Analysis of the Gawker compromise

As most of you probably know, Gawker Media’s servers were compromised, resulting in a security breach at Lifehacker, Gizmodo, Gawker, Jezebel, io9, Jalopnik, Kotaku, Deadspin, and Fleshbot. It means that if you’ve ever had an account on any of those sites, it was compromised.

It also means that if you like to re-use your passwords, your accounts at other sites could be compromised as well (including Gmail, Twitter, Hotmail, etc).

So, if you have an account on any of those sites, make sure to change your passwords ASAP! Not only at those Gawker sites, but everywhere you used the same password!

We don’t know exactly how they got access to the site, but the attackers were “kind” enough to post a readme and tell their side of the story. You can read it here: http://sucuri.net/mirror/gawker-readme.txt

It seems it all started with one account getting stolen, followed by re-use of the same password on other resources (email, Basecamp, etc.), followed by critical information found stored in emails, followed by a mass compromise. You get the picture!

It teaches us a few lessons:

  1. Do not re-use your passwords.
  2. Access control: restrict access to some resources by IP address.
  3. The importance of log analysis – had they just been looking at their logs, they would have detected the compromise a lot earlier.
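One way to act on the second and third lessons, as an added example (not code from the original post): a check that runs over constructed authentication log lines and flags privileged logins from outside an IP allowlist or following a burst of failures. The log format, the allowlist and the account names are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines, format "timestamp user source-ip result" (an assumed
# format, not Gawker's real logs).
SAMPLE_LOG = """\
2010-12-11T02:10:05Z admin 203.0.113.7 OK
2010-12-11T02:11:40Z editor 10.0.4.22 OK
2010-12-11T02:12:01Z admin 198.51.100.9 FAIL
2010-12-11T02:12:03Z admin 198.51.100.9 FAIL
2010-12-11T02:12:06Z admin 198.51.100.9 OK
2010-12-11T02:15:30Z editor 10.0.4.22 OK
"""

# Hypothetical allowlist: the only range staff logins should ever come from.
STAFF_ALLOWLIST = [ipaddress.ip_network("10.0.4.0/24")]
PRIVILEGED = {"admin", "editor"}   # accounts worth alerting on

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")

def parse(log_text):
    """Yield (timestamp, user, ip, result) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, user, ip, result = m.groups()
            yield ts, user, ipaddress.ip_address(ip), result

def in_allowlist(ip):
    return any(ip in net for net in STAFF_ALLOWLIST)

def find_suspicious_logins(log_text, max_failures=2):
    """Return (user, ip, reason) for successful privileged logins that came from
    outside the allowlist or followed max_failures or more failures from that IP."""
    failures = defaultdict(int)
    findings = []
    for ts, user, ip, result in parse(log_text):
        if result == "FAIL":
            failures[(user, ip)] += 1
            continue
        if user not in PRIVILEGED:
            continue
        if not in_allowlist(ip):
            findings.append((user, str(ip), "outside allowlist"))
        if failures[(user, ip)] >= max_failures:
            findings.append((user, str(ip), "success after %d failures" % failures[(user, ip)]))
        failures[(user, ip)] = 0   # reset the counter after a success
    return findings
```

Both findings on the sample come from the admin account, which is exactly the kind of login a daily look at the logs would have surfaced.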

In total, more than 1 million accounts were compromised (and 541,501 emails exposed). Of those emails, these are the numbers for each email service:

173941 gmail.com
101957 yahoo.com
72847 hotmail.com
20551 aol.com
8106 comcast.net
6078 msn.com
5835 mac.com
4341 sbcglobal.net
3397 hotmail.co.uk
2531 verizon.net
2204 cox.net
2174 live.com
2113 yahoo.co.uk
2050 earthlink.net
1939 yahoo.co.in
1851 aim.com
1626 mail.ru
1619 bellsouth.net
1490 googlemail.com
1045 charter.net
995 optonline.net
990 yahoo.ca
891 me.com
888 rediffmail.com
806 att.net
628 ymail.com
626 excite.com
614 juno.com
612 shaw.ca
605 btinternet.com
530 rogers.com
527 163.com
511 mail.com
446 netscape.net
439 yahoo.fr
423 yahoo.com.au
423 rocketmail.com
419 mailinator.com
383 mindspring.com
377 web.de
377 gmx.de
369 ntlworld.com
357 sympatico.ca
353 abv.bg
346 lycos.com
337 gmx.net
295 yandex.ru
285 email.com
281 pacbell.net
280 myway.com
278 mchsi.com
272 yahoo.com.ph
269 hotmail.fr
268 nyc.rr.com
265 126.com
263 insightbb.com
263 inbox.com
258 yahoo.co.id
257 nyu.edu
250 live.co.uk
247 telus.net
239 roadrunner.com
226 yahoo.de
226 netzero.net

Gmail is the big winner, with more than 150k accounts, followed by Yahoo (100k), Hotmail (70k) and AOL (20k).

There were also quite a few accounts from .gov and .mil domains compromised (army.mil is the winner with 109, followed by navy.mil and nasa.gov):

109 us.army.mil
42 navy.mil
18 usmc.mil
15 nasa.gov
10 med.navy.mil
9 va.gov
9 military.com
9 mail.house.gov
7 usps.gov
7 uscg.mil
7 irs.gov
7 cdc.gov
6 ssa.gov
6 gimail.af.mil
6 dhs.gov
5 michigan.gov
5 marauder.millersville.edu
5 mail.nih.gov
5 langley.af.mil
4 wpafb.af.mil
4 usdoj.gov
4 panynj.gov
4 fe.navy.mil
4 eglin.af.mil
4 education.tas.gov.au
4 edd.ca.gov
4 boe.ca.gov
4 bls.gov
3 za.sabmiller.com
3 whiteman.af.mil
3 us.af.mil
3 tinker.af.mil


Edit: At the time of this post, we published a list of compromised email addresses as a means for readers to easily check if they had been exploited. Due to the risk of those email addresses being used for other malicious reasons, we removed them from the post.

Another thing I found interesting is that many accounts shared the same email address. I don’t know whether they were fake accounts or what they were used for.

32 tips@gawker.com
23 chestshirecat@yahoo.com
13 tips@gizmodo.com
13 darkdice18@hotmail.com
12 sintaxerrors@gmail.com
10 tips@kotaku.com
10 tips@gridskipper.com
10 tips@defamer.com
10 josh@gridskipper.com
10 duh@duh.com
9 trumpkubiroyj@gmail.com
9 tips@wonkette.com
9 tips@jalopnik.com
9 layinframe2k@yahoo.com
8 synssins@gmail.com
8 joco@gawker.com
8 fallc@charter.net
7 tips@valleywag.com
7 scottysonfir3@gmail.com
7 rob6870@hotmail.com
7 poopsalotman@sbcglobal.net
7 godfather-07@hotmail.com

But, for example, tips@gawker.com had the following accounts: Gawker Jessica Jessica2 mgross kewalters jesseo jps eurotrash braftery ablagg gawktern gawkcolumnist gdelahaye pevans sintern egould dshafrir aholmes mtkacik aswerdloff jliu lneyfakh jgerson Robespierre Erica MarkDuffy Copyranter Rod Townsend Tionna Elizabeth Currid K. Kat WorthingtonMonet.

Maybe used internally or to help generate buzz in the comments?

The address chestshirecat@yahoo.com had 20+ accounts: hom3land CallaTexodus TeresaHog OrielParis NoelleHammer SushantiTabalisha AddisonColgate AnnataFlubwib ShrimatiMabel QabilEspish RuthPhoenix LeslieNephele NanGebrony ZanipoloWolf WalterLibo AlvinaMabawza VeasnaAlcyone WilliamAtellus MelanieArvina OdetteHizer MarcusVibius SuryaCosta LarinaHaermm.

In this case, it looks like a spammer.
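The three tallies above (accounts per email domain, the .gov/.mil subset, and addresses shared by many usernames) are the kind of triage a breach-response team repeats for any dump of this sort. The script below is an added example on constructed records, not Sucuri’s own tooling; the record layout (username, email) and the sample rows are assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample records (username, e-mail); not rows from the real dump.
SAMPLE_ACCOUNTS = [
    ("alice", "alice@gmail.com"),
    ("bob", "bob@yahoo.com"),
    ("carol", "carol@us.army.mil"),
    ("dave", "dave@nasa.gov"),
    ("tipsbot1", "tips@example.com"),
    ("tipsbot2", "tips@example.com"),
    ("tipsbot3", "TIPS@example.com"),     # same address, different case
    ("erin", "erin@gmail.com"),
    ("frank", "Frank@Gmail.com"),
    ("broken", "not-an-address"),         # malformed row, must be skipped
]

GOV_MIL_SUFFIXES = (".gov", ".mil")

def email_domain(email):
    """Lower-cased domain part of an address, or None if it has no '@'."""
    _, sep, domain = email.strip().rpartition("@")
    return domain.lower() if sep else None

def domain_counts(accounts):
    """How many accounts registered with each e-mail domain (case-insensitive)."""
    domains = [email_domain(e) for _, e in accounts]
    return Counter(d for d in domains if d)

def gov_mil_counts(accounts):
    """Subset of domain_counts restricted to .gov and .mil domains."""
    return Counter({d: n for d, n in domain_counts(accounts).items()
                    if d.endswith(GOV_MIL_SUFFIXES)})

def shared_emails(accounts, min_accounts=2):
    """Addresses used by min_accounts or more usernames -> list of those usernames."""
    by_email = defaultdict(list)
    for user, email in accounts:
        if email_domain(email):
            by_email[email.strip().lower()].append(user)
    return {e: users for e, users in by_email.items() if len(users) >= min_accounts}
```

Normalising case before counting matters: without it the three tips@ rows would split into two addresses and the Gmail total would be off by one.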

Yes, this breach is serious stuff. Again, remember to change your passwords ASAP. In the next post we will do an analysis of the passwords used, but we are waiting to give time for people to change their passwords and take action.


View the original article at Sucuri
