419 vs LHC
21 December 2010 - 08:51 AM
Nigerian scammers are creative people. From imaginary hitmen to American majors with suitcases full of Saddam's gold, to enough deceased relatives to fill a cemetery, to entire armies of princes, politicians and dictators, there seems no end to their inventiveness. But now, it seems they have turned their talents to writing actual science fiction.
Reproduced below is the full text of one imaginative scammer's latest message. Because after all, when the Large Hadron Collider destroys the Earth, who better than a Nigerian scammer to see you safe and sound?
Anonymous vs. Spamhaus
19 December 2010 - 01:48 PM
Having been DDOS'd a couple of times ourselves (by Russian criminal gangs), we're not really big fans of DDOS attacks as an instrument of policy. And while Anonymous's collective heart is often in the right place, some of its members seem not to be exactly the quickest little ponies on the track. Point-and-click denial-of-service tools in the hands of the clueless: what could possibly go wrong?
Gawker hack - here comes the spam
15 December 2010 - 12:34 PM
The recent Gawker Media hack exposed a large number of usernames and passwords, many of which were promptly re-used by spammers for an Acai spam run on Twitter. In addition to sharing the password database, the Gnosis hacker group that pulled off the exploit also thoughtfully posted the email addresses of Gawker commenters for the benefit of any spammers who might care to use them.
Spammers have apparently now added the compromised email addresses to their mailing lists. I've just seen a Nigerian spam sent to a previously undisclosed address that was used uniquely for registration on a Gawker property. More will undoubtedly follow.
The lesson to learn from all this is that third-party user databases should be considered inherently insecure. Don't use the same username/password combination on multiple sites, and use disposable email addresses to register. That way when the site does get hacked, you aren't giving hackers and spammers the keys to some other part of your digital life and you can just dump the compromised address and move on.
Your password practices suck
13 December 2010 - 09:03 AM
Over the weekend, servers belonging to Gawker Media were compromised, and the usernames, email addresses and passwords for commenters on a number of popular sites (Lifehacker, Gizmodo, io9 etc.) were posted publicly. Although the passwords were encrypted, brute-forcing simple passwords once you have access to the password database is often a fairly simple task. As proof of this, spammers have already launched an Acai Berry spam run on Twitter by simply using usernames and passwords stolen from the Gawker databases to log in on Twitter. In a large number of cases, they seem to have succeeded. We can also expect spammers and phishers to start targeting the compromised email addresses shortly: I've already had email from one Web 2.0 startup "helpfully" letting me know about the Gawker fiasco: it's a judgment call whether that's good neighborliness or borderline spam.