Analysis of the Gawker compromise

As most of you probably know, Gawker Media's servers were compromised, resulting in a security breach at Lifehacker, Gizmodo, Gawker, Jezebel, io9, Jalopnik, Kotaku, Deadspin, and Fleshbot. This means that if you have ever had an account on any of those sites, it was compromised.

It also means that if you re-use passwords, your accounts at other sites (Gmail, Twitter, Hotmail, etc.) could be compromised as well.

So, if you have an account on any of those sites, change your password ASAP, not only at the Gawker sites, but everywhere you used the same password!


Analysis of the attack

We don’t know exactly how the attackers got access to the site, but they were “kind” enough to post a readme telling their side of the story. You can read it here: http://sucuri.net/mirror/gawker-readme.txt

It seems it all started with one account being stolen, followed by the same password being re-used on other resources (email, Basecamp, etc.), followed by critical information being found in emails, followed by a mass compromise. You get the picture!

It teaches us a few lessons:

  1. Do not re-use your passwords: one stolen credential should not unlock your email, your project management tools and your servers at the same time.
  2. Access control: restrict access to sensitive resources by IP address, so that a stolen password alone is not enough to get in.
  3. The importance of log analysis: if they had been looking at their logs, they would have detected the compromise a lot earlier.
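Lessons 2 and 3 are easy to state and rarely done. As an added example (not code from the original post and not anything known about Gawker's setup), the following script combines both: an IP allowlist for privileged logins and a pass over authentication logs to flag logins that either come from outside the allowlist or succeed right after a run of failures. The log format, the allowlisted networks and the log lines themselves are constructed for this example.

```python
import ipaddress
from collections import defaultdict

# Hypothetical allowlist: networks from which privileged logins are expected.
# These ranges are assumptions for the example, not real infrastructure.
ADMIN_ALLOWLIST = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.10/32"),
]

# Constructed sample log lines (not real data): "timestamp user ip outcome".
SAMPLE_LOG = """\
2010-12-01T09:12:01 editor1 203.0.113.25 success
2010-12-01T09:15:44 editor2 203.0.113.40 success
2010-12-02T02:03:10 editor1 192.0.2.77 failure
2010-12-02T02:03:31 editor1 192.0.2.77 failure
2010-12-02T02:04:02 editor1 192.0.2.77 success
2010-12-02T02:10:55 admin 192.0.2.77 success
"""


def ip_allowed(ip, allowlist=ADMIN_ALLOWLIST):
    """True if the address falls inside one of the allowlisted networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in allowlist)


def parse_log(text):
    """Parse the assumed 'timestamp user ip outcome' format into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, outcome = line.split()
        events.append({"ts": ts, "user": user, "ip": ip, "outcome": outcome})
    return events


def find_suspicious_logins(events, allowlist=ADMIN_ALLOWLIST):
    """Return (timestamp, user, ip, reason) for successful logins that come
    from outside the allowlist or that follow failed attempts from the same
    IP for the same user (the pattern a reused or guessed password leaves)."""
    alerts = []
    failures = defaultdict(int)  # (user, ip) -> consecutive failures seen
    for ev in events:
        key = (ev["user"], ev["ip"])
        if ev["outcome"] == "failure":
            failures[key] += 1
            continue
        reasons = []
        if not ip_allowed(ev["ip"], allowlist):
            reasons.append("login from non-allowlisted IP")
        if failures[key] > 0:
            reasons.append(f"success after {failures[key]} failures")
        if reasons:
            alerts.append((ev["ts"], ev["user"], ev["ip"], "; ".join(reasons)))
        failures[key] = 0  # a success resets the counter for this pair
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_logins(parse_log(SAMPLE_LOG)):
        print(*alert)
```

Run against the sample, the two logins from 192.0.2.77 are flagged: the editor1 login because it comes from outside the allowlist after two failures, and the admin login because of the source address alone. In production the allowlist check belongs in front of the application (web server or firewall rules) rather than after the fact; the log pass is what catches whatever the allowlist does not cover.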


Analysis of the compromised accounts

In total, more than 1 million accounts were compromised, and 541,501 email addresses were exposed. Broken down by email service, Gmail is the big winner with more than 150k addresses, followed by Yahoo (100k), Hotmail (70k) and AOL (20k).

There were also quite a few accounts from .gov and .mil domains (army.mil is the winner with 109, followed by navy.mil and nasa.gov).


Edit: At the time of this post, we published a list of the compromised email addresses so that readers could easily check whether they had been affected. Due to the risk of those email addresses being used for other malicious purposes, we removed them from the post.

Another thing I found interesting is that many accounts shared the same email address. I don’t know whether these were fake accounts or what they were used for.

For example, tips@gawker.com was the email address for the following accounts: Gawker Jessica Jessica2 mgross kewalters jesseo jps eurotrash braftery ablagg gawktern gawkcolumnist gdelahaye pevans sintern egould dshafrir aholmes mtkacik aswerdloff jliu lneyfakh jgerson Robespierre Erica MarkDuffy Copyranter Rod Townsend Tionna Elizabeth Currid K. Kat WorthingtonMonet.

Maybe used internally or to help generate buzz in the comments?

The account chestshirecat@yahoo.com had 20+ accounts: hom3land CallaTexodus TeresaHog OrielParis NoelleHammer SushantiTabalisha AddisonColgate AnnataFlubwib ShrimatiMabel QabilEspish RuthPhoenix LeslieNephele NanGebrony ZanipoloWolf WalterLibo AlvinaMabawza VeasnaAlcyone WilliamAtellus MelanieArvina OdetteHizer MarcusVibius SuryaCosta LarinaHaermm.

In this case, it looks like a spammer…
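The three counts above (addresses per webmail provider, .gov/.mil addresses, and several accounts sharing one address) are the first things to pull out of any credential dump. As an added example, not code from the original post, here is a small script that does that over a constructed "username,email" sample; the records, the example-news.com and spamaccount@yahoo.com addresses, and the provider list are all made up for the example and are not from the Gawker data.

```python
from collections import Counter, defaultdict

# Constructed sample records (not real data from the dump): "username,email".
SAMPLE_DUMP = """\
jessica,tips@example-news.com
jessica2,tips@example-news.com
mgross,tips@example-news.com
alice,alice@gmail.com
bob,bob@yahoo.com
carol,carol@hotmail.com
dave,dave@aol.com
erin,erin@mail.mil
frank,frank@nasa.gov
grace,grace@example.org
hom3land,spamaccount@yahoo.com
callatexodus,spamaccount@yahoo.com
teresahog,SpamAccount@yahoo.com
"""

# Webmail providers to tally, as in the breakdown above.
WEBMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "aol.com"}


def parse_dump(text):
    """Parse 'username,email' lines; emails are lower-cased so that
    differently-cased copies of one address are counted together."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, email = line.split(",", 1)
        records.append((user.strip(), email.strip().lower()))
    return records


def domain_of(email):
    return email.rsplit("@", 1)[-1]


def count_by_provider(records, providers=WEBMAIL):
    """Number of exposed addresses at each webmail provider."""
    return Counter(domain_of(e) for _, e in records if domain_of(e) in providers)


def sensitive_domains(records, suffixes=(".gov", ".mil")):
    """Addresses under government or military domains, counted per domain."""
    return Counter(domain_of(e) for _, e in records if domain_of(e).endswith(suffixes))


def shared_emails(records, min_accounts=2):
    """Map each email address used by min_accounts or more usernames to
    those usernames; this is what surfaces the internal and spammer accounts."""
    by_email = defaultdict(list)
    for user, email in records:
        by_email[email].append(user)
    return {e: users for e, users in by_email.items() if len(users) >= min_accounts}


if __name__ == "__main__":
    recs = parse_dump(SAMPLE_DUMP)
    print("by provider:", dict(count_by_provider(recs)))
    print("gov/mil:", dict(sensitive_domains(recs)))
    for email, users in shared_emails(recs).items():
        print(f"{email}: {len(users)} accounts -> {' '.join(users)}")
```

Lower-casing the address before grouping matters: a dump often carries the same address in several spellings, and case-sensitive grouping would split one spammer's accounts into several apparently unrelated ones.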

Conclusion

Yes, this breach is serious. Again, remember to change your passwords ASAP. In the next post we will analyse the passwords that were used, but we are waiting to give people time to change their passwords and take action.

About David Dede

Sucuri Security bot (crazy work) - Malware research updates, sucuri news and more.