
Gawker media taunts Anonymous; gets hacked


Stumpokapow

listen to the mad man
Borman said:
I'm in the database, but don't seem to have my password leaked. Hoping that it stays that way, but based on the fact that I used password reset to access that account last, I'm thinking I should be good as it should be something random. Hopefully.

If your email is in the database, change your password here. Seriously.
 
I've been hit, someone just emailed me to check. I want to see what password I actually used on that account, but I am at work so I can't DL the torrent and pastebin isn't working. What are the alternatives, sorry if already been asked

edit* Fuck it doesn't matter about here, this was my old university email account, not my gmail :)
 

Fjolle

Member
spidye said:
even if I used another mail address here.
and how can I see if my password got leaked
You could check the first post for a guide.
Mecha_Infantry said:
I've been hit, someone just emailed me to check. I want to see what password I actually used on that account, but I am at work so I can't DL the torrent and pastebin isn't working. What are the alternatives, sorry if already been asked
I can send you the line from the db if you send me your email/username.
 

ShinNL

Member
Apparently I'm part of the encrypted list, awesome :lol I didn't know I had one of the rare names as an account (one that is quickly taken). I don't recall the password, so I guess it must've been an old one.

If anyone wants me to check their mail address for you, feel free to PM. Though this sounds a bit fishy, so I'm not sure if I'm helping.
 
I'm sure a lot of those people in that list use the same password for other sites, even e-commerce websites. The danger being thieves could and probably will search through that database on PayPal and Amazon, for example, and find matches.
 
Kinda worried about this. I signed up on kotaku to comment on something like..two years ago. Once. And never used it again. My email address is in that list, but I have no idea what my password on the site is. I can easily reset it, but I'm wondering if I really need to change my other passwords, or if it was just some random password I made up(I tend to do that if I only plan on using the site once or twice). Is it illegal to download this torrent? Considering it, just to see what password I used. But if it's illegal.....
 

Fireblend

Banned
Ajemsuhgao said:
Kinda worried about this. I signed up on kotaku to comment on something like..two years ago. Once. And never used it again. My email address is in that list, but I have no idea what my password on the site is. I can easily reset it, but I'm wondering if I really need to change my other passwords, or if it was just some random password I made up(I tend to do that if I only plan on using the site once or twice). Is it illegal to download this torrent? Considering it, just to see what password I used. But if it's illegal.....
The password is encrypted anyway, so you'd need some way to decrypt it in order to see what password you used.

Just reset your passwords to be sure.
 

Stumpokapow

listen to the mad man
Ajemsuhgao said:
Kinda worried about this. I signed up on kotaku to comment on something like..two years ago. Once. And never used it again. My email address is in that list, but I have no idea what my password on the site is. I can easily reset it, but I'm wondering if I really need to change my other passwords, or if it was just some random password I made up(I tend to do that if I only plan on using the site once or twice).

Change the password associated with the email address so that no one can compromise your email address and use it to reset passwords elsewhere. Change your password on any site where you think you have used the same password as you did on Kotaku. You could have done this in less time than your post took!

Is it illegal to download this torrent? Considering it, just to see what password I used. But if it's illegal.....

Hahah don't worry about downloading the torrent.
 

deadbeef

Member
So, which parts of the torrent are encrypted. Did gawker use MD5 to hash the passwords/e-mail or was that something someone did just for that google spreadsheet?

I guess that explains why simple passwords fail first - must have run some sort of dictionary-based attack on the passwords (not sure how a dictionary attack would work on e-mails though, so that's why i'm confused)
 
deadbeef said:
So, which parts of the torrent are encrypted. Did gawker use MD5 to hash the passwords/e-mail or was that something someone did just for that google spreadsheet?

I guess that explains why simple passwords fail first - must have run some sort of dictionary-based attack on the passwords (not sure how a dictionary attack would work on e-mails though, so that's why i'm confused)

All passwords are encrypted. They (as in hackers) decrypted some 70,000 accounts though to show that they can decrypt and show the vulnerability of Gawker's encryption.
 

ShinNL

Member
It's definitely not just a dictionary attack because one of the compromised passwords was 2+2=5.

I thought it was a pretty good one :lol
 

MIMIC

Banned
I don't think I've ever been to Gawker and if I did, it had to have been several years ago (using an email that I never use now). So far, none of the email addresses (that I remember :lol) have shown up.
 

-x.Red.x-

Member
Soneet said:
It's definitely not just a dictionary attack because one of the compromised passwords was 2+2=5.

I thought it was a pretty good one :lol
:lol :lol

so if i search with my MD5 hash(?) and nothing came up

im good?
 

elseanio

Member
Commented on a Gizmodo article soo long ago!

Can't remember the password I used for the site (tried all my usual, and nothing let me in.)

My account was in the encrypted list, but changed my password for my other accounts anyway
 
MIMIC said:
I don't think I've ever been to Gawker and if I did, it had to have been several years ago (using an email that I never use now). So far, none of the email addresses (that I remember :lol) have shown up.

mimic_57****** is your email address by any chance? If so, your password is cracked.
 

deadbeef

Member
Soneet said:
It's definitely not just a dictionary attack because one of the compromised passwords was 2+2=5.

I thought it was a pretty good one :lol


Haha. Yeah, I imagine the tools are more sophisticated than just a dictionary attack, but I've never looked into them. Surprised they were using MD5. I knew it was weak, but I didn't know the extent of it until I glanced at wikipedia.

The security of the MD5 hash function is severely compromised. A collision attack exists that can find collisions within seconds on a computer with a 2.6Ghz Pentium4 processor*


* - http://www.win.tue.nl/hashclash/On Collisions for MD5 - M.M.J. Stevens.pdf


Pretty irresponsible of gawker to be using MD5 to store password hashes.


This is at least a teachable moment re: managing passwords for yourself.
 

ShinNL

Member
-x.Red.x- said:
:lol :lol

so if i search with my MD5 hash(?) and nothing came up

im good?
Yeah, I think that list is basically the encrypted list with MD5 encrypted e-mail addresses so people can check if they're actually on the list..

Being on the encrypted list doesn't mean too much (still, change password ASAP just in case), but there's a chance you can also be on the parsed or dumb list, which are passwords accessible right away.

Note that this is just a mail check and apparently there are also entries without e-mails (but do have the username & password data). So it's not 100% safe even if you're not on the MD5 checklist.

deadbeef said:
Haha. Yeah, I imagine the tools are more sophisticated than just a dictionary attack, but I've never looked into them. Surprised they were using MD5. I knew it was weak, but I didn't know the extent of it until I glanced at wikipedia.




Pretty irresponsible of gawker to be using MD5 to store password hashes.


This is at least a teachable moment re: managing passwords for yourself.
They're actually using DES. The MD5 encrypted list is just someone who put the list online (so it's basically a double encryption now) so people can check their e-mail addresses.
 
I think MD5 encryption was added to that google page, for privacy's sake. From what I've read: Gawker uses DES for hash, which is still pretty weak and can usually be brute-forced in a few days.
 

Dever

Banned
So Anon supports free speech and net neutrality, but if you criticize them on the internet(or elsewhere), they'll fuck you up.

Although they're nowhere near a homogenous group so ofc they weren't all behind this.
 
Dever said:
So Anon supports free speech and net neutrality, but if you criticize them on the internet(or elsewhere), they'll fuck you up.
As said before, Gawker staff (Nick) confronted 4chan by dissing them and challenging them to come talk to him (while providing his email address). They decided to 1up his diss and get his password. Then, the hackers got their chatlog where they said arrogant stuff while thinking they "won the battle" against 4chan, which led to this.
 
shagg_187 said:
As said before, Gawker staff (Nick) confronted 4chan by dissing them and challenging them to come talk to him (while providing his email address). They decided to 1up his diss and get his password. Then, the hackers got their chatlog where they said arrogant stuff while thinking they "won the battle" against 4chan, which led to this.
It also wasn't 4chan that hacked them. I read they don't even want to be associated with that website.
 

deadbeef

Member
Soneet said:
They're actually using DES. The MD5 encrypted list is just someone who put the list online (so it's basically a double encryption now) so people can check their e-mail addresses.
Oh okay, thank you
 

jufonuk

not tag worthy
i got a hit though my account at kotaku, got stopped and I sign into hotmail with a different password, gonna change my amazon password just in case.

I don't use hotmail for gaf lol, my work e-mail is not on the list phew

my gmail account is on the list??? wtf??? shit better change my lovefilm password just in case..
 
Got the file and yeah my email is there, but I have no idea wtf I used to log in, so hopefully safe. Back then I don't think I was using the password mechanism I use now. And any account/website to do with money I now use my Mobile Me account so no worries there.
 
I don't know who Team Hint is, but this was awful nice of them

Hi there,
Hint wanted to let you know that your email address and password that you used to signup for Gawker (or one of its sites) were hacked. Forbes' coverage is here
In situations like this, time is of the essence, which is why we were surprised & shocked to find that Gawker Media hadn't taken the initiative to notify you of this privacy breach immediately. We HIGHLY recommend you change all of your online passwords as a precaution.
-The Team at Hint
(This is a one time email)

There's no "fake link" in the mail to change passwords or anything, it's a genuine mail warning me, from someone that has nothing to do with Gawker.
 
Metalmurphy said:
I don't know who Team Hint is, but this was awful nice of them

There's no "fake link" in the mail to change passwords or anything, it's a genuine mail warning me, from someone that has nothing to do with Gawker.
Yeah, it looks like companies are capitalizing on this and emailing everyone about this leak, as well as linking to their website. Hint is currently under beta so they most likely need users. 1.3 million active email addresses are too much to ignore.
 

jorma

is now taking requests
shagg_187 said:
Yeah, it looks like companies are capitalizing on this and emailing everyone about this leak, as well as linking to their website. Hint is currently under beta so they most likely need users. 1.3 million active email addresses are too much to ignore.

Isn't that spam and illegal?
 
jorma said:
Isn't that spam and illegal?

If it's warning people about the problem, when Gawker isn't, I think we should let this one slide. Even if they are linking to their website they're doing it as a secondary intention.
 
jorma said:
Isn't that spam and illegal?
Yes and yes. It's "public service" since they are spreading news but they are also linking to their website. They also have a "redirecting link" with unique code, which will show them that the user is indeed active, and that way they can spam the fuck outta them when they feel like it (if they feel like it, of course).
 

Chinner

Banned
oh no, but how will i find out about kotakus new article about how japanese girls are the best because they make a lot of noise during sex?????
 
I think I made an account at Kotaku before I signed up on Gaf, but I can't remember. Changing all my passwords anyway. Just to be, hopefully, safe.
 

Alucrid

Banned
Awww, I'm in there. :|

Luckily I don't use that pw for anything too pressing, just random sites no one else probably goes to..sites pretty much as useless as Gawkers.

I don't like Gawker, but why do people have to fuck over others to get back at the site. I mean, really.
 
So if nothing shows up using the MD5 search I should be good? I mean I'm changing my password for everything anyways, but I remember a different site I signed up for every five minutes so I have to run and change that password too. Have to change everything because I can't remember what my fucking Gawker password was. It's complete gibberish currently so I don't have to worry about this in the future.
 
rainking187 said:
So if nothing shows up using the MD5 search I should be good? I mean I'm changing my password for everything anyways, but I remember a different site I signed up for every five minutes so I have to run and change that password too. Have to change everything because I can't remember what my fucking Gawker password was. It's complete gibberish currently so I don't have to worry about this in the future.
MD5 search is a way of ensuring that email addresses you used show up or not. Note that this is in NO WAY an assurance of whether your "USER ID" is on the list or not unless you have the torrent. It's a simpler/safer route but for more detail, you need to search for username if required.

That said, you DO have a gawker account. PM-ing you the detail. Change passwords regardless! :)
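
The email-only MD5 check described in the posts above, as an added example that is not part of any post in this thread or of the published checklist. The function names and addresses are hypothetical, and it assumes the checklist holds hex MD5 digests of each address exactly as the site stored it.

```python
import hashlib


def md5_hex(text):
    """Hex MD5 of a string, the form the posts say the public checklist uses."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def candidate_forms(address):
    """Spellings worth trying: as typed, trimmed, lower-cased, domain lower-cased."""
    trimmed = address.strip()
    local, sep, domain = trimmed.rpartition("@")
    forms = [address, trimmed, trimmed.lower()]
    if sep:
        forms.append(local + "@" + domain.lower())
    return list(dict.fromkeys(forms))  # de-duplicate, keep order


def check_addresses(addresses, checklist):
    """Map each address to 'listed' or 'not-listed-by-email'.

    A miss is never reported as 'safe': the thread notes that some entries
    carry only a username and password, and a checklist hashed from a
    different spelling of the address cannot be matched from here.
    """
    known = {h.strip().lower() for h in checklist}  # hex case varies by tool
    results = {}
    for addr in addresses:
        hit = any(md5_hex(form) in known for form in candidate_forms(addr))
        results[addr] = "listed" if hit else "not-listed-by-email"
    return results


# Constructed sample checklist (assumption): one digest in upper-case hex,
# one digest of an address that was stored with mixed case.
SAMPLE_CHECKLIST = [
    md5_hex("bob@example.org").upper(),
    md5_hex("Carol@Example.net"),
]

if __name__ == "__main__":
    mine = [" Bob@Example.org ", "carol@example.net",
            "Carol@Example.net", "dave@example.com"]
    for addr, status in check_addresses(mine, SAMPLE_CHECKLIST).items():
        print(repr(addr), status)
```

The second sample address misses only because the stored spelling was mixed-case, which is why a miss warrants a password change anyway.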
 

sprsk

force push the doodoo rock
Eek, I did sign up for that shitty site at some point. The database shows .gmail.com and the md5 for my e-mail address but nothing else.

Either way, passwords be changed.

Why punish the rest of the internet for some beef with a tech tabloid?
 