Why Gawker's Security Breach Is So Bad
The cyber attack released the data of 1.3 million users and the company's valuable source code -- and it comes amid other news of cyber attacks
A group of hackers has infiltrated Nick Denton's Gawker Media empire in what some are calling the most damaging cyber security breach of a media company to date. The usernames, emails and passwords of up to 1.3 million registered users were published to the web over the weekend. The blogs under the Gawker Media umbrella include Gizmodo, Deadspin, Kotaku, Jezebel, io9, Jalopnik, Lifehacker and Fleshbot. A group named "Gnosis" is taking responsibility for the attack, telling Mediaite: "We went after Gawker because of their outright arrogance." Many suspect this is in reference to the cyber attacks waged against Gawker in July, in which Gawker taunted hackers at 4Chan.org and flaunted its ability to withstand DDoS attacks.
The hacker group also sent a message to Gawker:
Your empire has been compromised. Your servers, your databases, online accounts and source code have all been ripped to shreds! You wanted attention, well guess what, you've got it now!
In a post published yesterday to readers, the Gawker staff wrote: "We're deeply embarrassed by this breach. We should not be in the position of relying on the goodwill of the hackers who identified the weakness in our systems." Here's what other bloggers are saying about the attack and why it's so devastating for Gawker:
- People Must Change Their Passwords Immediately, writes Melissa Bell at The Washington Post:
All registered users of the sites need to change their passwords, as the hackers leaked the user name and passwords Sunday. If people use the same user name and password combination for other sites, including online banking sites, it could severely compromise their Internet security. To illustrate that danger, Urlesque editor Nick Douglas broke into Nick Denton's Flickr account and added a friendly reminder that Denton, the CEO of Gawker Media, should change his password.
- This Could Really Damage People's Reputations, writes Felix Salmon at Reuters:
The passwords are the least damaging thing here... Gawker's commenters were operating under the understanding that they were anonymous; now, at least 188,000 of them, and probably more in coming days, can be associated with an email address... Many [of those e-mail addresses] can easily be traced to an individual. I can imagine more than a few commenters on Gawker and Wonkette and Fleshbot who would be mortified or possibly even fired if their identities became public. And already a list of .gov email/password combinations is being passed around to see whether those same passwords will unlock state secrets elsewhere.
- This Is Bad for Gawker's Business, writes Business Insider. The biggest part "might be the leaking of Gawker's source code. (Source code is the computer code used to write programs.)" Why?
A big part of Gawker's success that doesn't often get mentioned is its powerful content management system (CMS), the type of software that media sites like Gawker (and Business Insider) use to publish articles. Gawker's CMS is reportedly state of the art, and the product of many iterations and learnings. With an advanced CMS, a media site can tell which articles are taking off and highlight them to viewers, maximizing pageviews and traffic to the site, which means more engaged viewers and higher ad revenue... With that source code leaked, unscrupulous competitors can copy many of Gawker's techniques. Its CMS is a big part of its "secret sauce."
- Gawker Shouldn't Have Egged on Hackers. "Claiming publicly that something is unhackable is usually a good way to find out that it is," writes Daniel Kennedy at Forbes. "Making unnecessary statements of bravado, statements potentially divorced from reality, changes the equation for an attacker; it suddenly makes compromising your environment worth more of his or her time. Put another way, thumbing your nose at an entire world's population of crackers is usually a lousy idea."
- Gawker Responded Terribly, writes Business Insider. "When they became aware of the breach they didn't tell anyone until other media outlets had reported on it, even though it meant more time for hackers to compromise accounts of unsuspecting commenters." In addition, "they haven't emailed all commenters whose accounts have been compromised to tell them to change their passwords, letting unrelated startup Hint do it. And even though they've technically apologized for the whole thing, the apology doesn't sound very, well, apologetic."
- Batten Down the Electronic Hatches, Folks, writes Larry Dignan at ZDNet:
When you put the Gawker hack in context of recent events -- notably the targeting of sites like Visa, Mastercard and PayPal over the Wikileaks flap -- the picture gets ugly in a hurry... If a site -- media, government, e-commerce or otherwise -- is on the end of a cause you disagree with, a denial-of-service attack (or any other attack) cannot be ruled out. At this rate, every site is going to be attacked. Gawker serves as a cautionary tale to button up your security procedures pronto. This hack-to-make-a-point approach is likely to pick up steam.