Facebook and Other Sites Lift the Drawbridge in Reaction to Gawker Hack

The hack into Gawker's user database this past weekend might have seemed like a (relatively) harmless prank against a site its marauders deemed "arrogant." But it's beginning to have some serious ripple effects. Other sites, like LinkedIn, the Gilt Groupe, and World of Warcraft are now notifying some users that their accounts are at risk of being breached.

When the hackers broke into Gawker, they didn't just steal the email addresses and passwords of its 1.5 million users; they posted that list online. That means anyone could have grabbed the list and could now be trying to use it to break into those users' accounts, not just at Gawker, but anywhere those individuals used the same email address and password for their logins.

Which is why other sites are taking notice, and some are now sending email alerts to some of their users. The Gilt Groupe, for example, has apparently matched the list of email addresses in the Gawker hack with the list of email addresses used by their own users and sent notifications to that subset, recommending they change their passwords on Gilt.

"We are contacting you as your Gilt email address matches an email address published in the Gawker list," the email says. "As many people often use the same password for multiple sites, we strongly suggest that you change your Gilt password as well as do so on other sites where the password you have is the same as your Gawker password."

The email didn't describe the consequences of not changing your password. But it isn't too hard to imagine. A bad actor who'd gotten hold of the Gawker user list could use it to log into accounts on Gilt, change the password to lock out the owner of the account, order a bunch of merchandise using credit card information the account owner stored with Gilt, and have it shipped to an address of the thief's choosing.

LinkedIn went further. According to a LinkedIn notification forwarded to Fast Company, the company disabled the passwords of certain users and is requiring them to reset their passwords using the "Forgot Password?" system. "There is no indication that your LinkedIn account has been affected," the email says, "but since it shares an email with the compromised Gawker accounts, we decided to ensure its safety by asking you to reset its password."

Blizzard, the company behind World of Warcraft, also drew up their digital drawbridge, according to a note posted to its blog. Presumably, this is to ensure that only the account owner, not someone in possession of the Gawker user list, can make the password change.

Facebook has similarly suspended accounts it believes may have been compromised. "We've checked data from the Gawker incident against accounts on Facebook and are remediating all accounts that may have been impacted," a spokesperson told Fast Company via email. "This remediation includes blocking access to the account and asking the account owner to verify his or her identity and take steps to secure the account."
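The response described above for Gilt, LinkedIn and Facebook boils down to one defensive procedure: match the leaked list against your own accounts, then force those accounts through a reset that the holder of the list cannot complete. The following is an added example of that procedure, not code from any of the companies named; the dump lines and user records are constructed sample data, and the action names are assumed labels for whatever a site's account system actually does.

```python
"""Match a leaked credential dump against our own user base and decide
per-account remediation. All data below is constructed sample data."""

# Constructed sample of a leaked dump in email:hash form; only the email
# column matters here, the hash column is ignored.
LEAKED_DUMP = [
    "Alice@Example.com:h1",
    " bob@example.net :h2",
    "carol@example.org:h3",
    "not a credential line",
]

# Constructed sample of our own accounts. federated=True means the user
# logs in through a third-party identity provider (the Facebook Connect
# case in the article), so we hold no password for them.
OUR_USERS = {
    "alice@example.com": {"federated": False},
    "bob@example.net": {"federated": False},
    "carol@example.org": {"federated": True},
    "dave@example.com": {"federated": False},
}


def normalize(email: str) -> str:
    """Dumps and databases differ in case and stray whitespace; compare on
    a canonical form so 'Alice@Example.com' matches 'alice@example.com'."""
    return email.strip().lower()


def leaked_emails(dump: list[str]) -> set[str]:
    """Extract the email column, skipping malformed lines."""
    out = set()
    for line in dump:
        email, sep, _ = line.partition(":")
        if sep and "@" in email:
            out.add(normalize(email))
    return out


def plan_remediation(dump: list[str], users: dict) -> dict[str, list[str]]:
    """Return the actions to take for each of our accounts found in the dump.
    Resets go through an emailed one-time link, never the old password, so
    whoever holds the dump cannot perform the reset themselves."""
    hits = leaked_emails(dump)
    plan = {}
    for email, meta in users.items():
        if normalize(email) not in hits:
            continue
        actions = ["notify_user"]
        if not meta["federated"]:
            actions += ["disable_password", "revoke_sessions", "send_reset_link"]
        plan[email] = actions
    return plan
```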

People who logged in to Gawker using Facebook Connect, however, don't have to worry that their accounts are at risk. Sites that use the Connect service don't store Facebook passwords. Gawker has said, however, that it has temporarily disabled Facebook Connect logins.

If you have received similar notices from other companies, especially banks or other financial institutions, where accounts might be most vulnerable, we would like to see them. Please send copies to ideas@fastcompany.com.

[Image: Flickr user Paul Stevenson]

Follow E.B. Boyd on Twitter


  • Brent W. Hopkins

    Sounds like this incident has boosted the credibility of Facebook Connect and OAuth as login methods. I advise people to use Roboform (Windows), LastPass (Win, Mac, Linux, Android, iPhone) or some other password manager that can generate unique strong passwords.