When a corporation screws up and your account information is compromised by “unauthorized access” (code for “someone broke into our database and stole your data”), current law seems to side with the corporate behemoths. They send you an “oops, we’re sorry” email and you have to suck it up. Liability? Seems AWOL.
This weekend, Gawker lost all information on about 1.3 million user accounts; that includes email and passwords. Shortly thereafter, many Twitter and Facebook accounts became spammers for Acai Berry. I sent a note to a Facebook friend at 4 pm advising him that his account seemed hacked (but not by Acai Berry). Gawker got around to telling me about this Monday night.
Also on Monday, McDonald’s pointed the finger at an undisclosed contractor when it acknowledged that customer “e-mail and other contact information, birthdates and other specifics” had been lost. McDonald’s refuses to say how many accounts are now in the wild but acknowledges that its long-time partner, Arc Worldwide (the “marketing services arm” of Leo Burnett) had farmed out the work.
On Friday, Walgreen told an undisclosed number of mailing list customers that it had lost their personal information. Again, a refusal to acknowledge the extent of the breach and no information on the company responsible.
My Gawker Story
This afternoon, when I tried to access gmail, Google wouldn’t accept my password. After typing it three times, I gave up and clicked the “forgot password?” link. Google asked me for the phone number associated with my account (yeah, I’m glad I added one) and sent me a text message with a numeric code. Enter the numeric code to unlock door number one, which was a demand that I create a new password. That activity done, Google unlocked door number two and I was able to send an email.
It’s been a busy/crazy day near the end of a trying year. A few minutes ago, when I logged in to read email, I learned that Gawker had sent me an email at 5.59 pm with the subject line, Gawker Comment Accounts Compromised — Important.
This weekend we discovered that Gawker Media’s servers were compromised, resulting in a security breach at Lifehacker, Gizmodo, Gawker, Jezebel, io9, Jalopnik, Kotaku, Deadspin, and Fleshbot. As a result, the user name and password associated with your comment account were released on the internet. If you’re a commenter on any of our sites, you probably have several questions.
We understand how important trust is on the internet, and we’re deeply sorry for and embarrassed about this breach of security. Right now we are working around the clock to improve security moving forward. We’re also committed to communicating openly and frequently with you to make sure you understand what has happened, how it may or may not affect you, and what we’re doing to fix things.
This is what you should do immediately: Try to change your password in the Gawker Media Commenting System. If you used your Gawker Media password on any other web site, you should change the password on those sites as well, particularly if you used the same username or email with that site. To be safe, however, you should change the password on those accounts whether or not you were using the same username.
We’re continually updating an FAQ (http://lifehac.kr/eUBjVf) with more information and will continue to do so in the coming days and weeks.
You are receiving this email because your email address was associated with a Gawker Media user account. We are using this list only for the purpose of sending you this important notification.
Pardon me? THIS WEEKEND? And you don’t tell me about it until after the close of business on Monday?
Gawker Media’s actions are all the more crazy (read: irresponsible) since someone with the email handle “SorryAboutThis” sent me an email Sunday, 20 hours before Gawker did, telling me that my Gawker account had been hacked.
I am not officially from Lifehacker, Gawker, or Gizmodo, but I wanted to let you know that your account info, including name, password, and email for these places is now floating around the internet. If you used the same password for anything else, including Facebook, email, or a bank account, you should probably change it.
Here are some details that the MSM and wire services have left out of their reporting:
- Salon: “Nearly 1.25 million accounts, including more than 500,000 user e-mails and more than 185,000 decrypted passwords, were posted to the Pirate Bay.”
- LifeHacker: It’s not possible to delete your Gawker account.
- WalletPop: MSM might not be naming names, but McDonald’s handed this work over to Leo Burnett — the ninth largest agency in the world 10 years ago. Its marketing arm, in turn, hired another firm to coordinate and distribute emails and that firm is the one that lost your personal data.
- Forbes: Gawker has no one to blame but itself. The founder, Nick Denton, noticed suspicious behavior in November, And Did Nothing.
Analysis of the file released by the crackers themselves indicates that the breach extends to employees of Gawker, includes credentials for internal systems (Google applications, collaboration tools) used at the company, includes a leak of Gawker’s custom source code, includes credentials of Gawker employees for other web sites, includes FTP credentials for other web sites Gawker has worked with, includes access to Gawker’s statistics web site, and includes the e-mails of a number of the users who left comments at Gawker as well as users of lifehacker.com, kotaku.com, and gizmodo.com.
The evidence also suggests the attackers have had access to Gawker’s internal systems for a period of time that is at least a month, and that they gained root level access to servers the Gawker Media web properties are hosted on.
McDonald’s and Walgreen
The LA Times reports “unauthorized access” at McDonald’s to personal information given by customers, in good faith, to the fast-food giant’s website or its (one assumes, offline) promotions. When MickyD reported the breach on Monday:
McDonald’s was quick to note that no financial or sensitive personal information was swiped by cyber criminals who broke into computer systems operated by an outside firm used to manage a customer email database.
“Limited customer information collected in connection with certain McDonald’s websites and promotions was obtained by an unauthorized third party,” McDonald’s said in an email response to an AFP inquiry.
Is a breach of personal information truly “limited” if someone can confirm that a birthdate is associated with an email address? Because the McDonald’s breach included “e-mail and other contact information, birthdates and other specifics.”
Who was the “outside firm”? Were their security measures as poor as Gawker’s? Were these data in the cloud or on servers owned/managed by the “outside firm”?
At Walgreen drug stores, the breach involved subscribers to an email distribution list. Lest you think just having your email address is only a minor security breach, the company reported that subscribers to its “e-mail distribution list should be on the lookout for spam directing them to another site and then asking for personal data.”
What You Can Do
Not sure if you ever created an account on a Gawker property? Use this widget from Salon to check your email addresses.
Going forward, some suggestions:
- Set up an email address that you only use for public comments and/or email from corporations, nonprofits and political candidates. This is a do as I say, not as I only sometimes do … because, well, sometimes we want our comments to be associated with our primary persona. This may be a luxury that we can’t afford, especially given the cavalier attitude Gawker Media took towards us “peasants.”
- Another way to limit your exposure: tighten up your passwords. Yeah, I can hear you. I’ve been known to use “password” as the password on accounts where I Do Not Care if someone poses as me. You know, like at LifeHacker or Gizmodo. (For the record, I do not know what the password on the account was.) You can manage this in a pretty straightforward way with a tool like LastPass.
- When possible, comment on public websites by logging in with your OpenID (if you have a WordPress.com blog, you have an OpenID), Google, Facebook or Twitter accounts. Sites are not supposed to be able to see your passwords for those accounts, so they aren’t being stored in someone else’s database. Resist the invitation to create an account, especially when that requires a second step after you’ve logged in with an external service. Complain about the demand to actually create a new account with email and password and such: we log in with “trusted” accounts so that we don’t have to create yet-another-account.
- Join me in demanding that banks get with the 21st century and allow customers to create secure passwords! Every one of my commercial banking accounts — with the exception of PayPal — will NOT allow me to use a special character in the password!
Finally, start talking to your state legislators and Congress critters about the need for corporate liability when personal information is released in as egregious a manner as Gawker’s appears to have been.