FBI Begins Official Probe Into Gawker Hack

The serious hack of Gawker Media’s servers that exposed end user password and email information is now being investigated by the FBI, according to reports.

A group known as ‘Gnosis’ has taken credit for the attack, and put the data it swiped into a file that was initially available via The Pirate Bay.

Rumours of the hack began to circulate 11 December, and Gawker confirmed them with a warning a day later. According to the company, the breach impacted users of several sites, including users of Gizmodo, Gawker and Deadspin. In addition, the attackers made off with usernames and passwords for Gawker’s staff, as well as Gawker’s source code and chat logs of discussions between employees.

Password Overload

The password information was encrypted, but was still vulnerable to being cracked – a fact underscored by the subsequent compromise of Twitter accounts belonging to some users. Many of those passwords were simplistic – an analysis by Duo Security found the most common passwords were “123456” and “password.”

There are so many websites that ask users to create a password that it is impossible to keep track of them all, said Richard Stiennon, chief research analyst at IT-Harvest. People treat many of these sites as inconsequential, and therefore don’t bother to create strong passwords they will immediately forget, he added, something that is fine for a media site like Gawker, but more problematic for things like email or Facebook accounts.

User Advice

“(The) number one best practice is never use a word that can be found in the dictionary,” he said. “A simple way to create a hard to guess password is to use the first letter of each word in a phrase. ‘When IT Rains it Pours’ becomes WIRIP. Add a number to make it eight characters long – WIRIP421. Change the ‘I’ to ‘!’ and you have a pretty strong password you can remember: W!R!P421. Do that for sites you pay for and ones that are important to you.”

In a ‘Frequently Asked Questions’ posted in response to the incident, Gawker advised users to reset their passwords. In addition, the company said it is bringing in an independent security firm to improve its infrastructure security.

Brian Prince eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved
