Jezebel,
io9, Jalopnik, Kotaku, Deadspin, and Fleshbot. As a result, the user name
and password associated with your comment account were released on the
internet. If you're a commenter on any of our sites, you probably have
several questions.

We understand how important trust is on the internet, and we're deeply
sorry for and embarrassed about this breach of security. Right now we
are working around the clock to improve security moving forward. We're
also committed to communicating openly and frequently with you to make
sure you understand what has happened, how it may or may not affect you,
and what we're doing to fix things.

This is what you should do immediately: Try to change your password in
the Gawker Media Commenting System. If you used your Gawker Media
password on any other web site, you should change the password on those
sites as well, particularly if you used the same username or email with
that site. To be safe, however, you should change the password on those
accounts whether or not you were using the same username.

they then give a lifehac.kr address (which made me dubious of it's authenticity - maybe this is the start of the dodgy emails??)

[tomos]

is no-one worried about this

I cant login to Lifehacker in spite of being able to request (& having gotten) a new password.
Also I foolishly used the same/similar password & username in multiple accounts so I'm working my way through them

[Deozaan]

Yes, it's true.

I had an old gmail account with the same details as an old Gawker account and woke up today to find lots of people telling me I was sending spam.

Sure got me to finally pay attention to How I'd Hack Your Weak Passwords. (I just noticed that article was from LifeHacker, oh the irony!)

I'm currently investigating http://www.Lastpass.com/ and http://www.PassPack.com/ as a result.

My friend really loves PassPack, but I think I prefer LastPass, since it has browser extensions and seems like "less work" once you figure out how to use it. Now my passwords are 20+ characters long and different for every site.

[40hz]

I've been using the PasswordHasher extension under Firefox for day to day use for low to moderately secure logins.

Anybody know anything better that works in a similar fashion and also doesn't effectively require an online account?

For very secure passwords (like on client servers) I'll head over to random.org and generate a set of very long, very random strings - and pray to all that is holy I never lose the (also encrypted) list. 

[Eóin]

I use Keepass myself. Thanks to the Android and WinMo clients, I always have my passwords at hand.

[y0himba]

I recieved three emails.  One from Gawker/Lifehacker itself.  One from someone called "Hint", and this morning an email with bad grammar and poor spelling that imitated the email from Gawker/Lifehacker.  Luckily I never use the same password twice, and the email I usually register uses a different password.

I wonder, I am interested in downloading the torrent to see what they have on me in there, but don't want folks to think badly of me or think I am a malicious hacker.  What are the moralities in this instance? Opinions?

Also, you can go here: http://www.slate.com/id/2277768/ enter your username or email address and see if yours was among the information compromised.

[Ampa]

Had heard about the Gawker hack on the web so have been monitoring the progress of the password crack.

I actually downloaded the Torrent released by Gnosis to see whether my account was in the decrypted information (it wasn't) but the brute forcing continues and it is said that over 200k accounts have now been cracked.

DuoSecurity have provided this widget which claims that my information has been compromised.

I do not use the same password on every site, so am not overly concerned, but am amazed that it took Gawker 3 days to email me about the issue!

[40hz]

Let's see...some pissy prima donnas took a snit about something Gawker said about them and their cohorts...and decided to punish Gawker by compromising the account information of +200K innocent users...in order to teach Gawker some "respect" for Gnossis and 4Chan?

Maybe I'm missing something, but just who is being the "arrogant" jerk here?

(God, do some people ever need to get a life!)  

[f0dder]

(God, do some people ever need to get a life!) 

-40hz (December 14, 2010, 09:40 AM)

Oh, but they've just got a lot of life - all over their panties, down in mum&dad's basement.

[40hz]

.

[40hz]

(God, do some people ever need to get a life!)  

-40hz (December 14, 2010, 09:40 AM)

Oh, but they've just got a lot of life - all over their panties, down in mum&dad's basement.

-f0dder (December 14, 2010, 10:38 AM)

Awesome!    

---//---

Just thinking...maybe the Powers That Be could back off the Wikileaks thing a bit and devote some resources and attention to these guys? At least Wikileaks operates right out in the open, and is pretty clear about who they are and what their agenda is.

About the only thing Anonymous and Gnosis are going to accomplish is to garner sufficient "government interest" that the web will eventually be put under enough technical and legal constraints to guarantee that all future 'web antics' will become the exclusive domain of professional criminal gangs and government ops teams. (Small difference between the two when you think about it.)