Gawker breach prompts LinkedIn, Yahoo password resets
The recent theft of approximately 1.3 million account details from the servers of online media company Gawker has prompted password resets at a number of popular websites, including Yahoo, LinkedIn and Blizzard Entertainment's World of Warcraft.
Social media site LinkedIn said it has identified a “very small fraction” of its members whose accounts could potentially be affected by the breach.
“As we closely monitored the situation, we decided it was imperative to take pre-emptive action to help ensure that those leaked passwords were not being used to attack any LinkedIn members,” Vicente Silveira, principal product manager at LinkedIn, wrote in a blog post Tuesday.
Gawker disclosed on Sunday that hackers had compromised its servers and stolen the email addresses and passwords of readers of its properties, including Lifehacker, Gizmodo, Gawker, Jezebel, io9, Jalopnik, Kotaku, Deadspin and Fleshbot. The stolen passwords were posted on The Pirate Bay, a Sweden-based website that indexes BitTorrent files, allowing others to compromise user accounts.
A hacking group, Gnosis, has taken responsibility for the intrusion, the company said.
As a result of the breach, Twitter has also reset affected users' passwords, but not before hundreds of thousands of Twitter accounts were compromised to spread bogus tweets promoting the so-called Acai berry diet. The fake messages were posted from the Twitter accounts of individuals who used the same password for both Gawker and Twitter.
Like LinkedIn, several other companies decided to reset users' passwords as a result of the breach, including Blizzard Entertainment, maker of the popular online game World of Warcraft, and search giant Yahoo.
“To help minimize the effects of this compromise – namely for players who might be using the same login information for their Gawker Media accounts and their Battle.net [World of Warcraft] accounts – we issued password-reset emails for several accounts,” Blizzard Entertainment wrote in a security alert on its website Wednesday.
Meanwhile, an analysis of the breached data by researchers at two-factor authentication provider Duo Security has revealed that easy-to-guess passwords are still favored among users. The most common password among Gawker users was “123456,” followed by “password” and “12345678.” Rounding out the top five most common passwords were “qwerty,” the first six letters on the top row of a standard keyboard, and then “abc123.”
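Two checks follow naturally from the Duo Security finding: ranking a password corpus by frequency, as the researchers did, and refusing the predictable choices at registration. The script below is an added example, not code from the article or from Duo Security; the password sample is constructed, the five denylist seeds are the ones the article reports, and the 8-character minimum and 4-key keyboard-walk threshold are assumptions.

```python
"""Weak-password screening in the spirit of the Duo Security analysis.

Added example (not from the article or from Duo Security). SAMPLE is a
constructed corpus; GAWKER_TOP5 lists the five passwords the article reports.
"""
import re
from collections import Counter

# Top five from the article's Duo Security analysis, used as a denylist seed.
GAWKER_TOP5 = ["123456", "password", "12345678", "qwerty", "abc123"]

# US keyboard rows plus the digit run; walks along these are predictable.
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]

# Assumptions: the article states no policy; these are illustrative thresholds.
MIN_LENGTH = 8
WALK_RUN = 4


def top_n(passwords, n=5):
    """Rank plaintext passwords by frequency, as a breach-data analysis would."""
    return [pw for pw, _ in Counter(passwords).most_common(n)]


def _has_keyboard_walk(pw, run=WALK_RUN):
    """True if pw contains `run` adjacent keys from one row, in either direction."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - run + 1):
                if seq[i:i + run] in low:
                    return True
    return False


def is_weak(pw, denylist=frozenset(GAWKER_TOP5)):
    """Return a reason string if the password should be refused, else None."""
    # Strip trailing digits so "Password99" is still caught by the denylist.
    core = re.sub(r"\d+$", "", pw.lower())
    if pw.lower() in denylist or (core and core in denylist):
        return "on denylist"
    if len(pw) < MIN_LENGTH:
        return "too short"
    if len(set(pw.lower())) <= 2:
        return "too few distinct characters"
    if _has_keyboard_walk(pw):
        return "keyboard walk"
    return None


# Constructed sample skewed like a breach corpus (not real Gawker data).
SAMPLE = (["123456"] * 6 + ["password"] * 5 + ["12345678"] * 4
          + ["qwerty"] * 3 + ["abc123"] * 2
          + ["Tr0ub4dor&3", "correct horse battery staple"])

if __name__ == "__main__":
    print("most common:", top_n(SAMPLE))
    for pw in ["123456", "Password99", "short", "xxxxxxxxx",
               "zxcvbn2010", "correct horse battery staple"]:
        print(f"{pw!r}: {is_weak(pw) or 'ok'}")
```

The denylist here is only a seed; in practice it would be populated from a large breach-derived list, and the keyboard-walk check is what catches the "qwerty"-style entries that a plain list misses once users append a year.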
Gawker committed several security failures that led to the breach, one of which was the use of an antiquated encryption algorithm to protect users' passwords, Seth Hanford, operations team lead for Cisco's IntelliShield vulnerability and threat analysis team, wrote in a blog post Wednesday. The online media company was using the Data Encryption Standard (DES), an encryption algorithm that was broken in the 1990s.
Researchers at Duo Security used a password hash cracking tool called “John the Ripper” to easily brute-force the password hashes posted online by the Gawker hackers. “DES encryption of user passwords is very poor practice in 2010,” Hanford wrote.
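The two defensive lessons in this article, the pre-emptive resets LinkedIn, Twitter and Blizzard issued for members who reused their Gawker password, and Hanford's point that DES-based password protection is obsolete, come together in the script below. It is an added example, not code from the article, LinkedIn, Blizzard, Cisco or Duo Security. It classifies stored password verifiers by format (the 13-character traditional crypt(3) DES form versus salted, iterated schemes), keeps the site's own accounts under an assumed PBKDF2-SHA256 scheme, and decides which members named in a third-party leak must be reset: those whose leaked password still verifies against their current hash, and those whose hash is in a legacy format that cannot be trusted. The user table, the leaked list, the 13-character legacy value and the iteration count are all constructed for illustration.

```python
"""Breach-response checks for a site whose members may have reused
credentials leaked elsewhere, plus an audit of the hash scheme in use.

Added example, not code from the article or any company it names.
USERS, LEAKED and the iteration count are constructed for illustration.
"""
import base64
import hashlib
import hmac
import os
import re

# Traditional crypt(3) DES output: 2-char salt + 11 chars from this alphabet.
DES_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
# Modular-crypt prefixes of salted, iterated schemes we accept.
MODERN_PREFIXES = ("$2a$", "$2b$", "$2y$", "$5$", "$6$", "$pbkdf2-sha256$")

ITERATIONS = 100_000  # assumption; tune to the site's CPU budget


def classify_hash(stored):
    """Label a stored verifier by format: 'des-crypt', 'modern' or 'unknown'."""
    if DES_CRYPT_RE.match(stored):
        return "des-crypt"
    if stored.startswith(MODERN_PREFIXES):
        return "modern"
    return "unknown"


def audit_hash_schemes(users):
    """Count verifiers per scheme so legacy formats can be scheduled for rehash."""
    counts = {}
    for stored in users.values():
        kind = classify_hash(stored)
        counts[kind] = counts.get(kind, 0) + 1
    return counts


def hash_password(password, salt=None):
    """Our assumed scheme: $pbkdf2-sha256$<iters>$<b64 salt>$<b64 key>."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "$pbkdf2-sha256$%d$%s$%s" % (
        ITERATIONS, base64.b64encode(salt).decode(), base64.b64encode(dk).decode())


def verify_password(password, stored):
    """Constant-time check of a password against a $pbkdf2-sha256$ verifier."""
    parts = stored.split("$")
    if len(parts) != 5 or parts[1] != "pbkdf2-sha256":
        return False
    _, _, iters, salt_b64, dk_b64 = parts
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             base64.b64decode(salt_b64), int(iters))
    return hmac.compare_digest(dk, base64.b64decode(dk_b64))


def accounts_to_reset(users, leaked):
    """Map email -> reason for every member who needs a forced reset.

    users:  {email: stored verifier}   our member database
    leaked: {email: plaintext}         credentials recovered from the dump
    A member in the leak is reset if their hash is in a legacy format we
    cannot trust, or if the leaked password verifies against their hash
    (i.e. they reused it, exactly the case the Twitter incident shows).
    """
    reasons = {}
    for email, pw in leaked.items():
        key = email.lower()
        stored = users.get(key)
        if stored is None:
            continue  # not a member here; nothing to reset
        kind = classify_hash(stored)
        if kind != "modern":
            reasons[key] = f"legacy {kind} hash"
        elif verify_password(pw, stored):
            reasons[key] = "password reused from breached site"
    return reasons


# Constructed data: fixed salts keep the sample deterministic; the 13-character
# value for carol is a made-up string in DES-crypt format, not a real hash.
USERS = {
    "alice@example.com": hash_password("correct horse battery staple", b"A" * 16),
    "bob@example.com": hash_password("123456", b"B" * 16),
    "carol@example.com": "ab8uQ3vN.Kd9R",
}
LEAKED = {
    "alice@example.com": "hunter2",
    "bob@example.com": "123456",
    "carol@example.com": "qwerty",
    "dave@example.com": "password",
}

if __name__ == "__main__":
    print("scheme audit:", audit_hash_schemes(USERS))
    for email, why in accounts_to_reset(USERS, LEAKED).items():
        print(f"reset {email}: {why}")
```

Alice appears in the leak but keeps her password because the leaked one does not verify; Bob is reset because his reused "123456" does; Carol is reset because a DES-crypt verifier cannot be relied on either way and should be replaced on her next login. The audit function is the piece a site in Gawker's position would run first: if it reports any "des-crypt" entries, rehashing under a modern scheme belongs ahead of any other remediation.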