Today, Lifehacker and Gawker confirmed the rumors that have been circulating since Saturday afternoon: a hacker group known as Gnosis has breached Gawker’s servers, harvesting over 200,000 usernames, emails and passwords along with, according to the torrent file posted on PirateBay, “an additional million or so easily decryptable” usernames and passwords. Lifehacker and the rest of the Gawker blogs, which include Fleshbot, Jezebel, Gizmodo, Jalopnik, Kotaku, Lifehacker, Deadspin and io9, have responded in classy fashion, posting a comprehensive, frank and measured response to the security breach. You can read all about the fate of your commenter account and which actions you should take in the Lifehacker compromised commenting account FAQ.

Long story short, if you have ever registered at a Gawker site or commented on a Gawker site, you should change your password now. And not just your Lifehacker account password, but the password of any account that uses the same credentials (which is bad form, by the way). If you logged into a Gawker blog using Facebook Connect or your Twitter account, your credentials should be safe, according to Gawker. However, a rash of hijacked Twitter accounts tweeting about Acai berry hints towards the contrary (though this is perhaps due to users having the same login and password for Lifehacker as their Twitter account).

If you’re tweaked that this is the first you’re hearing about the Lifehacker data compromise, rest assured that the Gawker tech team is on it, and is currently resetting passwords and contacting affected users. So, if you haven’t heard from Gawker yet, you will soon.

As for why Gawker was hacked, it appears that there has been a longstanding feud between Gawker and Gnosis and their ilk.
In the torrent file description Gnosis taunts Gawker, saying:

The script kids reference is likely an allusion to Gawker’s comments when a group of 4chan members attempted to bring Gawker down after the blog demonized the group for launching a concerted campaign of harassment on an 11-year-old YouTube member. A Gawker blogger wrote of their attempts:

Gnosis, however, claims no connection to 4chan or Anonymous, the group that most recently waged war against MasterCard, PayPal and Visa.

At any rate, this is a fair amount of drama—unfortunately, many of us readers have been caught in the collateral damage. If anything, this should serve as a stirring reminder to always keep strong passwords, never use a universal “master” password across accounts and to be sure to change your password periodically, in case one of these data breaches goes unnoticed. If this seems like a hassle to you, then we recommend checking out a password manager, such as LastPass, which we covered earlier in our Google Chrome Extensions Power List.

Also, if you are curious as to whether your email was included in the database, but don’t want to tangle with any fishy business by downloading the torrent yourself, you can run your email address through a widget put together by Slate. Personally, my email didn’t come back as compromised—but I’m still going to be changing all of my passwords, just in case my email was included among those “million or so” easily decryptable passwords, which don’t appear to be included in Slate’s database.

Update: it appears that Slate’s widget does include your email, even if your password is included in encrypted form.

Update: A couple reports of people getting suspicious emails re: their Gawker accounts. Probably phishing attempts, since the release included emails as well. PLEASE BEWARE OF THIS. Do not visit any links from anyone claiming to be from Gawker or one of their blogs. Instead, visit their site directly and change your password there. There are links all over the place on their front page, you can’t miss it.

Update: Upon receipt of an email notification from Gawker, it appears that I am actually in trouble, since I signed up for a Gawker account years ago with an old email address. So, that got me thinking: what else have I signed up for years ago with that same email and password that I may have forgotten about? So, in order to jog my memory, and yours, I’m going to create a massive list of online services that you may have signed up for in the past. Please add to this list if you can.

Master Accounts

Google, Yahoo!, Windows Live, OpenID

Email

Gmail, Yahoo! Mail, Hotmail, Windows Live Mail, Microsoft Exchange, Zoho Mail, Lavabit, Hushmail, AIM Mail, GMX Mail, Gawab, Inbox.com, FastMail

Finance/Money

(usually have multiple layers of security, but just in case…)

Mint, Quicken, Wesabe, Kiva, PayPal, PNC, U.S. Bank, Fifth Third, Huntington National, Bank of the West, BBT, Charles Schwab, E-Trade, UBS, Discover, Chase, HSBC, ING Direct, Allied Bank, Bank of America, Wells Fargo, Capital One, Thrive, Geezeo, Simplifi, Playwithvoyant, CreditKarma, Fidelity, TD Ameritrade

Shopping

Blogs/News

Technorati, NYTimes.com, Posterous, NPR

Webmaster/Admin

Tumblr, SquareSpace, Typepad, WordPress.com, Blogger, Vox, Xanga, Other self-hosted blogs, Drupal, Joomla, WordPress.org (did you check ALL your self-hosted blogs?), Statcounter, ChartBeat, GoDaddy, DirectNIC, Dotster, enom, Gandi, Joker, Key Systems, Moniker, Name.com, NameSecure, 1and1, A Small Orange, GatorHost, BlueHost, DreamHost

Photosharing

Flickr, Skitch, Photobucket, DotPhoto, Snapfish, Kodak EasyShare, Fotki, Picasa, Webshots, Care to Connect

Social Media

Facebook, MySpace, LinkedIn, Classmates, Friendster, Ning, iLike, Twitter, HootSuite, TweetDeck, FriendFeed

Social Bookmarking

Digg, Delicious, StumbleUpon, Reddit

Chat/Communications

Skype, Adium, AOL Instant Messenger, Windows Live Messenger, Google Chat, Pidgin, Meebo

Meetings/Scheduling/Project Management

Tungle.me, ManyMoon, Campfire, Basecamp, GotoMeeting, Dimdim, WebEx, Yugma, Zoho Meeting, Vyew

Multimedia

iTunes, Netflix, YouTube, Metacafe, Vimeo, Scribd, SlideShare

Other

Wikipedia, Dropbox, SugarSync, Box, CampusFood, Mozy, PhpBB, vBulletin, Constant Contact, iContact, ExactTarget, Howcast, Squidoo

Mobile

Yelp, Words with Friends, Foursquare, Crystal (i.e. Angrybirds)

Phew. That’s barely scratching the surface, I know. But it just goes to show that we sign up for an inordinate amount of services. Please contribute to this list—especially the obvious ones I missed.