Gawker Media, the publisher of LifeHacker, Gizmodo and a couple of other popular blogs, is the latest major victim of a hackers' attack. The CMS was compromised and 1.5 million usernames and passwords have been stolen.
At first the reaction was that this couldn't be true. However, once decrypted username/password pairs surfaced on the Web, denial was no longer possible and Gawker Media admitted that it had become the victim of a hacking attack.
What Has Been Taken from Gawker Media?
Gawker Media isn't the first high-profile victim of a hackers' attack and it won't be the last. The magnitude of the damage isn't the worst in history, but it is still quite significant. It has been reported that nine sites published by Gawker Media were broken into and that the hackers stole the emails, usernames and passwords of around 1.5 million users.
Most of these accounts are commenter accounts, but there were also vital accounts among them, for instance those of Gawker Media owner Nick Denton and other Gawker employees. The passwords were stored in encrypted form, but since many of them were common words or common passwords (like "password" or "qwerty", which were used by more than 2,600 users!), a simple brute-force attack managed to crack them.
Since many users reuse the same password on many sites, one consequence of the decryption was that once the hackers had a user's Gawker credentials, they used them to log into other sites, such as Twitter accounts, and post from there.
Beyond the passwords, the bigger damage is that the content management system and the source code of Gawker Media have also been compromised. Gawker Media runs a proprietary system and certainly never planned to go open source. Code exposure is the most serious blow for them: now anybody can look for vulnerabilities in the code and use them in the future.
The Long Arm of Wikileaks Supporters?
At first, there were some hints that Wikileaks supporters were involved. Later, rumors of 4chan involvement appeared, but finally the Gnosis group surfaced and took responsibility. In an interview with The Next Web, a Gnosis member explains more about the attack and what motivated them to do it. In his (or maybe her?) words, it was a piece of cake to break into Gawker's property because of the low security they had.
Even allowing for some bragging about the ease of penetration, it isn't a surprise that sites with little or no security are easy victims. So, if you don't want to invite hackers to have some fun at your expense, do your homework and secure your site and CMS.
Security, Security, Security
Securing a site and CMS is a never-ending task that involves millions of activities, and even then there is no insurance policy against becoming a hack victim. The best you can do is try to minimize the damage. No matter how good your security is, you can never be sure that your site is hack-proof. But if you neglect basic security practices, the question is not if, but when your site will be hacked.
In the case of Gawker Media, the hackers didn't disclose exactly which vulnerabilities they exploited, but if the majority of users had chosen really strong passwords, then at least the disclosure of private data would have been a lesser problem.
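The two defences this article points at (rejecting common passwords at sign-up, and storing passwords so that a leaked store is not trivially brute-forced) are shown below as an added example; this is illustration code written for this article, not Gawker's CMS code. The denylist, the minimum length, the leet table and the site tokens are constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed denylist for illustration; a real deployment would load a
# large published list of breached passwords instead.
COMMON_PASSWORDS = {"password", "qwerty", "123456", "letmein", "monkey", "welcome"}
MIN_LENGTH = 12  # assumed policy value
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                      "4": "a", "5": "s", "7": "t"})


def normalize(password):
    """Reduce a password to the dictionary word it is built on: lower-case,
    drop the digits/punctuation people append to satisfy naive complexity
    rules, then undo simple leet substitutions ("P@ssw0rd2010!" -> "password")."""
    return password.lower().rstrip("0123456789!?.#*").translate(LEET)


def password_problems(password, site_tokens=()):
    """Return the reasons a chosen password should be rejected at sign-up.

    site_tokens are site names (assumed, e.g. "gizmodo") that users habitually
    embed in passwords and that a dictionary attack would try first.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    norm = normalize(password)
    if password.lower() in COMMON_PASSWORDS or norm in COMMON_PASSWORDS:
        problems.append("common")
    if any(tok.lower() in norm for tok in site_tokens):
        problems.append("site_name")
    return problems


def hash_password(password, iterations=100_000):
    """Store a per-user random salt plus an iterated PBKDF2-HMAC-SHA256 digest,
    so equal passwords get different hashes and every guess costs real CPU."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the digest with the stored salt and iteration count and
    compare in constant time."""
    _alg, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)
```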