A group calling itself Gnosis has pulled off a massive heist of data from Gawker Media, the New York-based blog network owned by Nick Denton. But perhaps "massive" is a bit of an understatement.
Gawker, perhaps best known for its unusual procurement of a lost iPhone prototype and the ensuing fury from Apple, owns the popular blogs Gawker, Gizmodo, Jalopnik, Jezebel, Kotaku, Lifehacker, Deadspin, Io9, and Fleshbot.
In a blog post on Sunday, the petulant commented, "We're deeply embarrassed by this breach."
You Might Want to Change Your Password Now
Posted around the internet are juicy nuggets of what was once Gawker's and its customers' secure private data. The posts include the site's entire PHP-heavy source (a fun read if you're a web dev), thousands of user passwords, server logs, staff emails, staff chats, and tons of information on Gawker chief Nick Denton and his various compromised web accounts.
After 17 hours of cracking, the Gnosis team is offering up over 273,789 passwords of Gawker users, and they say they expect to have 500,000+ before they're done. That represents roughly half of the purloined database of 1,247,897 user entries, which in turn is roughly 80 percent of all accounts on the site (in other words, the hackers expect to compromise more than 30 percent of all users' passwords).
Interestingly, 2,650 users were using either "password" or "qwerty" as their password.
Many Gawker staffers seemed to be using short common words or pop-culture names as their passwords. And Nick Denton's appears to be a repeating four-digit pattern.
The group mocks:

"You would think someone like Nick Denton, who likes to run his mouth and taunts such an unforgiving mass like Anonymous, would use a more secure password than "24862486". The sad thing is he probably believes this password is "secure" because he likes to use it everywhere!"
Gawker was using an outdated password-hashing scheme based on DES ("Data Encryption Standard"), which only takes the first eight characters of a password into account, so the hackers only needed to figure out those first eight characters to log in.
The result is that if your password was longer than eight characters, only its first eight characters were exposed, so your full password and the rest of your online accounts should be safe.
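The following is an added example, not code from the article or from Gawker, that models the eight-character truncation described above next to a scheme that hashes the whole password. The truncating verifier is a stand-in for the DES-based crypt(3) scheme (it uses SHA-256 over the first eight characters purely to reproduce the truncation, not DES itself); the salt and passphrase are constructed for the example.

```python
"""
Added example: why a hash that only covers the first eight characters of a
password gives an attacker a login with only those eight characters, while a
scheme over the whole password does not. Not the article's or Gawker's code.
"""
import hashlib
import hmac

PREFIX_LEN = 8  # traditional DES-based crypt(3) ignores everything past character 8


def hash_truncating(password: str, salt: bytes) -> bytes:
    # Stand-in for the legacy scheme: only the first eight characters matter.
    # (SHA-256 is used here only to model the truncation, not DES.)
    return hashlib.sha256(salt + password[:PREFIX_LEN].encode("utf-8")).digest()


def hash_full(password: str, salt: bytes) -> bytes:
    # Modern scheme: a slow key-derivation function over the entire password.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def verify(stored: bytes, candidate: str, salt: bytes, hasher) -> bool:
    # Constant-time comparison of the stored hash against the candidate's hash.
    return hmac.compare_digest(stored, hasher(candidate, salt))


def demonstrate() -> dict:
    salt = b"constructed-salt"  # constructed; real schemes use a random per-user salt
    passphrase = "staple-battery-horse-correct"  # constructed 28-character passphrase
    prefix_only = passphrase[:PREFIX_LEN]  # "staple-b": what a cracker of the DES hash learns

    stored_truncating = hash_truncating(passphrase, salt)
    stored_full = hash_full(passphrase, salt)

    return {
        # Legacy scheme: the eight-character prefix logs in just like the full passphrase.
        "truncating_accepts_prefix": verify(stored_truncating, prefix_only, salt, hash_truncating),
        "truncating_accepts_full": verify(stored_truncating, passphrase, salt, hash_truncating),
        # Full-password scheme: the prefix alone is rejected.
        "full_accepts_prefix": verify(stored_full, prefix_only, salt, hash_full),
        "full_accepts_full": verify(stored_full, passphrase, salt, hash_full),
        # The cracked prefix is not the full passphrase, so it does not directly
        # unlock other sites where the full passphrase is used.
        "prefix_equals_full_password": prefix_only == passphrase,
        "characters_actually_protecting_legacy_login": min(len(passphrase), PREFIX_LEN),
    }


if __name__ == "__main__":
    for key, value in demonstrate().items():
        print(f"{key}: {value}")
```

The point for defenders is the last entry: under the legacy scheme a 28-character passphrase buys no more login security than an 8-character one, while the untruncated scheme rejects the prefix outright.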
In an interview with The Next Web, a member of the group states, "We apologize that you were caught in the crossfire of this attack, if you have a sufficiently good password over 8 characters then you are most likely not at risk, anyone could have done what we did, it was wide open for everyone to exploit, we just got there first."
If your password was insecure and you use it in other locations, beware. Gnosis already emphasized this fact by posting tweets to the Gawker account and posting pictures and text to Nick Denton's personal Flickr account.
HD Moore, a security researcher who works for ComputerWorld, has outlined a procedure for you to check if your email has been compromised:
Step 1: Go to http://pajhome.org.uk/crypt/md5/, enter an e-mail address in the 'Input' field, click the 'MD5' button, then copy the hash from the 'Result' field.
Step 2: Go to http://www.google.com/fusiontables/DataSource?dsrcid=350662, click 'Show Options,' then paste the already-obtained hash in the field to the right of the '=' symbol. Change the left-most field to 'MD5.' Click 'Apply.'
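The two steps above amount to hashing your own address and looking the hash up in a table that holds only hashes of the leaked addresses. The script below is an added example that reproduces that logic offline; it is not HD Moore's tool or the Fusion Table, and the leaked addresses it builds its table from are constructed for the example.

```python
"""
Added example: an offline model of the "hash your e-mail, look up the hash"
breach check. Not the article's, HD Moore's, or Google's code.
"""
import hashlib


def email_md5(address: str) -> str:
    # Normalize first: a lookup table built from trimmed, lower-cased addresses
    # will miss "Alice@Example.com" if the address is hashed verbatim.
    normalized = address.strip().lower()
    return hashlib.md5(normalized.encode("utf-8")).hexdigest()


# Constructed stand-in for the published lookup table: hashes only, no addresses.
CONSTRUCTED_LEAK_TABLE = frozenset(
    email_md5(addr) for addr in ("alice@example.com", "bob@example.org")
)


def is_in_leak(address: str, table=CONSTRUCTED_LEAK_TABLE) -> bool:
    # The lookup service never sees the plaintext address, only its hash.
    return email_md5(address) in table


def check_many(addresses, table=CONSTRUCTED_LEAK_TABLE) -> dict:
    # Check a batch of addresses; returns {address: compromised?}.
    return {addr: is_in_leak(addr, table) for addr in addresses}


if __name__ == "__main__":
    sample = ["Alice@Example.com ", "carol@example.net", "bob@example.org"]
    for addr, hit in check_many(sample).items():
        print(f"{addr!r}: {'found in leak' if hit else 'not found'}")
```

Note that MD5 here is only a lookup key, not a secret: e-mail addresses are easy to guess, so hashing them does not hide whose address is in the table, it merely lets you run the check without handing a plaintext address to the lookup service.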
So why did they do it?
Gnosis, according to the TNW interview, is an invite-only hacking and coding club consisting of "13 members, with three 'others'". The group seems unconcerned about retaliation from authorities, insisting that the attack will just force Gawker to be more open and humble.
The group frequents the popular image board site 4chan, which Mr. Denton publicly taunted over the summer. And their Twitter posts and interviews reveal that at least some of their members support Wikileaks.
Yet Gnosis is not 4chan or "Anonymous" -- the greater pool of 4chan hackers. The group has made a great effort to emphasize that point. Likewise, they do not appear to have any affiliation with Wikileaks, other than that they are admirers. They reportedly have no affiliation with the recent attacks on banks that opposed Wikileaks; those attacks were reportedly the work of Anonymous.
As to why they did the attack, aside from "helping" Gawker realize that its security was weak, they say that they were inspired by Mr. Denton's arrogance, which he displayed towards the tech-savvy 4Chan community.
In the TNW interview, the group comments, "We read about [Mr. Denton's insulting comments towards 4Chan] as they happened and thought nothing of them but a member brought it up and we decided to see if we could get inside Gawker but the large gap was because we didn't really care at the time. But after a quick pentest we discovered how truly arrogant they were, which makes more sense if you know the levels of security within Gawker."
The group has ruled out conducting another attack of similar scope in the near future, but did mention that they have several "projects" they are working on. States the group, "Well, we have a few pokers in the fire, but nothing we can discuss. We will however re-visit Gawker sometime in the future and see if they have improved their security and fixed the numerous holes. I hope they will, they mentioned they were hiring IT experts, whatever that means."
In an interview with GeekoSystem, the group [perhaps jokingly] suggests that Mr. Denton hire them for security consultation. Comments a group member, "They made several mistakes which contributed to their compromise - leaving passwords literally lying around, using the same password for multiple accounts and services (A lot were weed related, perhaps they had been smoking a bit too much and forgot some basic security principles? (GANJA framework anyone?!)). Unfortunately, I am afraid that until Gawker Media *do* hire us we cannot report fully on any of our findings. Sorry Nick!"
What Was Learned
Ultimately, if there's one thing this incident reminded the general public of, it's that the web is still very much like the Old West. Those who feel like it's a warm and safe place are underinformed.
If you insult the wrong person in this environment, there's a good chance you will be attacked. If you and your employers were smart, such attacks may fail, leaving hackers with only "undesirable" routes like distributed denial of service. But a lot of it comes down to just how much you anger certain individuals. The angrier some folks get, the more they'll fully leverage the ever-growing toolkit of vulnerabilities.
Is this wrong? Many would argue it is. Exposing users' email addresses could lead to them getting spammed, but exposing their passwords is far more dangerous. While many of the passwords were likely used exclusively on the Gawker network, other users may find multiple accounts across the web compromised.
But at the end of the day right and wrong won't help you out a whole lot. Like in the Old West, the authorities likely aren't going to catch the bands -- not all of them at least. So for the most part you have to fend for yourself.
Use secure passwords. Passwords should be at least 16 characters -- a good way to accomplish this with something memorable is to use a passphrase.
Use separate passwords for business accounts, important private accounts (e.g. your Facebook/Twitter), and extraneous private accounts (e.g. your Gawker or DailyTech login).
If your information is compromised, change all of your affected passwords and inform the pertinent administrators as soon as possible. Multiple password changes may be necessary to truly resecure your account.