Gossip website Gawker experienced a massive breach, exposing the usernames and passwords of 1.3 million accounts.
The attack was carried out by a group called Gnosis, who posted the following statement in a Torrent file:
"[Fu**] you Gawker, how’s this for ‘script kids’? Your empire has been compromised. Your servers, your databases, online accounts, and source code have all [been] ripped to shreds! You wanted attention; well guess what, you’ve got it now!"
The breach has also reportedly exposed the Twitter accounts of Gawker users who used their Twitter credentials to access the site.
Gawker has apologized to users for the lapse in security, and urged all account holders to change their login credentials immediately.
“The passwords were encrypted. But simple ones may be vulnerable to a brute-force attack. We're deeply embarrassed by this breach. We should not be in the position of relying on the goodwill of the hackers who identified the weakness in our systems. And, yes, the irony is not lost on us.”
Gawker said the login credentials were encrypted, but security experts believe simple passwords could be recovered by a brute-force attack, because the DES-based password hashing scheme Gawker used only takes the first eight characters of a password into account: anything typed beyond that has no effect on the stored hash.
Gnosis published an analysis of the weakness:
“Gawker uses a really outdated hashing algorithm known as DES (Data Encryption Standard). Because DES has a maximum of [eight characters] using a password like "abcdefgh1234" only the first [eight] characters "abcdefgh" are encrypted and stored in the database. If your password is longer than [eight] characters you only need to enter the first 8 characters to log in..."
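The truncation Gnosis describes is the well-known property of traditional DES-based crypt(3), which builds a 56-bit DES key from the first eight characters of the password and discards the rest. The following is an added example, not code from the article or from Gawker, of how a defender would audit a credential store for that legacy format and plan a migration: it classifies stored hashes by their shape, reports how many characters of a given password each scheme actually uses, and rehashes with a scheme that consumes the whole password. The hash strings in SAMPLE_RECORDS are constructed to illustrate each format's shape and are not taken from any real dump; the function names and the PBKDF2 parameters are this example's own choices.

```python
import hashlib
import re
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed sample of stored (user, hash) records. Each hash is a made-up
# illustration of its format's shape, not a value from any real database.
SAMPLE_RECORDS = [
    ("alice", "ab4Q1gXy7ZkLE"),                      # 13-char traditional DES crypt
    ("bob",   "$1$saltsalt$qFiH3QoZ6sLsXkeR8V0Ne1"), # md5-crypt
    ("carol", "$6$rounds=5000$salt$" + "x" * 86),    # sha512-crypt (shape only)
    ("dave",  "$2b$12$" + "y" * 53),                 # bcrypt (shape only)
    ("erin",  "zzQ9FplPZa9nw"),                      # another DES crypt hash
]

# Traditional DES crypt output: 2-char salt + 11 chars, all from ./0-9A-Za-z.
DES_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")


def classify_hash(h: str) -> str:
    """Name the password scheme a stored hash belongs to, judged by its shape."""
    if DES_CRYPT_RE.match(h):
        return "des-crypt"
    if h.startswith("$1$"):
        return "md5-crypt"
    if h.startswith("$5$"):
        return "sha256-crypt"
    if h.startswith("$6$"):
        return "sha512-crypt"
    if h.startswith(("$2a$", "$2b$", "$2y$")):
        return "bcrypt"
    return "unknown"


def effective_length(password: str, scheme: str) -> int:
    """Number of password characters that actually influence the stored hash.

    Traditional DES crypt keys DES from the first 8 characters (7 bits each),
    so a 12-character password is verified on its first 8 characters only.
    The other schemes listed here consume the whole password.
    """
    if scheme == "des-crypt":
        return min(len(password), 8)
    return len(password)


def audit(records: List[Tuple[str, str]]) -> Tuple[Dict[str, int], List[str]]:
    """Count records per scheme and list users whose hash truncates the password."""
    counts: Dict[str, int] = {}
    truncating: List[str] = []
    for user, h in records:
        scheme = classify_hash(h)
        counts[scheme] = counts.get(scheme, 0) + 1
        if scheme == "des-crypt":
            truncating.append(user)
    return counts, truncating


def rehash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Hash the whole password with PBKDF2-HMAC-SHA256 from the standard library.

    Intended for migrating a DES-crypt record at the user's next successful
    login, when the plaintext is briefly available. Returns (salt, digest).
    The iteration count is this example's choice, not a recommendation.
    """
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


if __name__ == "__main__":
    counts, truncating = audit(SAMPLE_RECORDS)
    print("hashes per scheme:", counts)
    print("users whose stored hash only covers 8 characters:", truncating)
    for scheme in ("des-crypt", "bcrypt"):
        print(scheme, "uses", effective_length("abcdefgh1234", scheme),
              "of 12 characters")
```

Run against a real export, the audit gives the count of accounts still on DES crypt and therefore the scope of a forced-reset or rehash-on-login programme; the PBKDF2 step shows that, unlike DES crypt, a full-password scheme yields different digests for "abcdefgh" and "abcdefgh1234" under the same salt.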