Gawker Media Servers Hacked, Commenters’ Usernames and Passwords Exposed!

If you have a commenting account on Lifehacker, Gizmodo, Gawker, Jezebel, io9, Jalopnik, Kotaku, Deadspin, or Fleshbot, you need to change your password. Over the weekend, the Gawker Media servers that store the usernames and passwords of commenters on the above-mentioned sites were compromised. The hacker or hackers released a 500 MB file apparently containing Gawker’s source code, commenter and staff passwords, and internal conversations between the company’s employees.

Below is the statement Gawker Media has released on their website:

This weekend we discovered that Gawker Media’s servers were compromised, resulting in a security breach at Lifehacker, Gizmodo, Gawker, Jezebel, io9, Jalopnik, Kotaku, Deadspin, and Fleshbot. If you’re a commenter on any of our sites, you probably have several questions.


We understand how important trust is on the internet, and we’re deeply sorry for and embarrassed about this breach of security, and of trust. We’re working around the clock to ensure our security (and our commenters’ account security) moving forward. We’re also committed to communicating openly and frequently with you to make sure you understand what has happened, how it may or may not affect you, and what we’re doing to make sure this never happens again.

1) How do I know if my password was hacked?

If you’ve registered an account on any Gawker Media web site (that includes Gawker, Gizmodo, Jalopnik, Jezebel, Kotaku, Lifehacker, Deadspin, io9, or Fleshbot), and you didn’t log in using Facebook Connect, then it’s best to assume that your username and password were included among the leaked data.

Passwords in our database are encrypted (i.e., not stored in plain text), but they’re still potentially vulnerable to hackers. You should immediately change the password on your account, and if you used that password on any other web site, you should change your passwords on all of those accounts as well.

2) What if I logged in using Facebook Connect? Was my password compromised?

No. We never stored passwords of users who logged in using Facebook Connect.

3) What if I linked my Twitter account with my Gawker Media account? Was my Twitter password compromised?

No. We never stored Twitter passwords from users who linked their Twitter accounts with their Gawker Media account. However, if you used the same password for your Twitter account as you did on your Gawker Media account, you should change it immediately.

4) Should I be concerned about my other online accounts? What if I used that password on other sites?

If you used your Gawker Media password on any other web site, you should change the password on those sites as well, particularly if you used the same username or email with that site. To be safe, however, you should change the password on those accounts whether or not you were using the same username.

5) How can I delete my account?

We understand how important trust is on the web, and some of you may wish to delete your Gawker Media account. Currently account deletion is not available. We will, however, give you this option as soon as possible.

6) How do I change my password?

To change your password, log into your account from any Gawker Media site and 1) click on your username on the top right of the page, then 2) click the password link on your profile page. Enter your current password, a new password (and confirmation), and then click Save.

7) I don’t know my Gawker account password, and recover via email didn’t work. What’s the deal?

We had shut down email services on some servers earlier today, but service should now be restored. Please try again and make sure you check your spam filters.

8) Who was responsible for the security breach? How did it happen?

A group calling itself Gnosis has claimed credit for hacking our servers.

9) How are you notifying those whose details were compromised?

We are in the process of notifying those users who associated an email address with their Gawker accounts.

10) My password isn’t working, and I didn’t have an email associated with my account. What do I do?

We are still working through possible ways to deal with this situation. We’ll be sure to update this FAQ once we come up with a good solution.

11) What are you doing to ensure this doesn’t happen in the future?

We’re bringing in an independent security firm to improve security across our entire infrastructure. Additionally, we will continue to work with independent auditors to ensure we maintain a reliable level of security, as well as the processes necessary to ensure we maintain a safe environment for our commenters.