Gossip site Gawker, which recently experienced a catastrophic attack that exposed the usernames and passwords of 1.3 million accounts, admits that lax security led to the breach.
The attack was carried out by a group called Gnosis, and the breach also reportedly exposed the Twitter accounts of Gawker users who used their Twitter credentials to access the site.
“It is clear that the Gawker tech team did not adequately secure our platform from an attack of this nature. We were also not prepared to respond when it was necessary,” said Gawker's Tom Plunkett in a statement released last Friday.
Gawker and several other websites published by parent company Gizmodo now plan to implement secure sockets layer (SSL) encryption and to require staff to use two-factor authentication.
Shortly after the breach, members of Gnosis posted a critique of the poor security protocols used by their target:
“Gawker uses a really outdated hashing algorithm known as DES (Data Encryption Standard). Because DES has a maximum of [eight characters] using a password like "abcdefgh1234" only the first [eight] characters "abcdefgh" are encrypted and stored in the database. If your password is longer than [eight] characters you only need to enter the first 8 characters to log in..."
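The truncation Gnosis describes is a property of traditional DES crypt(3) hashes, which are recognisable in a credential store by their 13-character, prefix-free form. The following added example (not Gawker's code, written here to illustrate the defender's side) classifies stored hashes by scheme, flags the DES-crypt entries that should be rehashed or reset, and shows a stdlib PBKDF2 replacement that covers the whole password; the sample rows and hash strings are constructed placeholders.

```python
import hashlib
import hmac
import os
import re

# Traditional DES crypt(3): 2-char salt + 11-char hash, all from [./0-9A-Za-z],
# with no "$id$" prefix. Only the first 8 bytes of the password are used.
DES_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
MODULAR_PREFIXES = {"$1$": "md5-crypt", "$5$": "sha256-crypt", "$6$": "sha512-crypt",
                    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt"}

def classify_hash(stored):
    """Return (scheme, max_effective_password_length); None means no truncation."""
    if DES_CRYPT_RE.match(stored):
        return "des-crypt", 8
    for prefix, name in MODULAR_PREFIXES.items():
        if stored.startswith(prefix):
            return name, (72 if name == "bcrypt" else None)  # bcrypt caps at 72 bytes
    return "unknown", None

def audit(rows):
    """rows: iterable of (username, stored_hash). Returns users whose stored
    hash silently truncates the password and who therefore need a rehash/reset."""
    return [user for user, stored in rows if classify_hash(stored)[0] == "des-crypt"]

def rehash_pbkdf2(password, iterations=600_000):
    """Replacement scheme using only the stdlib: PBKDF2-HMAC-SHA256 over the
    whole password with a random 16-byte salt. Format is our own, labelled by prefix."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"$pbkdf2-sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_pbkdf2(password, stored):
    """Constant-time comparison against a hash produced by rehash_pbkdf2()."""
    _, _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)

# Constructed sample user table (hash values are placeholders, not real credentials).
SAMPLE_ROWS = [
    ("alice", "abJnggxhB/yWI"),                         # legacy DES crypt, 8-char limit
    ("bob", "$6$saltsalt$" + "x" * 86),                  # sha512-crypt placeholder
    ("carol", "$2b$12$" + "y" * 53),                     # bcrypt placeholder
]

if __name__ == "__main__":
    print("needs rehash:", audit(SAMPLE_ROWS))          # ['alice']
    h = rehash_pbkdf2("abcdefgh1234")
    # Unlike DES crypt, the 8-char prefix alone must NOT verify.
    print(verify_pbkdf2("abcdefgh1234", h), verify_pbkdf2("abcdefgh", h))  # True False
```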
Plunkett also stated that other security measures would be adopted to further protect the confidentiality of users' private data, such as ending the practice of storing account holders' email addresses:
“We should not be in the business of collecting and storing personal information, and our objective is to migrate our platform away from any personal data dependencies (like email & password)."
The repercussions of the Gawker breach have yet to be measured, and the full impact largely depends on how Gnosis ultimately decides to use the data gleaned.
Hopefully other organizations that do not use SSL for their website interface will take note and protect their users from a similar event.
SSL-enabled websites are distinguished by an "https" prefix in the URL, as opposed to an unencrypted "http" address.