In the second half of 2010, Gawker, a blog network based in New York City, posted several articles criticising well-known online groups associated with hacking, including 4chan and Anonymous.
They became embroiled in a mud-slinging battle with the hackers, at one point even goading the hackers to come and get them, home addresses included. Finally, on 13 December 2010, a group known as Gnosis hacked into Gawker’s servers, downloaded their database (containing 1.3 million user records), cracked over 200,000 of the password hashes, and then made everything publicly available.
Gnosis claimed to have acted due to the arrogance of Gawker towards hacking groups, but this was not Gawker’s only flaw. Gawker used outdated software, an obsolete password-hashing routine (the DES-based crypt(3), which looks at only the first eight characters of a password and whose underlying cipher had been publicly broken by brute force in January 1999), and their database was public facing. It turned out that their arrogance was not deserved.
After the attack, they were forced to post an embarrassing confession to their users, urging them to change their passwords immediately. Understandably, the websites run by Gawker suffered falling user numbers. Many users, myself included, not only had to change their password on Gawker, but on every other website where they had used the same password.
For me, this included Amazon, eBay, my bank, PayPal, Google, Facebook, and many others. I never realised how much of my life is lived through the internet now, and how vulnerable I would feel when this was potentially compromised by others.
Admittedly, this was partly my fault. My password was simple, but it wasn’t the worst: over 3000 of the users whose passwords were cracked had used ‘123456’. My main fault was that I had used the same password on multiple websites, putting all of my eggs in one basket.
So what should I have done? The simplest suggestion is to use a different password on every website that you register with, but considering that the average internet user has 25 different online accounts (and I have many more than this), remembering a strong, unique password for each one is just not practical from memory alone.
The best suggestion that I’ve heard is to use a secure base password and then append a couple of characters to the end that relate to the website you’re on. For example, suppose your base password is ‘sh3dC4stle’ and you choose to use the second and penultimate letters of the website name on the end of the password; then your password for Amazon would be ‘sh3dC4stlemo’. The weakness of any such rule is that it is a rule: an attacker who obtains two of your passwords from two separate breaches can see the common stem and guess the derivation, and a site that still hashes passwords with DES crypt(3), as Gawker did, only ever looks at the first eight characters, so the site-specific suffix never even reaches the hash. A password manager that generates and stores a random password for every site avoids both problems, at the cost of having to protect one master password.
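To make the rule concrete, and to show the two caveats above in code, here is an added example (mine, not part of the original post). It applies the second-and-penultimate-letter rule to a site name, then looks at the result from the attacker’s side: the common stem that two leaked passwords reveal, and the eight-character view that a DES crypt(3) hash sees. The URL normalisation in `site_key` (strip the scheme, ‘www.’ and everything after the first dot) is my assumption about how the rule would be applied to a full address; the post only gives the bare site name.

```python
import re

# The base password from the post, used here as sample input.
BASE_PASSWORD = "sh3dC4stle"


def site_key(site: str) -> str:
    """Reduce a site name or URL to the bare name the rule is applied to.

    Assumption (not from the post): lower-case it, strip any scheme and a
    leading 'www.', and keep only the first DNS label, so
    'https://www.amazon.co.uk' and 'Amazon' both become 'amazon'.
    """
    name = re.sub(r"^[a-z][a-z0-9+.-]*://", "", site.strip().lower())
    name = re.sub(r"^www\.", "", name)
    return name.split(".")[0]


def site_password(base: str, site: str) -> str:
    """Apply the post's rule: base password + second letter + penultimate letter."""
    name = site_key(site)
    if len(name) < 2:
        # A one-letter name has no 'second' letter; refuse rather than guess.
        raise ValueError(f"site name {name!r} is too short for this rule")
    return base + name[1] + name[-2]


def common_stem(passwords) -> str:
    """Longest common prefix of a set of passwords.

    This is what an attacker learns after two breaches of a rule-derived
    scheme: the shared stem is the base password, and the leftover characters
    are short enough that the derivation rule is easy to guess.
    """
    pws = list(passwords)
    if not pws:
        return ""
    stem = []
    for chars in zip(*pws):
        if len(set(chars)) != 1:
            break
        stem.append(chars[0])
    return "".join(stem)


def des_crypt_view(password: str) -> str:
    """The part of a password that traditional DES crypt(3) actually hashes.

    Anything beyond the eighth character is silently ignored, so two passwords
    that share their first eight characters produce the same hash.
    """
    return password[:8]


if __name__ == "__main__":
    # Constructed sample: the same rule applied to three sites.
    leaked = {s: site_password(BASE_PASSWORD, s) for s in ("Amazon", "ebay.com", "paypal.com")}
    for site, pw in leaked.items():
        print(f"{site:12s} {pw}   (DES crypt sees {des_crypt_view(pw)!r})")
    print("stem recoverable from the leaks:", common_stem(leaked.values()))
```

Running it shows every site password reducing to the same eight characters under DES crypt, and the full base password falling out of `common_stem` as soon as two of them are known.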
When we submit our information to a website, we are putting our trust in that website to hold this information securely. For this reason, website developers should treat user data as if it were their own (often it is).
They should keep up with current security practice and actually apply it: store passwords only as salted, deliberately slow hashes rather than with a routine that was broken before most of their users had an account, serve logins over an encrypted connection, and keep the database off the public internet. Also, they shouldn’t needlessly risk the security of the data, either when it is stored or when it is in transit. Gawker was guilty of neglecting these simple rules, by using outdated software and by inviting attack. Let us hope that their experience has convinced other developers to raise the drawbridge.
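As an added example of the storage point (my code, not Gawker’s and not from the original post), here is a weak password store beside a corrected one. The weak version is a simplified model of a crypt(3)-era scheme, unsalted, fast and truncated to eight characters, chosen to reproduce the flaw described above rather than to mirror any particular site’s code. The corrected version uses salted, iterated PBKDF2-HMAC-SHA256 from the standard library and a constant-time comparison; bcrypt, scrypt or Argon2 would serve the same purpose where they are available.

```python
import hashlib
import hmac
import os

# --- What not to do --------------------------------------------------------
# Assumption: a deliberately simplified stand-in for a legacy scheme. It has the
# three defects that matter here: no salt (identical passwords give identical
# hashes, so one cracked hash cracks every account using that password), a fast
# hash (cheap to brute-force), and truncation to eight characters.
def legacy_hash(password: str) -> str:
    return hashlib.md5(password[:8].encode("utf-8")).hexdigest()


def legacy_verify(password: str, stored: str) -> bool:
    return legacy_hash(password) == stored


# --- The corrected scheme ---------------------------------------------------
ITERATIONS = 200_000  # tune upwards as hardware gets faster
ALGO = "pbkdf2_sha256"


def hash_password(password: str, salt: bytes = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest.

    A fresh 16-byte random salt is generated per user unless one is supplied
    (the parameter exists so tests can be deterministic; production callers
    should leave it as None).
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGO}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and iteration count and compare
    in constant time, so a wrong guess does not leak how many bytes matched."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != ALGO:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # Constructed sample: a user who followed the suffix rule, and an attacker
    # trying the same base password with a different suffix.
    real, guess = "sh3dC4stlemo", "sh3dC4stleba"
    print("legacy accepts the wrong suffix:", legacy_verify(guess, legacy_hash(real)))
    record = hash_password(real)
    print("pbkdf2 accepts the wrong suffix:", verify_password(guess, record))
    print("two users, same password, different records:",
          hash_password(real) != hash_password(real))
```

The stored record carries its own parameters, so the iteration count can be raised later and old records re-hashed on the user’s next successful login without a flag day.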