Lifehacker Hack, What You Need To Do Right Now

Martin Brinkmann
Dec 13, 2010
Updated • Mar 20, 2013
Security

You may already have read on other sites that Lifehacker and other Gawker Media properties were compromised. That is bad enough for the company and the web properties it owns, but it is also bad for users of those sites: users had to create an account at Lifehacker and the other Gawker sites before they could comment. Those who signed in through Facebook Connect were not affected by the hack; for every other user there is a chance that their login information was indeed compromised.

According to information posted on Mediaite, nearly 1.25 million user accounts were dumped from the databases by a group called Gnosis. The group is currently cracking the password hashes in the dump and appears to have recovered 273k passwords so far, some of which are linked to government sites.

The group has promised to release the full site source code and the full database dump in the coming days, and has already released a partial dump. In it, a total of 2,650 users had been using the password "password" or "qwerty", two of the most insecure passwords in use. Of those users, one had a .gov, three a .mil and 52 an .edu email address.
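The figures above come from running a short list of common passwords against the dumped hashes and then breaking the hits down by the email domain of the affected account. The following is an added example, not code from the article or from the group that released the dump, showing how such a dictionary check works: the dump rows, the salted SHA-256 hash scheme and the wordlist are all constructed assumptions for illustration, not Gawker's real storage format or data.

```python
"""Dictionary check over a leaked credential dump (added example, constructed data)."""
import hashlib
from collections import Counter


def hash_password(salt: bytes, password: str) -> str:
    """Assumed dump format: hex SHA-256 over salt || password (illustration only)."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def make_record(email: str, salt: bytes, password: str) -> dict:
    """Build one constructed dump row as a site storing such hashes would have stored it."""
    return {"email": email, "salt": salt.hex(), "hash": hash_password(salt, password)}


# Constructed sample dump: no real users, no real leaked data.
SAMPLE_DUMP = [
    make_record("alice@example.com", b"\x01\x02\x03\x04", "password"),
    make_record("bob@agency.gov",    b"\x05\x06\x07\x08", "qwerty"),
    make_record("carol@base.mil",    b"\x09\x0a\x0b\x0c", "Tr0ub4dor&3"),
    make_record("dave@uni.edu",      b"\x0d\x0e\x0f\x10", "password"),
    make_record("erin@example.org",  b"\x11\x12\x13\x14", "correct horse battery staple"),
]

# A tiny wordlist of the kind attackers try first; real lists run to millions of entries.
WEAK_WORDLIST = ["123456", "password", "qwerty", "letmein", "abc123"]


def crack(dump: list, wordlist: list) -> dict:
    """Return {email: plaintext} for every dump row whose hash matches a wordlist entry.

    With a per-user salt every candidate must be hashed once per row; with an
    unsalted scheme one hash per candidate would cover the whole dump at once.
    """
    cracked = {}
    for row in dump:
        salt = bytes.fromhex(row["salt"])
        for candidate in wordlist:
            if hash_password(salt, candidate) == row["hash"]:
                cracked[row["email"]] = candidate
                break
    return cracked


def count_by_tld(emails) -> Counter:
    """Count cracked accounts by the top-level domain of the registered email address."""
    return Counter(email.rsplit(".", 1)[-1].lower() for email in emails)


if __name__ == "__main__":
    hits = crack(SAMPLE_DUMP, WEAK_WORDLIST)
    for email, plaintext in hits.items():
        print(f"{email}: {plaintext!r}")
    print(dict(count_by_tld(hits)))
```

Only the accounts that chose a wordlist entry are recovered; the two users with long passwords outside the list stay uncracked, which is exactly why the group's running total grows with the size of its wordlist rather than covering the dump all at once.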

So what do users who had an account at Lifehacker need to do? They need to assume that their account was compromised along with the others, and that the attackers were able to crack the password.

The first step is to change the password at the Gawker Media site. That is all that is needed if the username / password combination was used only on that one site. Problems arise for users who use the same username and password combination for all of their web accounts: anyone holding the cracked password can try it against other sites, so these users need to change the password on every one of those accounts.

Our tip: install a password manager like LastPass, which helps to generate secure passwords and to store them. It is imperative to use each username / password combination only once on the web.
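The procedure above has two parts: find every account that shares the password with the breached site, then give each of them its own randomly generated replacement. As an added example that is not part of the article and not LastPass code, the following audits a small constructed credential list for reuse and rotates the affected entries with passwords drawn from the operating system's CSPRNG; the site names, usernames and passwords are hypothetical sample data.

```python
"""Reuse audit and rotation for a stored credential list (added example, constructed data)."""
import secrets
import string
from collections import defaultdict

# Constructed sample of a user's stored credentials (hypothetical, not real accounts).
SAMPLE_VAULT = [
    {"site": "lifehacker.com",   "username": "commenter", "password": "hunter2"},
    {"site": "gizmodo.com",      "username": "commenter", "password": "hunter2"},
    {"site": "mail.example.com", "username": "martin",    "password": "hunter2"},
    {"site": "bank.example.com", "username": "martin",    "password": "Xq9!vL2#pR8@wT4"},
]


def reused_passwords(vault: list) -> dict:
    """Return {password: [sites]} for every password used by more than one entry."""
    by_password = defaultdict(list)
    for entry in vault:
        by_password[entry["password"]].append(entry["site"])
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


def accounts_to_rotate(vault: list, breached_site: str) -> list:
    """Sites whose password must change after breached_site leaks: the site itself
    plus every other entry sharing its password. Nothing if the site is not in the vault."""
    leaked = {e["password"] for e in vault if e["site"] == breached_site}
    if not leaked:
        return []
    return [e["site"] for e in vault if e["password"] in leaked]


def generate_password(length: int = 20, alphabet: str = string.ascii_letters + string.digits + string.punctuation) -> str:
    """Random password from secrets (CSPRNG), never from the random module."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def rotate(vault: list, breached_site: str) -> list:
    """Return a new vault in which every affected entry gets its own fresh password.

    Entries not sharing the leaked password are returned unchanged.
    """
    targets = set(accounts_to_rotate(vault, breached_site))
    rotated = []
    for entry in vault:
        if entry["site"] in targets:
            entry = {**entry, "password": generate_password()}
        rotated.append(entry)
    return rotated


if __name__ == "__main__":
    print("reused:", reused_passwords(SAMPLE_VAULT))
    print("rotate:", accounts_to_rotate(SAMPLE_VAULT, "lifehacker.com"))
    for entry in rotate(SAMPLE_VAULT, "lifehacker.com"):
        print(entry["site"], entry["password"])
```

The mail account is the one to worry about most in this list: it shares the leaked password and is also the address that receives password-reset links for the others, so it should be rotated first.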

More information about the hack is available at Download Squad and Lifehacker.



Comments

  1. Mithun John Jacob said on December 15, 2010 at 3:52 pm
    Reply

    They should have allowed commenting without registering, the Ghack way. Shame on them!

  2. Barbarosa said on December 14, 2010 at 6:46 pm
    Reply

    Here’s part of Woody Leonhard’s advice:
    “For starters, I wouldn’t follow the advice given on the Lifehacker site, to wit: “You should immediately change the password on your [Lifehacker] account.” Quite the contrary. I wouldn’t log on to any Gawker Media site for weeks or months, for any reason.”
    http://www.infoworld.com/t/authentication-and-authorization/act-now-minimize-the-damage-users-gawker-hack-317

    My own strategy for email security is to use a one-time throwaway email address for all websites. For most sites I use yopmail.com because its address is not traceable to me. If I want a website, like my bank, to have more direct access to me, I use a one-time account at gmail.

  3. milithruldur said on December 14, 2010 at 4:27 am
    Reply

    This recent compromise highlights important security precautions when creating accounts online and in handling associations for said accounts:

    1) NEVER use the same password for ALL accounts you may have online.

    2) If the use of same passwords cannot be prevented, then at least learn to partition passwords by categories, such as one password shared among forums / commenting sites, another for social networking sites, and a different one for email accounts and bank accounts.

    Categories are up to one’s own preferences, and they are not limited to the examples as given.

    3) Partitioning also applies to which email accounts are used to register with categorized sites.

    Effectively, partitioning helps in establishing a defense layer so that the compromise of one doesn’t mean the compromise of all others.

    4) Choose a password that is not easy to guess and that is not in a dictionary. There are multiple ways in generating a secure password, some only involve memorizing a pattern of steps for converting a simple phrase into a secure passphrase. Search for those online.

    5) Better yet, have unique passwords for all your accounts through the use of a password manager. A recommendation would be LastPass that does a great job at keeping your passwords secure, and synced among your browsers and mobile devices. gHacks has plenty of information for LastPass: https://www.ghacks.net/index.php?s=lastpass

    These are by no means complete. These are essential precautions to keep in mind while managing and securing accounts online.

    Be safe and secure.

    /m

  4. Dan said on December 14, 2010 at 2:56 am
    Reply

    I checked my LH account and thankfully it’s a randomly generated password. I’ve changed it now.

  5. MartinDK said on December 14, 2010 at 2:20 am
    Reply

    I haven’t used my account on Lifehacker/Kotaku/Jalopnik for a while, so I figured I might as well delete it now. Ah, but oh no:

    5) How can I delete my account?
    We understand how important trust is on the web, and some of you may wish to delete your Gawker Media account. Currently account deletion is not available. We will, however, give you this option as soon as possible.

    Thank you for nothing, Gawker media… >.<
