Gawker media taunts Anonymous; gets hacked

Status
Not open for further replies.

panda21

Member
Alucrid said:
So people possibly having valuable information or their identities stolen is worth showing that an already established shit site is in fact shit?

It's not black and white, there is some positive in it even though it really sucks for those who got hit?
 

Jinfash

needs 2 extra inches
Valkyr Junkie said:
Yes, they would.

They wouldn't have lost any imaginary "e-cred" by saying "We could have decrypted all of the account passwords in the database if we wanted to, but we decided just to do the ones of the Gawker editors since they're the d-bags we have beef with."
You really think Gawker would be as screwed as they are now if the passwords weren't released? Do you honestly think the public reaction would be as severe as it is if the private information of 1+ million users weren't compromised?

It's a rhetorical question, by the way.
 

Dali

Member
radioheadrule83 said:
What were the passwords stored as?

Were they not salted / hashed on the db? Or did they acquire the passwords some other way?


After gaining access to gawkers MySQL database we stumble upon a huge
table containing ~1,500,000 users. After a few days of dumping we
decided that 1.3 million was enough.

Gawker uses a really outdated hashing algorithm known as DES (Data Encryption Standard).
Because DES has a maximum of 8chars using a password like "abcdefgh1234" only the
first 8 characters "abcdefgh" are encrypted and stored in the database. If your
password is longer than 8 characters you only need to enter the first 8 characters
to log in!

From the text file.
 

Alucrid

Banned
Jinfash said:
You really think Gawker would be as screwed as they are now if the passwords weren't released? Do you honestly think the public reaction would be as severe as it is if the private information of 1+ million users weren't compromised?

It's a rhetorical question, by the way.

But do you really think this'll cause the 'downfall' of Gawker? The chatlog showed that they weren't too worried about it. All they're going to do is spruce up security a bit. It's not like they lose their first born or something like that.
 

Futureman

Member
where is this list?

I don't think I ever signed up, but I MAY have a few years ago at Gizmodo. I've changed my password a bunch of times since then, but I want to see if I'm on there.
 
Alucrid said:
But do you really think this'll cause the 'downfall' of Gawker? The chatlog showed that they weren't too worried about it. All they're going to do is spruce up security a bit. It's not like they lose their first born or something like that.

I think the fact that they didn't seem to be worried about a million people getting their accounts hacked is what's going to screw Gawker. Will be deleting my account as soon as it is possible.
 
Jinfash said:
You really think Gawker would be as screwed as they are now if the passwords weren't released? Do you honestly think the public reaction would be as severe as it is if the private information of 1+ million users weren't compromised?

It's a rhetorical question, by the way.

If they had hacked Amazon, yes. But Gawker is a blog network; there's no need to make a political statement or "bring down the man." They would have already accomplished what they needed, which is to make the people that run Gawker look like incompetent tools.
 
Valkyr Junkie said:
If they had hacked Amazon, yes. But Gawker is a blog network; there's no need to make a political statement or "bring down the man." They would have already accomplished what they needed, which is to make the people that run Gawker look like incompetent tools.
wut?
 

Zilch

Banned
rainking187 said:
I think the fact that they didn't seem to be worried about a million people getting their accounts hacked is what's going to screw Gawker. Will be deleting my account as soon as it is possible.

maybe you should go to Gawker's site and look at the posts that have been made in the last couple of hours. Commenters are returning and commenting like nothing happened.
 
Zilch said:
maybe you should go to Gawker's site and look at the posts that have been made in the last couple of hours. Commenters are returning and commenting like nothing happened.

Exactly. It really isn't a big deal.
 

Hugbot

Member
Valkyr Junkie said:
If they had hacked Amazon, yes. But Gawker is a blog network; there's no need to make a political statement or "bring down the man." They would have already accomplished what they needed, which is to make the people that run Gawker look like incompetent tools.
This makes gawker look far worse. There's a lot less spin room for gawker if the passwords have already been released.

Zilch said:
maybe you should go to Gawker's site and look at the posts that have been made in the last couple of hours. Commenters are returning and commenting like nothing happened.
Well, people are idiots. No one with a lick of sense would be going back the day after all this.
 

Jinfash

needs 2 extra inches
samus i am said:
Exactly. It really isn't a big deal.
lol how many are we talking about? I got screwed and I'm not even a frequent commenter. If you really wanna gauge the effects of this, go to Twitter.
 

sangreal

Member
Valkyr Junkie said:
Exactly. They would have accomplished the exact same thing even with leaving out commenter details.
http://www.mediaite.com/online/excl...ains-method-and-reasoning-behind-his-actions/

The database is for the media more than anything. Releasing the source code to a site is all very well and will cause a splash, but only niche users will be interested in viewing it and sharing it, because the average joe won’t really care about Gawkers (rather interesting) PHP framework. However if we release the source with 1,300,000 emails and with a portion of them cracked it will (We hope) cause a bigger stir.
 

bistromathics

facing a bright new dawn
radioheadrule83 said:
What were the passwords stored as?

Were they not salted / hashed on the db? Or did they acquire the passwords some other way?
They were hashed, but not salted.

Crackable passwords are crackable.
 

Zilch

Banned
Hugbot said:
Well, people are idiots. No one with a lick of sense would be going back the day after all this.

If GAF was compromised would you never come here again?

I mean, you can't delete your GAF account. Is that outrageous?
 

Hugbot

Member
Zilch said:
If GAF was compromised would you never come here again?

I mean, you can't delete your GAF account. Is that outrageous?
If GAF's shitty security led to all of those usernames/passwords getting out like this, no, I wouldn't come back the day after. That would be idiotic.
 

Phoenix

Member
rainking187 said:
I think the fact that they didn't seem to be worried about a million people getting their accounts hacked is what's going to screw Gawker. Will be deleting my account as soon as it is possible.


Gawker doesn't even seem that concerned about giving you the functionality to delete the account.
 

Zilch

Banned
Hugbot said:
If GAF's shitty security led to all of those usernames/passwords getting out like this, no, I wouldn't come back the day after. That would be idiotic.

Just FYI, only internet nerds care about what other internet nerds do. The rest of the world shrugs and moves on.
 

Phoenix

Member
Hugbot said:
Well, people are idiots. No one with a lick of sense would be going back the day after all this.

Not really. Most people will simply push new passwords or sign-in with Facebook (a path immune to these sorts of antics). It IS a big deal and the fact that Gawker hasn't really notified people is actually a crime in California and I'm hoping someone takes them to task on that one.
 

Hugbot

Member
Zilch said:
Just FYI, only internet nerds care about what other internet nerds do. The rest of the world shrugs and moves on.
OK? I don't care that people are returning, I just think it's stupid as hell to be continuing to use an obviously compromised site. But that's just the common sense in me talking.
 

Phoenix

Member
Meadows said:
Can anyone link to that website that tells you how long it would take to hack your password?

edit: found it nvm

Until the 'tards at gawker update from DES - that site doesn't help.
 
Hugbot said:
OK? I don't care that people are returning, I just think it's stupid as hell to be continuing to use an obviously compromised site. But that's just the common sense in me talking.

Why not use a different password for each site and a different email for important sites like banks and those that have your CC info?
 
Would someone with the torrent check for my email if I PM it to them? I'm not quite sure what email I used to sign up. Everything seems to be fine so far and I'm changing passwords but I'd like to be sure.
 

Deadly Cyclone

Pride of Iowa State
I still don't get why they would hack them, it's like some macho thing saying you stole passwords and information by hacking when in reality it is just pathetic.
 

Meadows

Banned
Phoenix said:
Until the 'tards at gawker update from DES - that site doesn't help.

no I didn't have my password on that site, I just wanna make my passwords extra secure. seems like we all need to protect ourselves more than ever now in this new data war.
 
cuevas said:
Why not use a different password for each site and a different email for important sites like banks and those that have your CC info?
Best thing to do. Problem can be sites such as GAF that require you don't sign up with a 'freemail' account.
 

Phoenix

Member
cuevas said:
Why not use a different password for each site and a different email for important sites like banks and those that have your CC info?

Because most people visit a lot of sites and don't want to remember a different password for each one. It's so easy to sign up for these things that people don't even remember most of the sites they created accounts on to begin with.
 
Phoenix said:
Because most people visit a lot of sites and don't want to remember a different password for each one. It's so easy to sign up for these things that people don't even remember most of the sites they created accounts on to begin with.

Your browser can remember the passwords to those sites...
 

Jinfash

needs 2 extra inches
cuevas said:
Your browser can remember the passwords to those sites...
Those passwords can also be deleted with a press of a button by anyone using the computer; like a paranoid friend who doesn't know that incognito mode exists, for example.

I've had that happen to me countless times.

The only real way of remembering all your passwords is to either jot them down (lol) or use a third party app like LastPass or 1Password to do this for you. Average Joes usually do neither, unfortunately.
 

Alucrid

Banned
Jinfash said:
Those passwords can also be deleted with a press of a button by anyone using the computer; like a paranoid friend who doesn't know that incognito mode exists, for example.

I've had that happen to me countless times.

The only real way of remembering all your passwords is to either jot them down (lol) or use a third party app like LastPass or 1Password to do this for you. Average Joes usually do neither, unfortunately.

...I eventually remember the password if it's used enough.

I probably have 30+ passwords memorized by now.
 

SimleuqiR

Member
Deadman said:
http://www.slate.com/id/2277768/

Tells you if your email was on the list or not.

Mine was on the list but the pass still encrypted. I changed everything before anyway.
Your password was released, but it's still encrypted. It's still a good idea to change it.

That's a much faster way to find out and it tells you if it is still encrypted. Thanks.
My lifehacker (the only website/blog worth visiting from them) account was not active and I think I used it once. Password was probably something trivial and not worth remembering.
I usually change my passwords every six or so months to my main gmail account and e-commerce sites. But this shows that you can't really rely on any of these blog sites to keep your information safe.
 

Kritz

Banned
I'm wondering if someone with the database could do me a favour? And I realise that the favour sounds kinda sketchy.

There are four results for my (really large) workplace on the google docs database. I'd like to know who those four people are so I can let them know. Not interested in their passwords, just the names.

I guess you should PM me for details. May not respond right away (heading to work now :p).
 
Kritz said:
I'm wondering if someone with the database could do me a favour? And I realise that the favour sounds kinda sketchy.

There are four results for my (really large) workplace on the google docs database. I'd like to know who those four people are so I can let them know. Not interested in their passwords, just the names.

I guess you should PM me for details. May not respond right away (heading to work now :p).

Not sure I understand what you're asking... If you know there are 4 results then you already know who they are, no?
 

Kritz

Banned
Metalmurphy said:
Not sure I understand what you're asking... If you know there are 4 results then you already know who they are, no?

I know that four results came from my work domain.

I don't know the names.

Because the doc doesn't tell you the actual email account. It just tells you the domain.
 

sangreal

Member
Stumpokapow said:
They were hashed but not salted.

I'm pretty sure they used a random 2-letter salt. If they weren't salted, all of the usernames that use 'password' would have an identical hash for the password, which isn't the case. Here is an example of one of the 'password' hashes from the file: XrN/XA.FNTQ9.

crypt() returns the salt as the beginning of the string. Try taking the word 'password' and running it through here: http://www.functions-online.com/crypt.html

Use Xr as the salt, and what do you get? XrN/XA.FNTQ9.
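
An added example, not part of any post in this thread: a defender-side audit helper in Python that recognises traditional DES crypt hashes such as the `XrN/XA.FNTQ9.` string quoted above, splits off the 2-character salt, and shows which bytes of a password the scheme actually keys on (the first 8, as the quoted text file describes). The function names, the sample rows and the UTF-8 encoding choice are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Alphabet traditional crypt(3) uses for both the salt and the digest.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
DES_CRYPT_RE = re.compile(r"[./0-9A-Za-z]{13}")

def parse_des_crypt(stored):
    """Return (salt, digest) if `stored` is shaped like a DES crypt hash, else None."""
    if not DES_CRYPT_RE.fullmatch(stored):
        return None
    # 11 digest characters carry 66 bits for a 64-bit block, so the last
    # character's two low bits are always zero in a genuine hash.
    if ITOA64.index(stored[-1]) & 3:
        return None
    return stored[:2], stored[2:]

def effective_key(password):
    """Bytes DES crypt keys on: first 8 bytes, low 7 bits of each (UTF-8 assumed)."""
    return bytes(b & 0x7F for b in password.encode("utf-8")[:8])

def same_to_des_crypt(a, b):
    """True when two passwords are indistinguishable to DES crypt under one salt."""
    return effective_key(a) == effective_key(b)

def audit(rows):
    """rows: (user, stored_hash) pairs. Returns (users to migrate, users per salt).

    Only 64 * 64 = 4096 salts exist, so in a large table many users share one.
    """
    legacy, by_salt = [], defaultdict(list)
    for user, stored in rows:
        parsed = parse_des_crypt(stored)
        if parsed:
            legacy.append(user)
            by_salt[parsed[0]].append(user)
    return legacy, dict(by_salt)

# Constructed sample rows; only the first hash string appears on this page.
SAMPLE_ROWS = [
    ("alice", "XrN/XA.FNTQ9."),        # hash quoted in the thread
    ("bob", "XrAAAAAAAAAA."),          # constructed placeholder, same salt
    ("carol", "$2b$12$" + "x" * 53),   # constructed bcrypt-shaped placeholder
]

if __name__ == "__main__":
    print(audit(SAMPLE_ROWS))
    print(same_to_des_crypt("abcdefgh1234", "abcdefgh"))
```

Any account that `audit` flags needs its hash replaced at the next successful login, since the stored value cannot distinguish passwords that share their first 8 characters.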
 